Certificate error while connecting to MQ through HermesJMS - ssl

I am not very much familiar with HermesJMS.
I have HermesJMS configured to connect some MQs sometime back and it was working fine. then I stopped using it. Now I am trying to connect to the same set of MQs, I am getting below error.
com.ibm.mq.MQException: MQJE001: Completion Code 2, Reason 2397
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:282)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11._createManagedConnection(MQClientManagedConnectionFactoryJ11.java:301)
at com.ibm.mq.MQClientManagedConnectionFactoryJ11.createManagedConnection(MQClientManagedConnectionFactoryJ11.java:323)
at com.ibm.mq.StoredManagedConnection.<init>(StoredManagedConnection.java:84)
at com.ibm.mq.MQSimpleConnectionManager.allocateConnection(MQSimpleConnectionManager.java:173)
at com.ibm.mq.MQQueueManagerFactory.obtainBaseMQQueueManager(MQQueueManagerFactory.java:795)
at com.ibm.mq.MQQueueManagerFactory.procure(MQQueueManagerFactory.java:709)
at com.ibm.mq.MQQueueManagerFactory.constructQueueManager(MQQueueManagerFactory.java:664)
at com.ibm.mq.MQQueueManagerFactory.createQueueManager(MQQueueManagerFactory.java:160)
at com.ibm.mq.MQQueueManager.<init>(MQQueueManager.java:554)
at com.ibm.mq.MQSPIQueueManager.<init>(MQSPIQueueManager.java:62)
at com.ibm.mq.jms.MQConnection.createQM(MQConnection.java:2513)
at com.ibm.mq.jms.MQConnection.createQMNonXA(MQConnection.java:1936)
at com.ibm.mq.jms.MQQueueConnection.<init>(MQQueueConnection.java:161)
at com.ibm.mq.jms.MQQueueConnectionFactory.createQueueConnection(MQQueueConnectionFactory.java:222)
at com.ibm.mq.jms.MQQueueConnectionFactory.createConnection(MQQueueConnectionFactory.java:1077)
at hermes.impl.jms.ConnectionManagerSupport.createConnection(ConnectionManagerSupport.java:126)
at hermes.impl.jms.ConnectionSharedManager.reconnect(ConnectionSharedManager.java:77)
at hermes.impl.jms.ThreadLocalSessionManager.reconnect(ThreadLocalSessionManager.java:148)
at hermes.impl.DefaultHermesImpl.reconnect(DefaultHermesImpl.java:130)
at hermes.impl.DefaultHermesImpl.getDestination(DefaultHermesImpl.java:364)
at hermes.browser.tasks.BrowseDestinationTask.invoke(BrowseDestinationTask.java:141)
at hermes.browser.tasks.TaskSupport.run(TaskSupport.java:175)
at hermes.browser.tasks.ThreadPool.run(ThreadPool.java:170)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.ibm.mq.SSLHelper.configureSSLSocket(SSLHelper.java:768)
at com.ibm.mq.SSLHelper.createSSLSocket(SSLHelper.java:154)
at com.ibm.mq.MQInternalCommunications.createSocketConnection(MQInternalCommunications.java:2335)
at com.ibm.mq.MQv6InternalCommunications$1.run(MQv6InternalCommunications.java:169)
at java.security.AccessController.doPrivileged(Native Method)
at com.ibm.mq.MQv6InternalCommunications.initialize(MQv6InternalCommunications.java:166)
at com.ibm.mq.MQv6InternalCommunications.<init>(MQv6InternalCommunications.java:114)
at com.ibm.mq.MQSESSIONClient.MQCONNX(MQSESSIONClient.java:1458)
at com.ibm.mq.MQSESSIONClient.spiConnect(MQSESSIONClient.java:4610)
at com.ibm.mq.MQManagedConnectionJ11.<init>(MQManagedConnectionJ11.java:246)
... 24 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 42 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 48 more
I know this is something to do with the certificate as it is giving SSLHandshakeException, but I am not pretty sure where I should be checking the configuration.
As per my knowledge there is no change in the configuration. (I can't be sure about it as MQs are managed by a different team and they don't bother to communicate the changes to rest of the world).
How can I verify and confirm if it is the certificate issue and no other configuration problem.

