Troubleshooting
To troubleshoot the HTTP Attribute Connector, turn on specific log levels. Refer to the documentation of the component hosting the attribute connector, such as ADS, for details.
Common Errors
SSL Trust Establishment
When the PDP uses the HTTP Attribute Connector to communicate with a remote web service via HTTPS (TLS), the Java environment running the PDP needs to trust the target service. To establish trust, the public key for the target service must be installed in the trust store of the container.
Symptoms
If trust is not established, the PDP will return HTTP 500 back to the PEP. The PDP logs will contain a stack trace similar to the one below.
Caused by: java.lang.Throwable: javax.net.ssl.SSLHandshakeException - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
... 41 more
Caused by: java.lang.Throwable: sun.security.validator.ValidatorException - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 69 more
Solution
Request the public certificate for the remote service from its administrator or fetch it yourself via the browser. Import it into your truststore using keytool:
keytool -importcert -keystore truststore.jks -file service.cer -alias pick_an_alias
In the command above:
truststore.jks is the truststore for the container operating the PDP
service.cer is the public key of the targeted service
pick_an_alias is a truststore-wide unique alias that must be given to the imported key. Any value will do, such as remoteservicepubkey.
Add the following element under the <connection> element:
<truststore file="truststore.jks" type="JKS" password="changeit"></truststore>
Restart your container once the public key has been imported.
Note: Not all containers require a restart.
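A certificate fetched through the browser is only as trustworthy as that connection, so one way to run the import is to compare its SHA-256 fingerprint with a value the service administrator supplies out of band, and to confirm the alias is in the store before restarting. This is an added example, not part of the product documentation; the function names and the TRUSTSTORE_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: keytool is on PATH, the
# truststore password is exported as TRUSTSTORE_PASS, and the expected
# fingerprint came from the service administrator out of band.

# Print the SHA-256 fingerprint of a certificate file (colon-separated hex).
cert_sha256() {
    keytool -printcert -file "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p' |
        head -n 1
}

# Normalise a fingerprint for comparison: drop colons and spaces, upper-case.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# import_trusted TRUSTSTORE CERT ALIAS EXPECTED_SHA256
# Returns 0 only if the fingerprint matched and the alias is present afterwards.
import_trusted() {
    store=$1 cert=$2 entry=$3 expected=$4
    actual=$(cert_sha256 "$cert")
    if [ -z "$actual" ]; then
        echo "cannot read certificate: $cert" >&2; return 2
    fi
    if [ "$(norm_fp "$actual")" != "$(norm_fp "$expected")" ]; then
        echo "fingerprint mismatch, not importing: $actual" >&2; return 1
    fi
    # -noprompt skips keytool's interactive "Trust this certificate?" question;
    # the comparison above replaces it. :env keeps the password off the
    # command line.
    keytool -importcert -noprompt -keystore "$store" \
        -storepass:env TRUSTSTORE_PASS -file "$cert" -alias "$entry" \
        </dev/null >&2 || return 3
    # Confirm the entry is really in the store before restarting the container.
    keytool -list -keystore "$store" -storepass:env TRUSTSTORE_PASS \
        -alias "$entry" </dev/null >/dev/null 2>&1
}

# Usage (file names and alias as in the keytool command above):
#   export TRUSTSTORE_PASS=...
#   import_trusted truststore.jks service.cer remoteservicepubkey "AB:CD:..."
```

A non-zero return means nothing should be restarted yet: 1 is a fingerprint mismatch, 2 an unreadable certificate file, 3 a failed import.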