unable to find valid certification path to requested target
Two months ago my team moved to the Security organization and took over responsibility for the Identity Management / SSO demo landscape. This is an integrated solution intended to help sales and presales people better present products and integration to customers.
The live demo shows typical identity lifecycle use cases in a heterogeneous system landscape using SAP NetWeaver Identity Management (IDM).
Using the example of the BestRun Demo Company, it presents how SAP NetWeaver IDM manages the identity lifecycle. The visual below illustrates the demo system landscape.
The demo script itself covers five main use cases for Identity Management and integration with other SAP and non-SAP products. The demo is part of the Solution Experience project, which covers the most commonly used scenarios built on SAP software.
Our first main goal was to upgrade Identity Management to the latest released version, 7.2 SP8, and implement the newly developed features.
One of the challenges we faced was the lack of the newly issued SSL certificate for the Active Directory server used by Identity Management.
The use case was the hiring of a new employee in the HR system, represented by SAP ERP HCM, and the export to Identity Management. Identity Management then takes care of provisioning the needed authorizations to the newly created user and of creating users in Active Directory and the other systems used in the scenario.
During the provisioning procedure we were blocked by the following error message, logged in the job log of Identity Management.
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
The whole stack trace was:
ToDSADirect.init got exception, returning false.
– URL:ldap://<host>:<port> javax.naming.CommunicationException: cldvmxwi00041:636 [Root exception is javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target].
Thoughts, analysis, testing and work:
The first thing that came to my mind was to have a look at CSS and check whether the issue had already been reported, and I found customer ticket 674366 2012 in the CSS system. Unfortunately the root cause was not found, but there was some advice for further investigation which I found useful.
Solution:
1. Ensure that you have downloaded the latest issued server certificate from Active Directory. If you do not have RDP access, you can download it using OpenSSL.
2. Increase the stack trace level of the Dispatcher in Identity Management: Dispatcher->Policy->Java Runtime engine->Log level = Debug
3. Reproduce the issue, go to the job log and identify the Java home.
4. Import the certificate into the correct keystore, as described in section 7.4.1 of the SAP NetWeaver Identity Management security guide.
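Steps 1, 3 and 4 above as shell functions. This is an added example, not part of the original post or of SAP's documentation. It assumes OpenSSL and the JRE's keytool are available and that the keystore meant in step 4 is the cacerts file under the Java home found in step 3, with the default password changeit; the host, port, alias and file names are placeholders.

```sh
#!/bin/sh
# Added example. Assumptions: HOST, PORT, alias and file names are placeholders;
# the trust store is the cacerts file of the Java home from the job log,
# protected by the default password "changeit" unless STOREPASS is set.

# Keep only the first PEM block (the server's own certificate) from s_client output.
first_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { if (p) exit }'
}

# Step 1: download the certificate the directory server presents on HOST:PORT.
fetch_server_cert() {   # usage: fetch_server_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | first_pem_cert > "$3"
    [ -s "$3" ] || { echo "no certificate received from $1:$2" >&2; return 1; }
    # Show what is about to be trusted so it can be checked out of band.
    openssl x509 -in "$3" -noout -subject -issuer -dates -fingerprint -sha256
}

# Step 3: map the Java home reported in the job log to its trust store file.
cacerts_path() {   # usage: cacerts_path JAVA_HOME
    if [ -f "$1/jre/lib/security/cacerts" ]; then
        echo "$1/jre/lib/security/cacerts"   # JDK layout (Java 8 and older)
    else
        echo "$1/lib/security/cacerts"       # JRE layout
    fi
}

# Step 4: import into that trust store with the same JRE's keytool, then verify.
import_cert() {   # usage: import_cert JAVA_HOME ALIAS CERTFILE
    ks=$(cacerts_path "$1")
    cp -p "$ks" "$ks.bak" || return 1        # backup before modifying
    # No -noprompt: keytool displays the certificate and asks before trusting it.
    "$1/bin/keytool" -importcert -alias "$2" -file "$3" \
        -keystore "$ks" -storepass "${STOREPASS:-changeit}" || return 1
    "$1/bin/keytool" -list -alias "$2" -keystore "$ks" \
        -storepass "${STOREPASS:-changeit}"
}

# Run as: sh import_ldaps_cert.sh HOST PORT JAVA_HOME
if [ "$#" -eq 3 ]; then
    fetch_server_cert "$1" "$2" ldaps-server.pem &&
        import_cert "$3" idm-ad-ldaps ldaps-server.pem
fi
```

Compare the printed SHA-256 fingerprint with the one obtained from the Active Directory administrator before answering keytool's trust prompt, since a certificate fetched over the network is only as trustworthy as the path it came over.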