If you doesn't change nothing in your configuration the most probably thing is that the service endpoint change or renew its server domain certificate and due this it's not a trusted certificate for your configuration anymore.
To solve the problem you need to add the certificate authority in your truststore (or directly the server domain certificate for a selfsigned certs).
SOAPUI it's Java based, and Java comes with its own truststore. The good practice is to add the CA certificates to your truststore (however it's possible to only add the server certificate). You can add it using keytool with the follow command:
keytool -import -alias <someAlias> -file <certificatePath> -keystore <trustStorePath>
Depends on your SOAPUI installation the truststore location can differs, if you have a JRE bundled inside SOAPUI then your truststore are in SOAPUI_HOME/jre/lib/security/cacerts if not, then is in your Java installation which runs SOAPUI in $JAVA_HOME/JRE/Security/cacerts (default password for both are changeit).
Hope it helps,

Related

WSO2 EI: Expired certificate error when connecting from embedded MI to EI analytics server

Downloaded wso2ei-analytics-7.1.0 and started the server and dashboard. Then I enabled statistics for the APIs and endpoints and added the following config into the embedded MI of the Integration studio:
[mediation]
flow.statistics.enable=true
stat.tracer.collect_payloads=true
stat.tracer.collect_mediation_properties=true
flow.statistics.capture_all=true
When starting the embedded MI I get the following error saying some certificate has expired:
[2022-06-23 09:47:40,001] ERROR {DataEndpointConnectionWorker} - Error while trying to connect to the endpoint. Cannot borrow client for ssl://localhost:7712. org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Cannot borrow client for ssl://localhost:7712.
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:145)
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:59)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Error while trying to login to the data receiver.
at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftDataEndpoint.login(ThriftDataEndpoint.java:54)
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:139)
... 6 more
Caused by: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:161)
at org.apache.thrift.TServiceClient.sendBase(TServiceClient.java:65)
at org.wso2.carbon.databridge.commons.thrift.service.secure.ThriftSecureEventTransmissionService$Client.send_connect(ThriftSecureEventTransmissionService.java:104)
at org.wso2.carbon.databridge.commons.thrift.service.secure.ThriftSecureEventTransmissionService$Client.connect(ThriftSecureEventTransmissionService.java:95)
at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftDataEndpoint.login(ThriftDataEndpoint.java:47)
... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1339)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1214)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1157)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:814)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1184)
at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:159)
... 11 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1323)
... 26 more
Caused by: java.security.cert.CertPathValidatorException: validity check failed
at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
... 32 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Jan 25 13:00:43 IST 2022
at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:675)
at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
I am assuming the MI trust store does not have the correct certificate. But how do I resolve this?
Go to your Analytics server and then export the public key from the Keytore with the following command. The default password is wso2carbon
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file <public key name>.pem
Then in your MI server, import the public key that you extracted to the client-trustore.
keytool -import -alias analyticskey -file <public key name>.pem -keystore client-truststore.jks -storepass wso2carbon

