Workflow Error

Hello All,

I am working on 2 level resource request approval Workflow, when i request for resource from user application, Start of workflow fails and i was able to see resource request status as : Pending Approval: Pending Approval Retry in user application.

I couldn't find any start status of workflow in the logs, When i looked at logs of Roles and resource driver i am able to see the below error.

DirXML Log Event -------------------
Driver: \IDV\system\driverset1\Role and Resource Service Driver
Channel: Subscriber
Status: Error
Message: Unable to start Approval Workflow
Workflow DN: cn=AccountWF,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system
Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Note: This error is coming only for this workflow, for the rest it was not showing any error and all the trusted root certificates are placed correctly.

Can someone suggest me how to fix this issue.


Regards,
Eswar.
  • ed00491298;2463783 wrote:


    DirXML Log Event -------------------
    Driver: \IDV\system\driverset1\Role and Resource Service Driver
    Channel: Subscriber
    Status: Error
    Message: Unable to start Approval Workflow
    Workflow DN: cn=AccountWF,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system
    Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

    Note: This error is coming only for this workflow, for the rest it was not showing any error and all the trusted root certificates are placed correctly.


    Dear Eswar,

    Did we recently imported https/ssl certificate for Identity Applications, or upgraded to https from http? Kindly ensure those application/server certificates are in place (keystore to check #/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts).

    Also kindly refer another forum thread which had similar issue and got it working #https://forums.novell.com/showthread.php/504485-Unable-to-start-Approval-Workflow-SSLHandshakeException?p=2461767#post2461767
  • Hi Siva,

    Thank you for the quick response.

    All the application/server certificates are in place and other workflows are working as expected and there are no errors.

    Why it shows the error only for the workflow which i am working on.

    If any of the certificates are missing it should show the same error for remaining workflows as well but didn't.

    Br,
    Eswar.
  • ed00491298;2463803 wrote:


    All the application/server certificates are in place and other workflows are working as expected and there are no errors.

    Why it shows the error only for the workflow which i am working on.

    If any of the certificates are missing it should show the same error for remaining workflows as well but didn't.


    Dear Eswar,

    Strange, from your error trace could infer there is 'SSLHandshakeException', so have suggested to double-check your server/apps SSL certificates from keystore path.

    Curious to know, does suspected workflow contains any approvers (which is diff from other workflows)?
  • Hi,

    It doesn't have any special approvers, it has user's manager as first approver and hard coded user email id as 2nd approver.

    can that approvers be the reason?
  • On 8/9/2017 5:44 AM, ed00491298 wrote:
    >
    > Hello All,
    >
    > I am working on 2 level resource request approval Workflow, when i
    > request for resource from user application, Start of workflow fails and
    > i was able to see resource request status as : Pending Approval: Pending
    > Approval Retry in user application.
    >
    > I couldn't find any start status of workflow in the logs, When i looked
    > at logs of Roles and resource driver i am able to see the below error.
    >
    > DirXML Log Event -------------------
    > Driver: \IDV\system\driverset1\Role and Resource Service Driver
    > Channel: Subscriber
    > Status: Error
    > Message: Unable to start Approval Workflow
    > Workflow DN:
    > cn=AccountWF,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=driverset1,o=system
    > Reason: java.lang.RuntimeException:
    > javax.net.ssl.SSLHandshakeException:
    > sun.security.validator.ValidatorException: PKIX path building failed:
    > sun.security.provider.certpath.SunCertPathBuilderException: unable to
    > find valid certification path to requested target.
    >
    > Note: This error is coming only for this workflow, for the rest it was
    > not showing any error and all the trusted root certificates are placed
    > correctly.


    The IDM Server running this driver (Please do this fix on all your idm
    servers just in case as well) has a JVM in:
    /opt/novell/eDirectory/lib64/nds-modules/jvm

    and its cacerts file, in the lib/security directory, is missing the
    public key of the CA that signed the SSL cert of the UA server.

    I.e. Go to your UA in say Firefox,, click on the lock, ask to see the
    security details and the cert, see the certification chain and export
    the parent certificates to your SSL cert.

    Then import those into the engine servers cacerts file.

    A command like this would work, once you have the cert files exported
    via your browser (and copied to the IDM server).

    /opt/novell/eDirectory/lib64/nds-modules/jvm/bin/keytool -keystore
    /opt/novell/eDirectory/lib64/nds-modules/jvm/lib/security/cacerts
    -storepass changeit -trustcacerts -import -alias UA-Parent-CA -file
    /path/to/cert/file

    Then restart the eDir on the IDM server. (IT MIGHT work without a
    restart, so try it but then if not, restart IDM).

    If there is an intermediate cert (I.e. Couple of certs above your UA
    cert) make sure to import that as well. (Change the -alias name for the
    second one).

    If you are using OSP you need the OSP signing CA's public key as well.
    (You could look at this cert you need as the Tomcat certs signing CA, it
    is the same thing as the UA cert, if running in Tomcat).


  • Dear Eswar,

    In my view, yes. as part of Workflow would trigger request to Approver(user's manager here).

    1) Does it work, if you've imported right certificates in keystore path.

    2) Hope this would work if you manually remove first and second approvers here(just for double-check).

    3) How about other working workflows in our environment(doesn't contain any approvers.
  • On 8/9/2017 9:04 AM, ed00491298 wrote:
    >
    > Hi Siva,
    >
    > Thank you for the quick response.
    >
    > All the application/server certificates are in place and other workflows
    > are working as expected and there are no errors.
    >
    > Why it shows the error only for the workflow which i am working on.
    >
    > If any of the certificates are missing it should show the same error for
    > remaining workflows as well but didn't.


    If that is the case, could you please show trace of the
    Do-Start-Workflow call for a working example and a not working example.
    (I would ask that you obfuscate the URL but in fact, that is what I want
    to see, is the URL, so if you do change it, please do it as a search and
    replace to acme.com so that it shows any difference in URL).

  • Hi Siva,

    Thank you for the Response.

    I went and double checked the Certificates in the Keystore and found the required certificates were missing.

    Import the required certificates and restarted the edirectory, it started working without any errors.

    Thank you so much :)

    Br,
    Eswar.
  • Hi geoff,

    Thank you for the reply.

    Checked and found the required certificates were missing in the Keystore

    Import the required certificates and restarted the edirectory, it started working without any errors.


    Br,
    Eswar.
  • ed00491298;2463885 wrote:

    Thank you for the Response.

    I went and double checked the Certificates in the Keystore and found the required certificates were missing.

    Import the required certificates and restarted the edirectory, it started working without any errors.



    Glad and Thank you Eswar for your double-confirmation on this. I hope, this information could be added/updated in our Documentation section - we'd take care of the same for other customers.[Had sent note to my appropriate team on this request]