IBM Support

IBM Business Process Manager (BPM) cannot connect to Blueworks Live due to a missing or expired certificate prior to V8.5.6.0

Troubleshooting


Problem

If you subscribe to Blueworks Live processes from IBM Process Designer in a version of IBM Business Process Manager (BPM) prior to V8.5.6.0, you might encounter a connectivity problem because the Blueworks Live signer certificate in the WebSphere default trust store is missing or has expired.

Symptom

A CertPathValidatorException or CertPathBuilderException might be returned in the subscription page of Process Designer, or it might be found in the SystemOut.log file. Additionally, a window might indicate a failure to retrieve a valid Blueworks Live signer certificate.

Cause

The signer certificate for Blueworks Live that was shipped with older versions of IBM Business Process Manager has expired. In addition, starting with IBM Business Process Manager V8.5, the installation process no longer imports the certificate into the trust store.

Environment

This issue pertains to all supported platforms, architectures, and versions of IBM Business Process Manager that are running on IBM WebSphere Application Server.

Diagnosing The Problem

On some versions of IBM Business Process Manager, an error window shows a message like the following (the issuer DN, shown here as ???, names the CA whose signer is missing from the trust store, which is the certificate you must import):

com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by OU=???, O=???, C=?? is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error

Or, you might see an error window with the following message:

Failed to retrieve a valid Blueworks Live signer certificate.

Starting with IBM BPM V8.5.6.0, there is a dedicated SSL configuration that points to a dedicated trust store containing the expected signer certificate for Blueworks Live. If you experience certificate validation issues in V8.5.6.0 or later, check the signer certificate in the WebSphere administrative console under SSL certificate and key management > Key stores and certificates > BlueWorksLiveTrustStore > Signer certificates. The expected certificate is issued by GeoTrust.

If Blueworks Live has changed the signer of its certificate, or a network intermediary (such as a TLS-inspecting proxy) presents a different certificate, you can import the presented signer with the "Retrieve from port" button, using host name www.blueworkslive.com and port 443. Note that this button imports whatever signer the other end of the connection presents, so an intercepting proxy, or an attacker on the network path, would be trusted just as readily as Blueworks Live itself. Compare the subject, issuer, expiration date and fingerprint shown in the console with a value you obtained out of band (for example, the certificate published by Blueworks Live or by the issuing CA, or the signer that your proxy team operates) and import it only if they match.

Resolving The Problem

Before you can subscribe to Blueworks Live processes, the administrator must import the Blueworks Live signer certificates into the IBM Business Process Manager server truststore. For more information, see Adding a signer certificate to the default signers keystore in the WebSphere Application Server Information Center.

A related problem is that the wrong trust store is used for the certificate check. Verify that APAR JR46822 is installed, if it applies to your version of IBM Business Process Manager.

To import the Blueworks Live signer into the trust store that the check uses, complete the following steps:

  1. Log in to the administrative console.

  2. Expand the Security category.

  3. Select SSL certificate and key management.

  4. Under the Related Items section, select Key stores and certificates.

  5. Select CellDefaultTrustStore for IBM Business Process Manager Standard or IBM Business Process Manager Advanced, which are Network Deployment topologies, or select NodeDefaultTrustStore for IBM Business Process Manager Express.

  6. Under Additional Properties, select Signer certificates.

  7. If you have not downloaded the certificates from Blueworks Live, complete the following steps:
    1. Select Retrieve from port and specify www.blueworkslive.com for the host name and 443 for the port number.
    2. Choose a memorable alias, such as "Blueworks Live."
    3. Select Retrieve signer information and verify the information in the certificate: the issuer, the subject, the expiration date and the fingerprint. The console shows whatever signer the remote end of the TLS connection presented, so compare the fingerprint with a value obtained out of band rather than accepting it because it was retrieved.
    4. If the certificate is correct, select OK and select the Save the settings to the master configuration option if prompted.

  8. If you have previously downloaded the certificates from Blueworks Live, complete the following steps:
    1. Select Add.
    2. Specify the path to the certificate file.
    3. Choose a memorable alias, such as "Blueworks Live."
    4. Select OK and select the Save the settings to the master configuration option if prompted.

  9. Restart the IBM Business Process Manager cluster.


You can complete the same steps from the command line with wsadmin (Jython). The following command corresponds to step 7.3: it only displays the signer that www.blueworkslive.com:443 presents (subject, issuer, serial number, expiration and fingerprint) so that you can check it before trusting it; replace PCCell1 with your cell name:
AdminTask.retrieveSignerInfoFromPort('[-host www.blueworkslive.com -port 443 -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):PCCell1 ]')
If the displayed signer is the one you expect, import it with AdminTask.retrieveSignerFromPort, which takes the same -host, -port, -sslConfigName and -sslConfigScopeName parameters plus -keyStoreName (CellDefaultTrustStore or NodeDefaultTrustStore), -keyStoreScope and -certificateAlias, and then run AdminConfig.save() to persist the change.
Alternatively, you can complete the following steps to add signer certificates using the IBM Key Management tool (ikeyman):

  1. Download the Blueworks Live certificate from the following URL: https://www.blueworkslive.com/certificate.txt

  2. Run the IBM Key Management tool, which is located at WAS_Install_Root\bin\ikeyman.bat (ikeyman.sh on UNIX and Linux systems).

  3. Open the key database file: change the key database type to PKCS12, select your trust store, and select OK.

    The default trust store is named trust.p12. For IBM Business Process Manager Standard and IBM Business Process Manager Advanced installations it is located in the deployment manager profile directory, for example:
    WAS_Install_Root\profiles\DmgrProfile\config\cells\PCCell1\trust.p12
    For IBM Business Process Manager Express installations it is the node-scoped store in the node profile directory, under config\cells\<cell>\nodes\<node>\trust.p12.

  4. If prompted for the trust store password, use the default password, which is WebAS, unless your administrator has changed it. (WebAS is the well-known default for WebSphere-generated key stores; if your trust store still uses it, changing it is a separate hardening step.)

  5. Under Key database content, select the Signer Certificates category.

  6. Click Add and navigate to the certificate file that you downloaded earlier. You might need to select All files if the certificate file is not listed.

  7. Choose a memorable label for the certificate, such as "Blueworks Live", and select OK.
    The trust store is saved automatically.

  8. Exit the IBM Key Management tool.

  9. Restart the IBM Business Process Manager server.
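The following script is an added example; it is not part of the IBM technote and not IBM tooling. It pulls the checks that the procedures above ask for ("double check whether it meets your expectation" in the Diagnosing section, "verify the information in the certificate" in step 7, and the ikeyman import of the downloaded certificate.txt) into one verify-then-import procedure built on openssl and keytool, with a wsadmin variant for the retrieve-from-port path. Everything it assumes is spelled out in the comments: the expected SHA-256 fingerprint (EXPECTED_SHA256) comes from a trusted out-of-band source and is a placeholder, not a value from this page; WAS_HOME, TRUST_STORE, STORE_PASS and CELL default to the paths, password and cell name that appear on this page; the file name bwl_signer.sh and alias blueworkslive are arbitrary; and certificate.txt is assumed to be PEM.

```shell
#!/bin/sh
# Added example, not from the IBM technote and not IBM tooling: verify the Blueworks
# Live signer certificate against an out-of-band value before trusting it, then
# import it into the WebSphere trust store. Mirrors the console / ikeyman steps above.
#
# Assumptions (placeholders, not values taken from the page):
#   EXPECTED_SHA256 - the signer's SHA-256 fingerprint obtained from a trusted
#                     channel (the issuing CA, Blueworks Live, or your proxy team),
#                     NOT copied from whatever the network just presented.
#   WAS_HOME, TRUST_STORE, STORE_PASS, CELL - installation-specific; the defaults
#                     follow the paths, password (WebAS) and cell name (PCCell1)
#                     that appear on this page.
#   certificate.txt is assumed to be PEM; add "-inform DER" to openssl if it is DER.

HOST=${HOST:-www.blueworkslive.com}
PORT=${PORT:-443}
ALIAS=${ALIAS:-blueworkslive}
CELL=${CELL:-PCCell1}
WAS_HOME=${WAS_HOME:-/opt/IBM/WebSphere/AppServer}
TRUST_STORE=${TRUST_STORE:-$WAS_HOME/profiles/DmgrProfile/config/cells/$CELL/trust.p12}
STORE_PASS=${STORE_PASS:-WebAS}
EXPECTED_SHA256=${EXPECTED_SHA256:-}

# Fingerprints are printed differently by different tools (openssl prints
# "SHA256 Fingerprint=AB:CD:...", the console prints colon-separated hex, people
# paste lower-case). Strip the label, colons and whitespace and upper-case the hex
# so that two fingerprints can be compared as plain strings.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^[^=]*=//' | tr -d ': \t\n\r' | tr 'a-f' 'A-F'
}

# Show what ikeyman or the console would show for a downloaded certificate file:
# subject, issuer, validity period and SHA-256 fingerprint.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Succeed only if the certificate is still valid (expiry is the root cause this
# page describes) and its SHA-256 fingerprint equals the out-of-band expected value.
verify_cert() {
    cert=$1
    if [ -z "$EXPECTED_SHA256" ]; then
        echo "refusing to import: EXPECTED_SHA256 is not set" >&2
        return 1
    fi
    # -checkend 0 exits non-zero if the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "refusing to import: certificate in $cert has expired" >&2
        return 1
    fi
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$EXPECTED_SHA256")" ]; then
        echo "refusing to import: fingerprint mismatch (presented: $actual)" >&2
        return 1
    fi
}

# Same effect as the ikeyman steps (Signer Certificates > Add), but scriptable.
# This edits the store file directly, so run it where that file lives (the
# deployment manager for ND, the node for Express) and restart afterwards.
import_with_keytool() {
    keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file "$1" \
        -keystore "$TRUST_STORE" -storetype PKCS12 -storepass "$STORE_PASS"
}

# Alternative through the WebSphere configuration: retrieveSignerFromPort fetches
# the signer from $HOST:$PORT and adds it to the named trust store. It trusts
# whatever the network path presents, so only use it after verify_cert has
# passed on the same signer.
import_with_wsadmin() {
    "$WAS_HOME/bin/wsadmin.sh" -lang jython \
        -c "AdminTask.retrieveSignerFromPort('[-host $HOST -port $PORT -keyStoreName CellDefaultTrustStore -keyStoreScope (cell):$CELL -certificateAlias $ALIAS -sslConfigName CellDefaultSSLSettings -sslConfigScopeName (cell):$CELL ]')" \
        -c "AdminConfig.save()"
}

# Usage: bwl_signer.sh /path/to/certificate.txt [keytool|wsadmin]
main() {
    cert=$1
    method=${2:-keytool}
    show_cert "$cert"
    verify_cert "$cert" || exit 1
    case $method in
        keytool) import_with_keytool "$cert" ;;
        wsadmin) import_with_wsadmin ;;
        *) echo "unknown import method: $method" >&2; exit 2 ;;
    esac
    echo "imported signer '$ALIAS'; restart the IBM BPM server or cluster to pick it up"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The import functions are never reached unless verify_cert has passed, which is the point of the script: a fingerprint that was merely retrieved from the network proves nothing about who is on the other end, while a fingerprint that matches a value obtained through a separate channel does. Run show_cert on its own if you only want to inspect a downloaded certificate.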

Applies to

IBM Business Process Manager Standard, component Security, on AIX, Linux, Solaris and Windows: versions 8.5.6, 8.5.5, 8.5, 8.0.1, 8.0, 7.5.1, 7.5
IBM Business Process Manager Express, component Security, on Linux and Windows: versions 8.5.6, 8.5.5, 8.5, 8.0.1, 8.0, 7.5.1, 7.5
IBM Business Process Manager Advanced, component Security, on AIX, Linux, Solaris, Windows and z/OS: versions 8.5.6, 8.5.5, 8.5, 8.0.1, 8.0, 7.5.1, 7.5
WebSphere Lombardi Edition, component Security, on AIX, Linux, Solaris and Windows: versions 7.2, 7.1, 6.2

Product Synonym

BPM

Document Information

Modified date:
15 June 2018

UID

swg21614684