Getting an error when starting Jenkins with PEM certificate

I recently set up my jenkins ci server, and I wanted to add HTTPS SSL certification. I got a certificate from Let's Encrypt and I have the certificate and private key as PEM files, according to the documentation, I can pass the paths of the two files to jenkins by command-line arguments(I use the integrated Winston server in the jenking WAR file). My startup command looks like this:
java -jar jenkins.war
--httpPort=8080
--httpsPort=443
--httpsCertificate=path/to/certificate.pem
--httpsPrivateKey=path/to/key.pem
But when I start jenkins I get this error:
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:212)
at winstone.Launcher.<init>(Launcher.java:172)
at winstone.Launcher.main(Launcher.java:355)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at Main._main(Main.java:375)
at Main.main(Main.java:151)
Caused by: winstone.WinstoneException: Cannot load private key; try using a Java keystore instead.
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:156)
at winstone.AbstractSecuredConnectorFactory.configureSsl(AbstractSecuredConnectorFactory.java:81)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:33)
at winstone.Launcher.spawnListener(Launcher.java:210)
... 8 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:151)
... 11 more
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:545)
... 16 more
2020-05-02 16:14:21.351+0000 [id=1] SEVERE winstone.Logger#logInternal: Container startup failed
java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:545)
Caused: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:151)
Caused: winstone.WinstoneException: Cannot load private key; try using a Java keystore instead.
at winstone.AbstractSecuredConnectorFactory.readPEMRSAPrivateKey(AbstractSecuredConnectorFactory.java:156)
at winstone.AbstractSecuredConnectorFactory.configureSsl(AbstractSecuredConnectorFactory.java:81)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:33)
at winstone.Launcher.spawnListener(Launcher.java:210)
Caused: java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:212)
at winstone.Launcher.<init>(Launcher.java:172)
at winstone.Launcher.main(Launcher.java:355)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at Main._main(Main.java:375)
at Main.main(Main.java:151)
The old jenkins documentation has notes on using java keystore, not sure why the latest (2.235.3) has changed HTTPS notes to using pem/key files.
You may refer to https://github.com/garyttt/unattended_jenkins_image_build, pick up the shell functions and run the generate_self_signed_jks.sh to generate a testing .jks file.
The syntax is for example:
JENKINS_OPTS="--prefix=/jenkins --httpPort=-1 --httpsPort=8083 --httpsKeyStore=/var/jenkins_home/selfsigned.jks --httpsKeyStorePassword=secret"
In case you need the content of the shell function, it is:
$ display_shell_function generate_self_signed_jks
generate_self_signed_jks ()
{
keytool -genkey -keyalg RSA -alias selfsigned -keystore selfsigned.jks -validity 365 -keysize 4096;
keytool -export -alias selfsigned -keystore selfsigned.jks -rfc -file selfsigned.cer;
keytool -list -v -keystore selfsigned.jks;
keytool -importkeystore -srckeystore selfsigned.jks -destkeystore selfsigned.p12 -deststoretype pkcs12
}
OR
You may convert .pem file to .jks as per convert certificate from pem into jks

SOLR not starting with SSL

I have setup solr on local system. It works fine without ssl however for SSL solr gives exception:
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
at org.eclipse.jetty.start.Main.start(Main.java:457)
at org.eclipse.jetty.start.Main.main(Main.java:75)
Caused by: java.io.IOException: Invalid keystore format
I have generated p12 and jks using commands:
“C:\Program Files\Java\jdk-10.0.1\bin\keytool.exe” -genkeypair -alias solr-ssl -keyalg RSA -keysize 2048 -keypass secret -storepass secret -validity 9999 -keystore solr-ssl.keystore.jks -ext SAN=DNS:localhost,IP:127.0.0.1 -dname “CN=localhost, OU=Organizational Unit, O=Organization, L=Location, ST=State, C=Country”
and
“C:\Program Files\Java\jdk-10.0.1\bin\keytool.exe” -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.p12 -srcstoretype jks -deststoretype pkcs12
Kept secret as password for all phrases. Copied the jks and p12 file to solr-6.6.2/server/etc folder. Updated the solr.in.cmd file and uncommented these lines:
SET SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.jks
SET SOLR_SSL_KEY_STORE_PASSWORD=secret
SET SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.jks
SET SOLR_SSL_TRUST_STORE_PASSWORD=secret
SET SOLR_SSL_NEED_CLIENT_AUTH=false
SET SOLR_SSL_WANT_CLIENT_AUTH=false
SET SOLR_SSL_KEY_STORE_TYPE=JKS
SET SOLR_SSL_TRUST_STORE_TYPE=JKS
When I try to run with: solr -p 8984 it gives the above said exception.
Can you please help me out with the setup. Been googling but can't seem to find the resolution.
Ok I have resolved the issue. Seems like my java version was
"1.8.0 ea"
. When I uninstalled and reinstalled the new version
"1.8.0_171"
, solr started in https.
I also tried java version 10 and it had the same issue with solr 6.6.2

