Skip to Content

In this blog, I am going to share how I fixed an login issue while trying to login to Cloud Platform Integration (CPI) tenant from Eclipse.

Symptom

I was able to connect and login to my CPI tenant from Eclipse (Neon) and doing anything I have to do, but no idea keeping login failed yesterday and I am pretty sure password is correct. The error message in the below is shown in Eclipse error log table:

com.sap.it.commons.command.CommandProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sap.it.commons.command.http.apacheclient.BackendCommandDispatcherApache.executeRequest(BackendCommandDispatcherApache.java:431)
	at com.sap.it.commons.command.http.apacheclient.BackendCommandDispatcherApache.process(BackendCommandDispatcherApache.java:261)
	at com.sap.it.commons.command.SynchronousProcessorBase.process(SynchronousProcessorBase.java:24)
	at com.sap.it.commons.command.eclipsechannel.simplepref.controls.HttpServerConnection$2.run(HttpServerConnection.java:206)
......
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 71 more

From error message, it’s very clear and pointing out that the certificate used by CPI is not in the trust list of local JDK keystore. I think maybe SAP updated CPI certificate recently, so this problem happened. Because it didn’t happen in last few months.

Solution

I think obviously the solution to fix this problem is to add CPI certificate into local JDK keystore. Here I am going to use a open source GUI tool call KeyStoreExplorer (http://keystore-explorer.org/) to achieve this. The tool is also mentioned in many other SAP blogs. I also use this tool to maintain/create required credentials for CPI when setting up SSH communication on CPI.

Firstly, you download and extract/install the program from official web site. I use JAR version from manual installation option and run following command prompt.

java -jar kse.jar

Second step, click “Open an existing KeyStore” and “by default” the keystore file “cacerts” is locate inside JDKFolder/jre/lib/security folder.

Third step, when you reach the right folder, pick up the right file and open it. The tool will prompt you entering password to open the keystore. Again “by default” the password is “changeit”.

Fourth step, if you didn’t change the password and file is not crash, you should be able to see many certificates inside the keystore. Now, we are going to add CPI certificate into the keystore. The easies way to do it is go to menu “Examine” –> “Examine SSL”.

In the dialog, you enter your tenant URL and SSL port 443, then click “OK” button.

The tool will retrieve the certificate as well as other certificates in the chain and showing on the screen. Next step, you select the root one, click “Import” button and give alias name to the certificate. After that the certificate will be imported into current open keystore.

The selected certificate should appear in the keystore list.

Last step, save the keystore and restart Eclipse. It solved my login problem.

Summary

Hopefully this blog helps someone who is encountering same problem like me and probably learn something that hasn’t seen before. Cheers.

 

 

To report this post you need to login first.

4 Comments

You must be Logged on to comment or reply to a post.

  1. Naresh Dasika

    Hello Nick,

    Thanks for sharing this valuable information from your experience.

    Few questions here:

    Despite of not having “JDK Keystore” on my local machine am able to connect to HCI tenant without any issues?

    Is it mandatory to have a CPI public certificate stored on the local machine to access HCI tenant?

     

    Thanks,

    Naresh

     

    (0) 
    1. Nick Yang Post author

      Hi Naresh,

      If keystore not existing in the JDK used by Eclipse, then you will get the same error like I showing in this blog. It is required to have CPI certificate in local JDK keystore. Cheers.

      Regards,

      Nick

      (0) 
  2. Gayathri Narayana

    Hello,

    The SAP recommended tooling for managing your integration content including security artifacts like keystores and certificates for SAP Cloud Platform Integration is the web UI. Eclipse tooling is no longer supported (except for specific use cases), refer to blog https://blogs.sap.com/2018/02/15/sap-cloud-platform-integration-finalizes-web-application-for-integration-developers/

    regards,

    Gayathri

     

     

    (0) 
    1. Nick Yang Post author

      Hi Gayathri,

      Thanks for the information and reminder. Because I was developing custom adapter at the time. So, Eclipse is still the only way to go with. I use WebUI from the beginning to develop all the integration flows. Thanks.

      Regards,

      Nick

      (0) 

Leave a Reply