Documentation
API
Q&A
Read
AnnouncementsArticlesWebsite tips
Learn
Getting StartedManagerMaestroAnalyticsExchangeWorkspaces
Resources
VideosDownloadsExchange PackagesRelease Notes
Ideas
Contact
Platform
Manager
Maestro
Exchange
Workspaces
Analytics
Springboard

SSL Certificate Chain Issues in Transact SDK

   Transact APIThis topic is related to a legacy Transact API product.  |    Platform Developer  |  All versions This feature is related to all versions.

When attempting to use the SDK to deploy a form to a Transact server (using the app-deploy Ant task), you may encounter the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This error occurs when the server has a SSL certificate where the certificate chain cannot be resolved, and therefore cannot be trusted. This should only occur on non-production systems, if it occurs on a production system, it indicates an error that you should fixed.

Fixing this error is relatively straight forward, although a little tedious.

Download all the certificates for the Manager server

Log in to Manager, and then follow the following article to download all the certificates in the certificate chain:

http://docs.bvstools.com/home/ssl-documentation/exporting-certificate-authorities-cas-from-a-website

Note that you do need all the certificates in the chain - although some of them may already be installed in your Java default certificate store.

This online checker may also help to understand your site's certificates: https://www.sslchecker.com/sslchecker

Install the certificates into the Java SDK

First identify the correct JDK installation. This should be the one that is configured in your IDE to be used when running the Ant tasks. (Refer to IDE tool to determine this.)

Then open a command prompt, and navigate into the java/jdk-xxx/bin directory, then execute the following commands:

Command Description
keytool -cacerts-list List. This dumps a list of the existing certificates in the store. If this runs successfully, then you are ready to run actual commands.
keytool -cacerts -import -trustcacerts -storepass changeit -alias your_lias -file "C:\temp\somecert.cer"

Import. This imports one of the downloaded certificates into the certificate store. You should start with the top level certificate, and work your way down. If you get a message saying the certificate already exists, don't import it.
keytool -delete -cacerts -storepass changeit -alias <somealias> Delete. If you accidentally do the wrong thing, you can remove a certificate using this command.

Please notes the following:

  • More recent versions of keytool use the -cacerts command to identify the default cacerts store. If your version of Java does not support this option, replace with -keystore ../lib/security/cacerts
  • -storepass <password> specifies the password is the cacerts file. The default password is "changeit".
  • -alias your_alias - you can use any alias you want, but it should match the certificate name.
  • The commands are for a Windows installation - other platforms may vary.

Next, learn about the benefits of using Groovy in Manager.