Reconciliation is failing on Azure service in ISIM with certification issue

Question

Reconciliation is failing on Azure service in ISIM with certification issue

Jenny Augusthy 1

Reconciliation requests are getting failed in ISIM with below message:
Failed to create token for connection. Azure message: 'com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error'; AzureSearchUser

We need your assistance in figuring out what signer certificate(s) we need to import.
The DigiCert Global Root CA Certificate has been configured in our keystores.
161917-fireshot-capture-001-ssl-server-test-kyncomlthusgh.pdf

SadiqhAhmed-MSFT 49,331 Reputation points Microsoft Employee Moderator

2022-01-10T10:24:50.133+00:00

@Jenny Augusthy What specific Azure service are you using?
Could you please provide more details about your requirement or the task you are trying to perform?
Jenny Augusthy 1 Reputation point

2022-01-10T11:08:08.3+00:00

Hi Sadiq,

To connect to Azure target we have created service in ISIM(IBM security identity manager) and test connection to Azure target shows successful. We are trying to run reconciliation on the same service but it gives the below certification exception:
Failed to create token for connection. Azure message: 'com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error'; AzureSearchUser
SadiqhAhmed-MSFT 49,331 Reputation points Microsoft Employee Moderator

2022-01-10T11:26:19.857+00:00

What are you trying to accomplish with ISIM(IBM security identity manager) and test connection to Azure target?
Jenny Augusthy 1 Reputation point

2022-01-10T11:32:34.327+00:00

Hi Sadiq,

We are trying to connect to Azure target via reconciliation trying to bring the user's present in Azure to ISIM(IBM security identity manager)

1 answer

Your answer

SadiqhAhmed-MSFT 49,331 Reputation points Microsoft Employee Moderator

2022-01-10T10:24:50.133+00:00

@Jenny Augusthy What specific Azure service are you using?
Could you please provide more details about your requirement or the task you are trying to perform?
Jenny Augusthy 1 Reputation point

2022-01-10T11:08:08.3+00:00

Hi Sadiq,

To connect to Azure target we have created service in ISIM(IBM security identity manager) and test connection to Azure target shows successful. We are trying to run reconciliation on the same service but it gives the below certification exception:
Failed to create token for connection. Azure message: 'com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error'; AzureSearchUser
SadiqhAhmed-MSFT 49,331 Reputation points Microsoft Employee Moderator

2022-01-10T11:26:19.857+00:00

What are you trying to accomplish with ISIM(IBM security identity manager) and test connection to Azure target?
Jenny Augusthy 1 Reputation point

2022-01-10T11:32:34.327+00:00

Hi Sadiq,

We are trying to connect to Azure target via reconciliation trying to bring the user's present in Azure to ISIM(IBM security identity manager)

Answer 1

@Jenny Augusthy
Thank you for your post!

Based off your issue, I reached out to my team for inputs, and since you're using the ISIM service on Azure we'd recommend reaching out to the IBM Security Community regarding this, so their experts can look into your issue as well.

Error Message:

The certificate issued .... is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error'

From the error message, it looks like your certificate isn't trusted. A 'certificate chaining error' occurs when the provided chain of certificates cannot be validated.

Troubleshooting steps:

For more info - Certificate chaining errors in an HTTPRequest node

1) Verify that your truststore contains the proper 'signer certificate' for the certificate chain provided by the backend webservice.

Note - If the proper signer certificate(s) exist in the truststore, then the handshake should complete. If not, you should confirm that all required certificates are present in the keystore of the webservice that WMB/IIB is communicating with. You may need to recreate the keystore with 'keytool' using the "genkey" option and re-import your application certificates if you are missing any components of the certificate chain.

Additional Links:

JSSE tracing for SSL issues on the HTTPRequest node
Setting up a public key infrastructure
Configuring HTTP nodes to use SSL (HTTPS)
Configuring SOAP nodes to use SSL (HTTPS)

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Jenny Augusthy 1 Reputation point

2022-01-11T05:18:54.687+00:00

Hi James,

Thanks for your input. I will check with IBM support team again and keep you posted.

Share via

Reconciliation is failing on Azure service in ISIM with certification issue

1 answer

Your answer