Commander

REST Driver Initialization error

We are using a REST driver to provision user data to our procurement management system. During the initialization of the driver, the connection via OAuth2 failed with the following status message:

[01/05/21 14:33:29.860]:REST-<Provider> ST:REST-<Provider>: RESTSubscriptionShim.init()
[01/05/21 14:33:29.863]:REST-<Provider> ST:REST-<Provier>: Connecting to REST service via OAuth2
[01/05/21 14:33:29.920]:REST-<Provider> ST:SubscriptionShim.init() returned:
[01/05/21 14:33:29.921]:REST-<Provider> ST:
<nds dtdversion="3.5" ndsversion="8.x">
<source>
<product build="20180222_0635" instance="REST-<Provider>" version="1.0.0.2">Identity Manager REST Driver</product>
<contact>NetIQ Corporation.</contact>
</source>
<output>
<status level="fatal" type="app-authentication">javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found</status>
</output>
</nds>

The certificate is situated in a Java keystore we mention in the subKeystoreFile parameter and its password in the subKeystorePassword parameter. We checked the validity of the certificate itself (it is valid until 2029).

What might cause the issue?

Thanks in advance!

Accepted Solutions
Commander

Thank you all for your help! The external firm has delivered a second certificate we had to add into the Java keystore. The email was sent to the wrong department, so we did not get the information in time.

The incident is solved by adding the second certificate into the keystore.

5 Replies
Vice Admiral

As far as I know, javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found means that you are missing the truststore parameter (subTrustStoreFile), or that the truststore does not hold the trusted CA cert chain of the calling party.

So this is not a problem with the keystore (used for mutual cert authentication), but with the truststore (used to verify the certificate of the endpoint that you are connecting to).

Knowledge Partner

Generally I whack away and import the entire chain of certs up to the root (intermediates as well) into the cacerts and the specified keystores (all of them). I get chastised by Steve at times for it, but it is much easier than fiddling with this here, that there.

Admiral

Is there any other way to do it? 🤔

Knowledge Partner

To summarize: The key is to get the entire certificate chain into the keystore. When you are missing an intermediate cert you get this error.

All your keys are belong to base, or somesuch.

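The failure mode the replies describe (the store lacks a certificate from the endpoint's chain), reproduced as an added example that is not from the thread. It uses openssl rather than the Java validator, and every subject, host name and file in it is constructed.

```sh
#!/bin/sh
# Added example. Constructed PKI: root -> intermediate -> leaf; every subject
# and file name below is made up.
set -eu

# issue NAME SUBJECT SIGNER EXTFILE: write NAME.key and NAME.pem in the current
# directory. SIGNER is the signing CA's base name, or "self" for the root.
issue() {
  name=$1 subj=$2 signer=$3 ext=$4
  if [ "$signer" = self ]; then set -- -signkey "$name.key"
  else set -- -CA "$signer.pem" -CAkey "$signer.key" -CAcreateserial; fi
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl x509 -req -in "$name.csr" -days 30 "$@" \
    -extfile "$ext" -out "$name.pem" 2>/dev/null
}

# make_chain DIR: build the three-tier chain inside DIR (runs in a subshell).
make_chain() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  issue root  "/CN=Constructed Root CA"         self  ca.ext
  issue inter "/CN=Constructed Intermediate CA" root  ca.ext
  issue leaf  "/CN=rest.example.test"           inter leaf.ext
)

# chain_trusted TRUSTFILE LEAF: succeed only if LEAF chains to TRUSTFILE.
# No -untrusted option is passed, i.e. the endpoint is assumed to send only its
# leaf, so every issuing certificate has to come from the trust file.
chain_trusted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

work=$(mktemp -d)
make_chain "$work"
cp "$work/root.pem" "$work/trust.pem"        # store holds the root only
if chain_trusted "$work/trust.pem" "$work/leaf.pem"; then
  echo "root only: trusted"
else
  echo "root only: NOT trusted, the leaf's issuer is missing from the store"
fi
cat "$work/inter.pem" >> "$work/trust.pem"   # add the missing certificate
if chain_trusted "$work/trust.pem" "$work/leaf.pem"; then
  echo "root + intermediate: trusted"
else
  echo "root + intermediate: NOT trusted"
fi
rm -rf "$work"
```

For a Java store, the corresponding step is importing the missing certificate, for example with `keytool -importcert -alias <alias> -file <cert.pem> -keystore <store>`.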