The Azure API ETL fails with certificate validation error
When you run the Azure API ETL in a TLS-enabled environment, the ETL fails and displays the following error:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Resolution
BMC uses the cotruststore.ts custom keystore for environments where TLS is enabled. To resolve this issue, you need to copy the certificates from the cacerts keystore to the cotruststore keystore.
To copy the certificates, complete the following steps on the computer where the Generic scheduler, the ETL engine, or the Remote ETL engine is running.
- Log on to the computer where the Generic scheduler or the ETL engine or the Remote ETL engine is running.
- Export the JRE_HOME environment variable:
  export JRE_HOME=$BCO_HOME/jre
- Export the PATH environment variable:
  export PATH=$JRE_HOME/bin:$PATH
- Change the directory to the BCO_HOME/secure directory:
  cd $BCO_HOME/secure
- Copy the cotruststore truststore:
  cp cotruststore.ts cotruststore.ts_original
- Open the keytool utility and run this command to copy the CA-trusted certificates. The keytool utility that is used to import the certificates is present in the <Server Installation Directory>/jre/bin directory.
  keytool -importkeystore -srckeystore $BCO_HOME/jre/lib/security/cacerts -srcstorepass changeit -destkeystore $BCO_HOME/secure/cotruststore.ts -deststorepass changeit
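To confirm that the import in the last step took effect, the following added example (not part of the BMC documentation) compares the certificate fingerprints that keytool -list prints for the two stores. The function names, the --live switch of this script, and the sample listings are assumptions made for illustration; the store paths and passwords are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not BMC code): verify the keytool import by comparing
# certificate fingerprints, which stay the same even if an alias differs.

# Read `keytool -list` output on stdin; print the sorted unique fingerprints.
# Matches both "(SHA1)" and "(SHA-256)" fingerprint lines.
fingerprints() {
    sed -n 's/^Certificate fingerprint ([^)]*): *//p' | sort -u
}

# Print fingerprints present in listing file $1 but absent from listing file $2.
missing_from_dest() {
    src_fp=$(mktemp) && dst_fp=$(mktemp) || return 1
    fingerprints < "$1" > "$src_fp"
    fingerprints < "$2" > "$dst_fp"
    comm -23 "$src_fp" "$dst_fp"
    rm -f "$src_fp" "$dst_fp"
}

# Constructed sample listings (not real certificates), for offline use.
sample_src() { cat <<'EOF'
Your keystore contains 2 entries

exampleroot1, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA:01
exampleroot2, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:02
EOF
}
sample_dest_before() { cat <<'EOF'
Your keystore contains 1 entry

internalca, Jan 1, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): CC:CC:CC:03
EOF
}
sample_dest_after() { sample_dest_before; sample_src; }

# Live check against the real stores; runs only when invoked with --live.
if [ "${1:-}" = "--live" ]; then
    tmp=$(mktemp -d)
    keytool -list -keystore "$BCO_HOME/jre/lib/security/cacerts" \
        -storepass changeit > "$tmp/src"
    keytool -list -keystore "$BCO_HOME/secure/cotruststore.ts" \
        -storepass changeit > "$tmp/dst"
    missing_from_dest "$tmp/src" "$tmp/dst"
    rm -rf "$tmp"
fi
```

Empty output from the live check means every certificate in cacerts is now present in cotruststore.ts; any fingerprint printed identifies a certificate that was not copied.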