Version: 5.3

Troubleshooting

To troubleshoot the HTTP Attribute Connector, enable specific log levels. Detailed instructions for doing so can be found in the documentation of the component hosting the attribute connector, such as ADS.

Common errors

SSL Trust Establishment

For the PDP to use the HTTP Attribute Connector to communicate securely with a remote web service via HTTPS (TLS), the Java environment where the PDP runs needs to trust the target service. This trust is established by installing the target service's public certificate into the container's truststore.

Symptoms

If trust is not established, the PDP returns HTTP 500 to the PEP. The PDP logs will contain a stack trace similar to the one below.

Caused by: java.lang.Throwable: javax.net.ssl.SSLHandshakeException - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
... 41 more
Caused by: java.lang.Throwable: sun.security.validator.ValidatorException - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 69 more

Solution

  1. Request the public certificate for the remote service from its administrator or fetch it yourself using the browser.

  2. Import the public certificate into your truststore using the keytool command:

    keytool -importcert -keystore truststore.jks -file service.cer -alias pick_an_alias

    In the command above:

    • truststore.jks is the truststore for the container operating the PDP.
    • service.cer is the public certificate of the targeted service.
    • pick_an_alias is a unique alias within the truststore that must be assigned to the imported certificate. Any value will suffice, such as remoteservicepubkey.

  3. Add the following element under the <connection> element:

    <truststore file="truststore.jks" type="JKS" password="changeit"></truststore>

  4. Restart your container once the public certificate has been imported.

    Note: Not all containers require a restart.
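
The import from steps 1 and 2, as an added example that is not part of the product documentation: it imports the certificate only when its SHA-256 fingerprint matches the value the service administrator supplied out of band, which matters when the file was fetched over the network instead of handed over. The function names and the four-argument calling convention are assumptions of this example; `openssl` and `keytool` are expected on the PATH.

```shell
#!/bin/sh
# Added example; function names and argument order are assumptions.
# Usage: sh import_verified.sh service.cer 'AB:CD:...' truststore.jks pick_an_alias

# Reduce "sha256 Fingerprint=AB:CD:..." or "ab cd ..." to bare upper-case hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Normalized SHA-256 fingerprint of a certificate file (PEM first, then DER).
cert_fp() {
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) ||
    out=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256) || return 1
    normalize_fp "$out"
}

# Succeeds only when the file's fingerprint equals the expected one.
fp_matches() {
    actual=$(cert_fp "$1") || return 1
    [ -n "$actual" ] && [ "$actual" = "$(normalize_fp "$2")" ]
}

# import_verified CERT EXPECTED_FP TRUSTSTORE ALIAS
import_verified() {
    cert=$1 expected=$2 store=$3 entry=$4
    if ! fp_matches "$cert" "$expected"; then
        echo "fingerprint mismatch for $cert; not importing" >&2
        return 1
    fi
    # -noprompt skips keytool's "Trust this certificate?" question, which the
    # fingerprint check above has already answered. keytool still prompts for
    # the truststore password.
    keytool -importcert -noprompt -keystore "$store" -file "$cert" -alias "$entry" || return 1
    # Confirm the entry now exists; keytool exits non-zero if the alias is missing.
    keytool -list -keystore "$store" -alias "$entry"
}

# Run only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    import_verified "$@"
fi
```

A mismatch leaves the truststore untouched, so the PKIX error persists until the correct certificate is supplied.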