Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.

Mutual SSL - AEM 6.2

Avatar

Level 2

Hi,

We are trying to set up mutual SSL between our AEM render instances and dispatchers. We have made the configuration changes as per Adobe documentation ( https://docs.adobe.com/docs/en/dispatcher/disp-ssl.html#par_title_2 for mutual SSL and https://docs.adobe.com/docs/en/aem/6-2/deploy/configuring/config-ssl.html for enabling https for AEM consoles ).

The problem we are facing is when trying to run replication agents on secure port , getting the following error which suggests the certificate chain is incomplete ( from what I can see in other forums ). But we do have the root and intermediate certs installed in our keystore. 

30.11.2016 11:50:17 - Error while sending request: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

30.11.2016 11:50:17 - Replication (TEST) of /content not successful: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Conversation follows

Could someone please advise what might be wrong and how to get replication agent working on https port. 

6 Replies

Avatar

Level 10

I sent this question to our AEM experts - they feel that you should open a ticket for this as support will need to investigate this. Please open a ticket. 

Avatar

Level 2

Thanks smacdonald2008 .We do have a ticket open with adobe. There is a delay in getting response from them though , so thought someone here might have seen this or worked on similar issue. Will update the details from the ticket here once we get a resolution.

Avatar

Level 1

Hi guys, 

Any news regarding this?

From what I've read it seems that somehow the given truststore doesn't recognize the end server as a valid endpoint. I've confirmed that my truststore contains the end server .crt and I'm able to connect to it via openssl.

Any ideas?

Thanks!

Diogo

Avatar

Level 1

Hi Diogo,

It sounds like you are acting as your own CA. There are a few extra steps to configure SSL for AEM in this case.

Please make sure you have set the trustStore as part of CQ_JVM_OPTS in crx-quickstart/bin/start:

-Djavax.net.ssl.trustStore=/path/to/truststore

You will need to restart AEM to apply this change. If your Dispatcher Flush agents are on Publishers and using SSL you will need to do this on Publishers also. This is the most likely resolution for the "unable to find valid certification path" issue.

Next (or if not using your own CA), validate that you are using the correct user for replication in the agent settings, and that on the Publisher(s), this specific user has Author's certificate associated: Installing the Author Certificate (on Publisher) Note if the user being used for replication changes, this certificate must be updated also.

If the JVM was already started up with the trustStore set, please make sure the keytool -import was done correctly for the CA certificate chain, and aliases are correct

1) The alias of each certification should match the key - check with: keytool -printcert -v -file certificate.file

2) The order for the import must be root certificate, CA intermediate, then the signed certificate

More info: Adding the CA Certificate to the Trust Store (and telling the JVM to trust your CA cert)

The JVM option is only listed for Publishers in the Dispatcher SSL documentation but it is needed on Author also in order to configure SSL Replication.

If all of that is already correct, double-check in CRX/DE Lite that the org.apache.felix.http node under both /apps/system/config.author/ and /apps/system/config.publish/ has jcr:primaryType sling:OsgiConfig (not nt:file) and verify all of those values are correct. Re-enter the keystore and truststore passwords and Save All. Verify in the replication agent settings that SSL is set to "Default" or "Relaxed" on the Transport tab.

Unfortunately if these steps do not help it is best to start over from the beginning of the SSL configuration steps and use keytool each step to verify things.

Please update if these steps help to resolve the issue.

Thank you,

Peter

Avatar

Level 2

Hi Diogo,

Our issue was resolved when we configured the replication agent user correctly as in installed the key and the publisher certificate on author and vice versa.

I had missed out to do this initially.

Here is the adobe documentation for your reference.

https://docs.adobe.com/docs/en/aem/6-2/deploy/configuring/replication/mssl-replication.html

Avatar

Level 1

Hi all,

Thanks for your answers @Shab ravi and @peter.stolmar!

There was a missing certificate in my truststore that wasn't allowing full certificate chain validation. I've added it and it works perfectly now!

Thanks!

Cheers,

Diogo