JDK Keystore with Eclipse Cloud Platform Integration tool
In this blog, I am going to share how I fixed a login issue while trying to log in to a Cloud Platform Integration (CPI) tenant from Eclipse.
Symptom
I was able to connect and log in to my CPI tenant from Eclipse (Neon) and do everything I needed to, but yesterday the login kept failing and I had no idea why; I am pretty sure the password is correct. The error message below is shown in the Eclipse error log table:
com.sap.it.commons.command.CommandProcessingException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sap.it.commons.command.http.apacheclient.BackendCommandDispatcherApache.executeRequest(BackendCommandDispatcherApache.java:431)
at com.sap.it.commons.command.http.apacheclient.BackendCommandDispatcherApache.process(BackendCommandDispatcherApache.java:261)
at com.sap.it.commons.command.SynchronousProcessorBase.process(SynchronousProcessorBase.java:24)
at com.sap.it.commons.command.eclipsechannel.simplepref.controls.HttpServerConnection$2.run(HttpServerConnection.java:206)
......
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 71 more
From the error message, it’s very clear that the certificate used by CPI is not in the trust list of the local JDK keystore. I think maybe SAP updated the CPI certificate recently and that is why this problem happened, because it didn’t happen in the last few months.
Solution
I think the obvious solution to this problem is to add the CPI certificate to the local JDK keystore. Here I am going to use an open source GUI tool called KeyStoreExplorer (http://keystore-explorer.org/) to achieve this. The tool is also mentioned in many other SAP blogs. I also use this tool to maintain/create the required credentials for CPI when setting up SSH communication on CPI.
Firstly, download and extract/install the program from the official web site. I use the JAR version from the manual installation option and run the following command at the command prompt.
java -jar kse.jar
Second step, click “Open an existing KeyStore”. “By default” the keystore file “cacerts” is located inside the JDKFolder/jre/lib/security folder.
Third step, when you reach the right folder, pick the right file and open it. The tool will prompt you to enter the password to open the keystore. Again, “by default” the password is “changeit”.
Fourth step, if you didn’t change the password and the file is not corrupted, you should be able to see many certificates inside the keystore. Now we are going to add the CPI certificate to the keystore. The easiest way to do it is to go to the menu “Examine” –> “Examine SSL”.
In the dialog, enter your tenant URL and SSL port 443, then click the “OK” button.
The tool will retrieve the certificate, as well as the other certificates in the chain, and show them on the screen. Next step, select the root one, click the “Import” button and give the certificate an alias name. After that, the certificate will be imported into the currently open keystore.
The selected certificate should appear in the keystore list.
Last step, save the keystore and restart Eclipse. It solved my login problem.
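Added example (not part of the original blog): the same import done with the JDK's own keytool, with one extra check. "Examine SSL" shows whatever the server, or a TLS-inspecting proxy in between, presents, so the script compares the root certificate's SHA-256 fingerprint with a value obtained from the CA out of band before trusting it. The function names, the file name cpi-root.cer, the alias and the paths are assumptions for illustration.

```shell
# Added example: keytool equivalent of the KeyStore Explorer steps above.

# Print the cacerts path for a Java home: JDK 8 layout first, then JRE 8 / JDK 9+.
find_cacerts() {
  for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# Normalise a fingerprint: strip colons and whitespace, upper-case the hex.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# Succeed only if both fingerprints are non-empty and equal after normalising.
fp_matches() { [ -n "$1" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]; }

# SHA-256 fingerprint of a certificate file, as printed by keytool -printcert.
cert_fp() { keytool -printcert -file "$1" | awk '/SHA256:/ {print $2; exit}'; }

# import_root JAVA_HOME CERT_FILE ALIAS EXPECTED_SHA256 [STOREPASS]
# JAVA_HOME must be the JVM Eclipse really runs on (the -vm entry in
# eclipse.ini, if set); editing another JDK's cacerts changes nothing.
import_root() {
  ks=$(find_cacerts "$1") || { echo "no cacerts under $1" >&2; return 1; }
  pass="${5:-changeit}"
  if ! fp_matches "$(cert_fp "$2")" "$4"; then
    echo "fingerprint mismatch, not importing $2" >&2
    return 2
  fi
  cp -p "$ks" "$ks.bak" || return 3      # keep a copy to roll back to
  keytool -importcert -trustcacerts -noprompt -alias "$3" -file "$2" \
          -keystore "$ks" -storepass "$pass" &&
  keytool -list -alias "$3" -keystore "$ks" -storepass "$pass"
}

# Usage (all values are placeholders):
#   import_root "/path/to/jdk" cpi-root.cer cpi-root "<SHA-256 published by the CA>"
```

Restart Eclipse afterwards, as in the GUI procedure, so the JVM reloads the keystore.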
Summary
Hopefully this blog helps someone who is encountering the same problem as me, and perhaps teaches something they haven’t seen before. Cheers.
Hello Nick,
Thanks for sharing this valuable information from your experience.
A few questions here:
Despite not having a "JDK Keystore" on my local machine, I am able to connect to the HCI tenant without any issues?
Is it mandatory to have a CPI public certificate stored on the local machine to access HCI tenant?
Thanks,
Naresh
Hi Naresh,
If the keystore does not exist in the JDK used by Eclipse, then you will get the same error as I am showing in this blog. It is required to have the CPI certificate in the local JDK keystore. Cheers.
Regards,
Nick
Hello,
The SAP recommended tooling for managing your integration content including security artifacts like keystores and certificates for SAP Cloud Platform Integration is the web UI. Eclipse tooling is no longer supported (except for specific use cases), refer to blog https://blogs.sap.com/2018/02/15/sap-cloud-platform-integration-finalizes-web-application-for-integration-developers/
regards,
Gayathri
Hi Gayathri,
Thanks for the information and reminder. I was developing a custom adapter at the time, so Eclipse is still the only way to go. I have used the WebUI from the beginning to develop all the integration flows. Thanks.
Regards,
Nick
Hi,
I have been using Eclipse for more than a year to deploy the components in the CPI tenant. I was able to connect to the CPI operational server until now, but I am experiencing a connectivity issue from Eclipse to CPI.
I was using only the JRE for Eclipse, but I have installed the JDK for SFO workbench and started experiencing the issue.
I tried to validate the SSL certs using the keystore but couldn't find the SCP certificates.