Set SSL certificate on Tomcat server Follow

This note is for cases that your Forms/EBS are HTTPS and use certificate that does not exist on the tomcat server.

In that case you will get an error when the ServiceManager would try to open a connection against the Forms/EBS server.

You will see that error in ServiceManager->Log.

You will get the following error in the Log:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In order to resolve that issue, it would be required to add the certificate to tomcat server for that HTTPS.

How to import certificates

Go to URL in your browser, click on HTTPS certificate chain (little lock symbol next to URL address) to export the certificate

• Click "more info" > "security" > "show certificate" > "details" > "export..".
• Save as .der
• Repeat for any certificates you need to import

If the certificate is .pem you can convert it using:

openssl x509 -in cert.pem -out cert.der -outform DER

On Linux

2. Locate $JAVA_HOME/jre/lib/security/cacerts

3. Import all *.der files into the cacerts file using the following:

   sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der

4. Repeat #3 for all environments

5. The default keystore password is 'changeit'

6. You can view the change that you made with this command that shows the Certificate fingerprint.

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

7. If this doesn't solve the problem, try adding these java options as arguments to tomcat:

    -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"

    -Djavax.net.ssl.trustStorePassword=changeit

On Windows

1. Locate the cacerts file:

Find the cacerts file located at %JAVA_HOME%\lib\security\cacerts.

1. Import the .der files into the cacerts file:

   1. Open Command Prompt as Administrator.
   2. Run the following command to import each certificate:
   
   

    

   keytool -import -alias mysitestaging -keystore %JAVA_HOME%\lib\security\cacerts -file staging.der

2. Repeat Step 3 for all environments.

3. Default keystore password:

   • The default password for the keystore is changeit.

4. Verify the import:

   • You can view the changes you made with this command that shows the Certificate fingerprint:
   
   

    

   keytool -list -keystore %JAVA_HOME%\lib\security\cacerts

5. Additional Java options:

   • If this does not solve the problem, try adding these Java options as arguments to Tomcat:
   
   

    

   -Djavax.net.ssl.trustStore="%JAVA_HOME%\lib\security\cacerts" -Djavax.net.ssl.trustStorePassword=changeit