Unable to call adapter procedure in MobileFirst V8.0 Consumer Edition

I am using MobileFirst V8.0 Consumer Edition. I have setup a test server for my app. When I am calling the adapter procedure(which is protected by the security check) from the mobile app I am getting below error in the server:
[8/25/16 15:10:08:879 CDT] 0000010b com.ibm.mfp.server.az.internal.ConfidentialClientHelper E Unable to sign access token
com.ibm.mfp.server.security.shared.webtoken.WebTokenException: com.ibm.mfp.server.security.shared.webtoken.WebTokenException: Unsupported credentials type
at com.ibm.mfp.server.security.shared.webtoken.JWS.sign(JWS.java:191)
at com.ibm.mfp.server.az.internal.ConfidentialClientHelper.generateAccessToken(ConfidentialClientHelper.java:94)
at com.ibm.mfp.server.az.internal.token.TokenEndpointImpl.generateTokenResponse(TokenEndpointImpl.java:170)
at com.ibm.mfp.server.az.internal.token.TokenEndpointImpl.serveAuthorizationCodeGrantType(TokenEndpointImpl.java:147)
at com.ibm.mfp.server.az.internal.token.TokenEndpointImpl.getToken(TokenEndpointImpl.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.springframework.web.method.support.InvocableHandlerMethod.doInvoke(InvocableHandlerMethod.java:221)
at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:137)
at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:110)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:776)
at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:705)
at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:85)
at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:966)
at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:868)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:595)
at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:842)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1285)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:776)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:473)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1104)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:81)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:912)
at com.ibm.ws.webcontainer.osgi.DynamicVirtualHost$2.run(DynamicVirtualHost.java:262)
at com.ibm.ws.http.dispatcher.internal.channel.HttpDispatcherLink$TaskWrapper.run(HttpDispatcherLink.java:955)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.ibm.mfp.server.security.shared.webtoken.WebTokenException: Unsupported credentials type
at com.ibm.mfp.server.security.shared.webtoken.PKICredentials.getRsaPublicKey(PKICredentials.java:120)
at com.ibm.mfp.server.security.shared.webtoken.PKICredentials.createWebKey(PKICredentials.java:96)
at com.ibm.mfp.server.security.shared.webtoken.PKICredentials.createHeader(PKICredentials.java:48)
at com.ibm.mfp.server.security.shared.webtoken.JWS.sign(JWS.java:186)
... 32 more
Also, I am using User Defined keystore in my MFP server Instance.
I Regenerated the keystore using below command with -keyalg RSA option as described in this documentation and reconfigured the keystore and this error went away:
keytool -keystore <keystore name> -genkey -alias <alias name> -keylag RSA
Earlier I refered the guide in MFP Console named Create Your Own keystore in the MobileFirst Console from following location Runtime Settings --> Keystore and there -keyalg RSA option was missing.

unable to find valid certification path to requested target(sun.security.provider.certpath.SunCertPathBuilderException: )

I have a worklight application which is deployed on worklight V6.0, trying to hit LDAP server for authentication...and trying for https enablement for the application.
I am getting below exceptions.
javax.naming.CommunicationException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
[Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target]; remaining name
'ou=bluepages,o=ibm.com'
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
please suggest.
Thanks
Looks like the LDAP server secured by self signed key and the worklight keystore hasn't its public certificate.
Check the keystore defined by "ssl.keystore.*" in worklight.properties file and import LDAP certificate into the keystore if it needed.
The solution that worked for me:
Install the certificate using keytool command in the correct jre folder. My eclipse was using the jre for execution and earlier I installed the certificates in jdk folder.
keytool -import -trustcacerts -keystore "C:\Program Files\Java\jre1.8.0_192\lib\security\cacerts" -storepass changeit -alias LDAPRoot -import -file "xxxxxxxx.cer