1. SSLException : PKIX Path Exception
Trace :
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
..
..
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Workaround : Follow the steps for Generating the self-signed certificate to connect to a secured server; this imports the target server's certificate into the jssecacert truststore so that the JVM can build a certification path to it.
Validation : If the issue persists even after performing the steps, open the jssecacert file (default password : changeit) in the KeyStore Explorer tool and check that it contains an entry for the hostname for which the gencert procedure was run. If the entry is present, compare its certificate fingerprint with the fingerprint shown when inspecting that host's certificate in a browser. A mismatch means the imported certificate is not the one the server currently presents (for example, the server certificate was renewed after the import, or a TLS-intercepting proxy sits between the application server and the target), and the gencert procedure must be repeated from the application server.
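The validation step above, automated as an added example (this is not part of the KB or of ServiceDesk Plus): it lists the truststore with keytool, fetches the certificate the host actually presents, and reports whether the entry for the hostname is missing, present with a matching fingerprint, or present with a different certificate. It assumes keytool is on PATH (it ships in <SDP_HOME>/jre/bin), that the truststore password is the default changeit, and that keytool -list prints each alias line followed by a "Certificate fingerprint" line (JDK 8 prints SHA1, JDK 9+ prints SHA-256; both are handled). SAMPLE_KEYTOOL_OUTPUT is constructed for illustration.

```python
"""Added example (not part of this KB or of ServiceDesk Plus): compare the
certificate a target host presents with the entries in a keytool truststore
such as jssecacert.  Assumes keytool is on PATH (it ships in <SDP_HOME>/jre/bin)
and that the truststore password is the default "changeit"."""
import hashlib
import re
import ssl
import subprocess
import sys

# `keytool -list` prints, per entry, an alias line followed by a fingerprint line.
# JDK 8 prints SHA1 fingerprints, JDK 9+ prints SHA-256; both are accepted here.
_ALIAS_RE = re.compile(r"^(?P<alias>.+?), .*?, (?:trustedCertEntry|PrivateKeyEntry),\s*$")
_FP_RE = re.compile(r"^Certificate fingerprint \((?P<algo>SHA-?256|SHA1)\): "
                    r"(?P<fp>[0-9A-Fa-f:]+)\s*$")


def normalize_fingerprint(fp: str) -> str:
    """'ab:cd:..', 'ABCD..' or 'SHA256 Fingerprint=AB:CD' -> 'ABCD..' (upper, no separators)."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp.split("=")[-1]).upper()


def parse_keytool_list(text: str) -> dict:
    """Map alias -> (algorithm, normalized fingerprint) from `keytool -list` output."""
    entries, alias = {}, None
    for line in text.splitlines():
        m = _ALIAS_RE.match(line)
        if m:
            alias = m.group("alias").strip()
            continue
        m = _FP_RE.match(line)
        if m and alias is not None:
            algo = m.group("algo").replace("-", "").upper()
            entries[alias] = (algo, normalize_fingerprint(m.group("fp")))
            alias = None
    return entries


def truststore_entries(keystore: str, storepass: str = "changeit") -> dict:
    out = subprocess.run(["keytool", "-list", "-keystore", keystore, "-storepass", storepass],
                         capture_output=True, text=True, check=True).stdout
    return parse_keytool_list(out)


def server_fingerprints(host: str, port: int = 443) -> dict:
    """Fingerprints of the leaf certificate the server actually presents.  The
    certificate is fetched without validation, like a browser's certificate viewer."""
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    return {"SHA256": hashlib.sha256(der).hexdigest().upper(),
            "SHA1": hashlib.sha1(der).hexdigest().upper()}


def check_truststore(entries: dict, server_fps: dict, hostname: str):
    """Return (alias, status): 'match', 'fingerprint-mismatch' (an entry exists for
    the host but holds a different certificate) or 'missing'."""
    for alias, (algo, fp) in entries.items():
        if alias.lower() == hostname.lower():
            return alias, ("match" if server_fps.get(algo) == fp else "fingerprint-mismatch")
    # No entry named after the host: it may have been imported under another alias.
    for alias, (algo, fp) in entries.items():
        if server_fps.get(algo) == fp:
            return alias, "match"
    return None, "missing"


# Constructed sample of `keytool -list` output (hypothetical hosts and fingerprints).
SAMPLE_KEYTOOL_OUTPUT = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

target.example.com, Feb 28, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
other-host, Jan 5, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""

if __name__ == "__main__":
    # Usage: python check_truststore.py <host> [port] [path to jssecacert]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    keystore = sys.argv[3] if len(sys.argv) > 3 else "jssecacert"
    alias, status = check_truststore(truststore_entries(keystore),
                                     server_fingerprints(host, port), host)
    print(f"{host}: {status}" + (f" (alias {alias})" if alias else ""))
```

Run it on the application server itself, since that is where the outbound path (and any intercepting proxy) is the one the JVM sees; a "fingerprint-mismatch" result means the entry must be regenerated, and "missing" means the gencert procedure never reached this truststore.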
2. SSLException : No Subject Alternative DNS matching Exception
Trace :
javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching xxxx-xxx.com found.
Workaround : The customer should either access the target application server by a hostname that is present in its certificate (so that the URL and the certificate agree), or add "xxxx-xxx.com" to the Subject Alternative Name of the SSL certificate and re-import the certificate into SDP from Admin > Import SSL Certificate. Put the name in the Subject Alternative Name rather than only in the Subject CN: Java falls back to the CN only when the certificate carries no DNS SAN at all, and browsers ignore the CN entirely. Refer to this KB article for generating a keystore with the SAN switch.
Note : If the SDP/AE application URL itself is the target URL and the customer is using the default self-signed certificate for our application, follow Generating Self-Signed certificate with desired alias name. For example, custom function scripts may hit the above issue while invoking our application's API; here either change the URL used for invoking or update the SDP/AE application's certificate.
Validation : Open the certificate in a browser (or inspect it while accessing the URL) and look at the Subject Alternative Name extension under Certificate Details. Compare the hostname in the URL being used with the values listed there; the hostname must match one of them exactly (case-insensitively). A wildcard entry such as *.example.com matches exactly one label, so host.example.com matches but example.com and a.b.example.com do not, and an IP address in the URL only matches an IP Address entry in the SAN, never a DNS entry.
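The matching rule described in the validation step, as an added example (not part of the KB or of ServiceDesk Plus): it applies the RFC 6125 hostname check that Java's HostnameChecker and browsers enforce to the hostname taken from a URL. Names are compared case-insensitively, a wildcard is honoured only as the entire left-most label and consumes exactly one non-empty label, an IP literal needs an IP Address entry, and the subject CN is consulted only when the certificate has no DNS SAN at all. SAMPLE_CERT is constructed in the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the rule that at least two labels must follow the wildcard (so *.com is rejected) is the usual conservative check, which recent JDKs implement via a public-suffix test that this example simplifies.

```python
"""Added example (not part of this KB or of ServiceDesk Plus): check whether the
hostname in a URL is covered by a certificate's Subject Alternative Name, using the
RFC 6125 matching rule that Java's HostnameChecker and browsers enforce."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificate in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "sdp-server01"),),),
    "subjectAltName": (("DNS", "sdp-server01"),
                       ("DNS", "*.example.com"),
                       ("IP Address", "10.0.0.5")),
}


def san_dns_names(cert: dict) -> list:
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(hostname: str, pattern: str) -> bool:
    host = hostname.rstrip(".").lower()
    pat = pattern.rstrip(".").lower()
    if "*" not in pat:
        return host == pat
    # The wildcard must be the whole left-most label: "f*.example.com" and
    # "*.*.example.com" are rejected, as is "*.com" (nothing but a public suffix).
    if not pat.startswith("*.") or "*" in pat[2:] or "." not in pat[2:]:
        return False
    head, sep, rest = host.partition(".")
    # "*" consumes exactly one non-empty label: a.example.com matches,
    # example.com and a.b.example.com do not.
    return sep == "." and head != "" and rest == pat[2:]


def hostname_covered(hostname: str, cert: dict) -> bool:
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL needs an iPAddress SAN; DNS names never match it.
        return any(kind == "IP Address" and ipaddress.ip_address(v) == ip
                   for kind, v in cert.get("subjectAltName", ()))
    names = san_dns_names(cert)
    if not names:
        # Legacy fallback: the CN is only used when there is no DNS SAN at all.
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(hostname, n) for n in names)


def url_covered(url: str, cert: dict) -> bool:
    host = urlsplit(url).hostname
    return host is not None and hostname_covered(host, cert)


def explain(url: str, cert: dict) -> str:
    """One-line diagnosis in the wording of the Java exception."""
    host = urlsplit(url).hostname
    if url_covered(url, cert):
        return f"{host} is covered by the certificate"
    return (f"No subject alternative DNS name matching {host} found; "
            f"certificate names: {', '.join(san_dns_names(cert)) or '(none)'}")


if __name__ == "__main__":
    for u in ("https://sdp-server01:8443/api/v3/requests", "https://helpdesk.example.com/",
              "https://example.com/", "https://sdp-server01.corp.local/", "https://10.0.0.5/"):
        print(explain(u, SAMPLE_CERT))
```

To run this against a live certificate, feed hostname_covered() the dict returned by getpeercert() on a verified connection; it is the URL hostname, not the machine name, that has to appear in the SAN, which is exactly why the default machine-name certificate fails when the application is reached through a DNS alias.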
3. Generating SSL .keystore file example
This is commonly needed for customers using the default HTTPS option, which generates a certificate with the machine name as subject; if the application is reached by a different hostname (an alias), that name must be in the certificate. A certificate can be generated by following the steps below:
1. Ensure the server is running in HTTPS mode (else change it to HTTPS mode).
2. Open a console in <SDP_HOME>/jre/bin.
3. Run the below command, replacing <alias_name> with the hostname users will type in the URL (it goes into both the CN and the SAN):
keytool.exe -genkey -alias asc -keyalg RSA -keypass sdpsecured -keystore sdp.keystore -storepass sdpsecured -dname "CN=<alias_name>,OU=ServiceDesk Plus, O=Zoho Corporation, L=Pleasanton, S=CA, C=US" -validity 36500 -ext san=dns:"<alias_name>"
4. Move the generated <SDP_HOME>/jre/bin/sdp.keystore file into the conf directory, replacing the existing one.
Before replacing the keystore, confirm that the SubjectAlternativeName extension is present by listing the new keystore verbosely with keytool (-list -v); a certificate generated without it will fail the check described in section 2.
4. Examining keystore and truststore files
The need to examine a keystore can arise for many reasons, such as checking an imported SSL certificate after a failure, converting or extracting certificate formats, or examining a truststore file such as jssecacert. Please check this KB for a brief on KeyStore Explorer.
5. ConnectException : Connection timed out
Trace :
[09:57:40:317]|[02-28-2024]|[SYSERR]|[INFO]|[454]: java.net.ConnectException: Connection timed out: connect|
....
[09:57:40:317]|[02-28-2024]|[SYSERR]|[INFO]|[454]: at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)|
[09:57:40:317]|[02-28-2024]|[SYSERR]|[INFO]|[454]: at java.net.Socket.connect(Socket.java:613)|
[09:57:40:317]|[02-28-2024]|[SYSERR]|[INFO]|[454]: at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:293)|
The TCP connect fails before any TLS handshake starts (Socket.connect is called from SSLSocketImpl.connect), so this is a network reachability problem, not a certificate problem. The following needs to be checked:
- Find the URL for which the connection timeout is happening.
- Is the URL accessible in a browser on the application server itself (not on the customer's workstation, which may have different network or proxy settings)?
- Is a proxy configured in the customer's environment (browser or system proxy settings on the application server)?
From the responses, the following course of action can be taken to resolve the issue:
- If a proxy is present and the URL is accessible in a browser on the application server, ask the customer to configure the same proxy under Admin > Proxy settings, so that the application's outbound connections take the same path as the browser.
- If no proxy is present and the URL is not reachable, ask the customer to check with their network team about whitelisting the URL (outbound access from the application server to that host and port) so that it becomes accessible.
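The checklist above, run from the application server as an added example (not part of the KB or of ServiceDesk Plus): it attempts the URL directly and, if a proxy URL is supplied (the same one that would go under Admin > Proxy settings), through that proxy, classifies the failure (DNS, timeout, refused, TLS certificate) and prints the matching course of action. The proxy URL and the probe_url.py file name are assumptions for the usage line; nothing else is taken from the page.

```python
"""Added example (not part of this KB or of ServiceDesk Plus): reproduce the
outbound connection from the application server, directly and through a proxy,
and map the outcome to the troubleshooting checklist."""
import socket
import ssl
import sys
import urllib.error
import urllib.request
from typing import Optional

NETWORK_FAILURES = {"timeout", "dns", "refused", "unreachable"}


def classify(exc: BaseException) -> str:
    """Map an exception from the connection attempt to a checklist outcome.
    Order matters: the SSL and HTTP errors are subclasses of the generic ones."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-certificate"          # TCP worked; see sections 1 and 2
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake"            # TCP worked; protocol or cipher problem
    if isinstance(exc, urllib.error.HTTPError):
        return "reachable"                # any HTTP status means the network path is open
    if isinstance(exc, urllib.error.URLError):
        reason = exc.reason
        return classify(reason) if isinstance(reason, BaseException) else "unreachable"
    if isinstance(exc, socket.gaierror):
        return "dns"                      # name does not resolve from this server
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"                  # the java.net.ConnectException case above
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    return "unreachable"


def probe(url: str, proxy: Optional[str] = None, timeout: float = 10.0) -> str:
    """Attempt a HEAD request.  An empty ProxyHandler dict forces a direct
    connection regardless of HTTP(S)_PROXY environment variables."""
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout):
            return "reachable"
    except Exception as exc:  # classified rather than propagated
        return classify(exc)


def recommend(direct: str, via_proxy: Optional[str] = None) -> str:
    """Turn the probe results into the action from the checklist."""
    if direct not in NETWORK_FAILURES:
        return f"direct connection works at the network level ({direct}); not a connectivity issue"
    if via_proxy is not None and via_proxy not in NETWORK_FAILURES:
        return "reachable only through the proxy: configure it under Admin > Proxy settings"
    if via_proxy is None:
        return (f"no proxy and URL unreachable ({direct}): ask the network team to allow "
                "outbound access from the application server")
    return (f"unreachable directly ({direct}) and via proxy ({via_proxy}): verify the proxy "
            "details with the network team")


if __name__ == "__main__":
    # Usage: python probe_url.py <url> [proxy-url, e.g. http://proxy.corp.local:8080]
    url = sys.argv[1]
    proxy = sys.argv[2] if len(sys.argv) > 2 else None
    direct = probe(url)
    via = probe(url, proxy) if proxy else None
    print(f"direct={direct} proxy={via} -> {recommend(direct, via)}")
```

A "tls-certificate" result is deliberately treated as reachable: the TCP connection succeeded, so the fix belongs to sections 1 and 2, not to the network team.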