IBM Support

TM1 API Connection failure in Java with Certificate chaining error

Troubleshooting


Problem

When making a connection to TM1 with a java application a javax.net.ssl.SSLHandshakeException error is received , it complains that the Applix certificate is not trusted, and follows with a Certificate chaining error.

Symptom

The following java stack trace is received :



javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by OU="Applix, Inc.", O="Applix, Inc.", L=Westboro, ST=Massachusetts, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error at com.ibm.jsse2.n.a(n.java:3) at com.ibm.jsse2.jc.a(jc.java:501) at com.ibm.jsse2.db.a(db.java:144) at com.ibm.jsse2.db.a(db.java:416) at com.ibm.jsse2.eb.a(eb.java:89) at com.ibm.jsse2.eb.a(eb.java:291) at com.ibm.jsse2.db.m(db.java:192) at com.ibm.jsse2.db.a(db.java:79) at com.ibm.jsse2.jc.a(jc.java:184) at com.ibm.jsse2.jc.g(jc.java:257) at com.ibm.jsse2.jc.a(jc.java:361) at com.ibm.jsse2.jc.startHandshake(jc.java:304) at com.applix.tm1.TM1NetClass.Connect(TM1NetClass.java:116) at com.applix.tm1.TM1Bean.getAdmEntryList(TM1Bean.java:349) at com.applix.tm1.TM1Bean.getNumberOfServers(TM1Bean.java:198) at com.applix.tm1.TM1Bean.findEntryByServerName(TM1Bean.java:429) at com.applix.tm1.TM1Bean.openConnection(TM1Bean.java:110) at HMI.testTM1Function.main(testTM1Function.java:47) Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by OU="Applix, Inc.", O="Applix, Inc.", L=Westboro, ST=Massachusetts, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error at com.ibm.jsse2.util.f.b(f.java:49) at com.ibm.jsse2.util.f.b(f.java:16) at com.ibm.jsse2.util.e.a(e.java:2) at com.ibm.jsse2.yb.checkServerTrusted(yb.java:46) at com.ibm.jsse2.hb.checkServerTrusted(hb.java:22) at com.ibm.jsse2.eb.a(eb.java:8)

Cause

The root cause is that the Applix certificate from the TM1 installation is not present in the Java Environment Keystore.

Environment

This can happen in any java environment, Linux, Unix or Windows. When developing code, there may exist more then one Java environment for testing purposes.

In case your JAVA_HOME will not be set , or control of the Java version used is defined elsewhere, the certificate needs to be added to each Java environment to ensure that connections to TM1 Server can be made.

Diagnosing The Problem

Compare the Java Stack trace error above with the one received, and if it is matching closely, this Technote will apply.

Resolving The Problem

Add the Applix certificate to the local JRE Environment keystore.

Shown are the Steps in the Windows command window :

1. Set JAVA_HOME to your JRE path.

example : set JAVA_HOME=D:/ibm/java50/jre

2. Load the TM1 certificate file into the Java Keystore with the keytool application from java.

example, doing this from the D:/TM1/bin/ssl directory path :


D:\TM1_941\bin\ssl>%JAVA_HOME%/bin/keytool -import -keystore %JAVA_HOME%/lib/security/cacerts -file D:/TM1_941/bin/ssl/applixca.pem

Then :
Enter keystore password: changeit
<== This is the default password.
Response :
Owner: OU="Applix, Inc.", O="Applix, Inc.", L=Westboro, ST=Massachusetts, C=US

Issuer: OU="Applix, Inc.", O="Applix, Inc.", L=Westboro, ST=Massachusetts, C=US

Serial number: c7cb4af62c85650a

Valid from: 11/27/06 3:48 PM until: 11/24/16 3:48 PM

Certificate fingerprints:

MD5: D9:2F:A5:40:3E:89:04:83:0F:F6:0E:25:54:2C:2A:A9

SHA1: AC:69:F8:FE:6F:37:5D:D6:90:90:8F:C8:99:9A:F0:EA:C3:2B:0C:E9


Trust this certificate? [no]: Y <== ensure to select yes.
The Certificate was added to the Java keystore.

Repeat the above steps for all the different JAVA JRE's that you may work with, setting your JAVA_HOME path accordingly.

[{"Product":{"code":"SS9RXT","label":"Cognos TM1"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"TM1 API","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF010","label":"HP-UX"}],"Version":"9.5.2;9.5.1;9.5;9.4 MR1;9.4;10.1.0;10.1.1;10.2","Edition":"Edition Independent","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
24 February 2020

UID

swg21414527