IBM Support

RDi SSL connection fails with "!MESSAGE Error setting up keystore for Toolbox SSL"

Troubleshooting


Problem

Attempts to connect an IBM Rational Developer for i (RDi) client to an iSeries host using an SSL session results in the error "EVFA9113".

Symptom

You cannot connect to the i Series host using an SSL session from the RDi client.

Error log shows error and exception:

!ENTRY org.eclipse.rse.ui
!MESSAGE Error setting up keystore for Toolbox SSL.
!STACK 0
java.io.FileNotFoundException: C:\Program Files\IBM\SDP\jdk\jre\lib\security\jssecacerts (Access is denied.)

You may also receive the EVFA9113 error dialog stating that, The Secure connection to systemx could not be established.

Cause

RDi was not installed as administrator, so you cannot access the SSL keystore, or RDi was not started as an Administrator when the certificate was added to the keystore.

Diagnosing The Problem

Check <workspace>\.metadata\.log file for the following errors:

!ENTRY org.eclipse.rse.ui
!MESSAGE Error setting up keystore for Toolbox SSL.
!STACK 0
java.io.FileNotFoundException: C:\Program Files\IBM\SDP\jdk\jre\lib\security\jssecacerts (Access is denied.)
at java.io.FileOutputStream.<init>(FileOutputStream.java:115)
at com.ibm.etools.iseries.connectorservice.ToolboxConnectorSSLUtil.setupToolboxSSL(ToolboxConnectorSSLUtil.java:141)
at com.ibm.etools.iseries.connectorservice.ToolboxConnectorService.internalConnect(ToolboxConnectorService.java:153)
at org.eclipse.rse.core.subsystems.AbstractConnectorService$1.run(AbstractConnectorService.java:500)
at org.eclipse.rse.core.subsystems.AbstractConnectorService$SafeRunner.run(AbstractConnectorService.java:444)
at org.eclipse.rse.core.subsystems.AbstractConnectorService.connect(AbstractConnectorService.java:506)
at org.eclipse.rse.core.subsystems.SubSystem.connect(SubSystem.java:2545)
at org.eclipse.rse.internal.ui.actions.SystemConnectAllSubSystemsAction$ConnectAllJob.run(SystemConnectAllSubSystemsAction.java:75)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:53)

!ENTRY org.eclipse.rse.ui
!MESSAGE Error trying to establish secure connection to xx.x.xx.xx
!STACK 0
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Credentials Local CA, O=Credentials, L=xxx, ST=xx, C=xx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.j.a(j.java:10)
at com.ibm.jsse2.qc.a(qc.java:359)
at com.ibm.jsse2.ab.a(ab.java:385)
at com.ibm.jsse2.ab.a(ab.java:258)
at com.ibm.jsse2.bb.a(bb.java:157)
at com.ibm.jsse2.bb.a(bb.java:590)
at com.ibm.jsse2.ab.r(ab.java:59)
at com.ibm.jsse2.ab.a(ab.java:24)
at com.ibm.jsse2.qc.a(qc.java:204)
at com.ibm.jsse2.qc.h(qc.java:391)
at com.ibm.jsse2.qc.a(qc.java:273)
at com.ibm.jsse2.h.write(h.java:30)
at java.io.OutputStream.write(OutputStream.java:86)
at com.ibm.as400.access.DataStream.write(DataStream.java:314)
at com.ibm.as400.access.SignonExchangeAttributeReq.write(SignonExchangeAttributeReq.java:64)
at com.ibm.as400.access.AS400ImplRemote.signonConnect(AS400ImplRemote.java:2346)
at com.ibm.as400.access.AS400ImplRemote.signon(AS400ImplRemote.java:2250)
at com.ibm.as400.access.AS400.sendSignonRequest(AS400.java:3035)
at com.ibm.as400.access.AS400.promptSignon(AS400.java:2599)
at com.ibm.as400.access.AS400.signon(AS400.java:3910)
at com.ibm.as400.access.AS400.connectService(AS400.java:1168)
at com.ibm.etools.iseries.connectorservice.ToolboxConnectorService.internalConnect(ToolboxConnectorService.java:167)
at org.eclipse.rse.core.subsystems.AbstractConnectorService$1.run(AbstractConnectorService.java:500)
at org.eclipse.rse.core.subsystems.AbstractConnectorService$SafeRunner.run(AbstractConnectorService.java:444)
at org.eclipse.rse.core.subsystems.AbstractConnectorService.connect(AbstractConnectorService.java:506)
at org.eclipse.rse.core.subsystems.SubSystem.connect(SubSystem.java:2545)
at org.eclipse.rse.internal.ui.actions.SystemConnectAllSubSystemsAction$ConnectAllJob.run(SystemConnectAllSubSystemsAction.java:75)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:53)
Caused by: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Credentials Local CA, O=Credentials, L=xxx, ST=xxx, C=xxx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.jsse2.util.h.a(h.java:89)
at com.ibm.jsse2.util.h.b(h.java:72)
at com.ibm.jsse2.util.g.a(g.java:19)
at com.ibm.jsse2.yc.a(yc.java:113)
at com.ibm.jsse2.yc.a(yc.java:46)
at com.ibm.jsse2.yc.checkServerTrusted(yc.java:71)
at com.ibm.jsse2.bb.a(bb.java:336)
... 23 more
Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=Credentials Local CA, O=Credentials, L=xxx, ST=xxx, C=xx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilde   rImpl.java:410)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:256)
at com.ibm.jsse2.util.h.a(h.java:22)
... 29 more
Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=Credentials Local CA, O=Credentials, L=xx, ST=xxx, C=xx is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:176)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:737)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:649)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:595)
at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:356)
... 31 more
Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:297)
at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
... 36 more

Resolving The Problem

Procedure:

Note: If you have already installed RDi as an Administrator, then you need only follow steps 3-6 below.

  1. Uninstall RDi

  2. Install RDi as an Administrator

  3. Start RDi as Administrator

  4. Right click on the RDi icon

  5. Select Run As Administrator

  6. Add the SSL certificate to the keystore

[{"Product":{"code":"SSAE4W","label":"Rational Developer for i"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"General Information","Platform":[{"code":"PF033","label":"Windows"}],"Version":"9.0","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}]

Document Information

Modified date:
02 August 2018

UID

swg21657131

Page Feedback