sun.security.validator.ValidatorException: PKIX path building failed:

com.iplanet.services.comm.client.SendRequestException: sun.security.validator.ValidatorException: PKIX path building failed:

Refer 1:

Fix for PKIX path building failed Error:sun.security.provider.certpath.SunCertPathBuilderException

All you need to do to fix this error is to add the server certificate to your trusted Java key store. First You need to download the document from the server.

To download:access the URL of the service from any browser.You will get a certificate related warning message. Click on view certificate and then Install certificate. You can export the certificate from browser to some location in hard drive (In IE go to Tools->’Internet Options’ ->Content->Certificates).

Once you have the certificate in your hard drive you can import it to the Java trust store. To import the certificate to the trusted Java key store, you can use the java ‘keytool‘ tool.
Usekeytoolcommand as follows to import the certificate to JRE.

keytool -import -alias _alias_name_ -keystore ..\lib\security\cacerts -file _path_to_cer_file

It will ask for a password. By default the password is “changeit”. If the password is different you may not be able to import the certificate.
Note:You can also use theinstallcertjava program fromhere.
Once completed restart/re-run your client application. You will be able to see successful SSL handshakes.

Refer 2:

I did with following steps but its throwing exception:

1.I have installed openam 10.0.0 on windows server 2003.

2.Configured tomcat with ssl on the same windows server machine.

3.It is configured correctly and openam url is accessible with https.

4.Installed openam client sdk on another machine which is ubuntu machine and from that ubuntu machin i am trying to login to openam server using

        AuthContext lc = new AuthContext("/","https://server.ensarm.com:8443/openam/namingservice");
        AuthContext.IndexType indexType = AuthContext.IndexType.MODULE_INSTANCE;
        lc.login(indexType, "DataStore");
        return lc;

But i am getting following exception:

ERROR: Naming service connection failed for https://server.ensarm.com:8443/openam/namingservice
com.iplanet.services.comm.client.SendRequestException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I didn't understand what could be the problem.Is it due to to my java keystore (needed for ssl configuration) is on windows server machine and i have no keystore on ubuntu machine,

OR

need to import keystore into ubuntu machine.?? Please can anyone help me to get out of this.

8 down vote accepted

“javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:”It means the server does not have a valid certificate from an Authorized CA. You are facing this exception because you are try to connect through SSL (https). You would need to import the server certificate into the JRE KeyStore. Perform the following steps to resolve it: Getting the certificate: Type the URL (e.g.https://server.ensarm.com:8443/openam/namingservice) in your browser. You will now probably see a dialog box warning you about the certificate. Now click on the 'View Certificate' and install the certificate. Ignore any warning messages. Next step would be to install export the certificate and installing it in the jre keystore. Use keytool certificate management utility to perform thishttp://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html . Exporting certificate: Go to Tools->'Internet Options' ->Content->Certificates. Once you open the certificates, locate the one you just installed under 'Trusted Root Certification Authorities". Select the right one and click on 'export'. You can now save it (DER encoded binary) as e.g. mycert.cer. Go to JRE\BIN and use the keytool -import command to import the file into your cacerts keystore. E.g. keytool --import -alias MYCA -keystore ..\lib\security\cacerts -file c:\mycert.cer. Enter keystore password: (by default it will be “changeit”).Input “yes” to the prompts. Run command keytool -list -keystore ..\lib\security\cacerts . You will now see a list of all the certificates including the one you just added.