NOTE: For Control-M for Advanced File Transfer version 8.0 or lower, refer to article 000303102.
NOTE: For Control-M for Advanced File Transfer version 9.0.21 or higher, refer to article 000378358.

Validation failed
Failed to validate FTPSSLtest account
Host 1 validation failed: Can't connect to host: ftp-ssl-lab , Error:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
1. Obtain the public CA certificate of the certificate authority (CA) that issues the FTP server's certificate. This file must be in base64-encoded .cer format (PEM format).
2. Open a terminal or command prompt window on the Control-M/Agent machine.
3. Change directory to:
   Windows: <Control-M/Agent>\CM\AFT\data\SSL\cert\
   UNIX/Linux: ~/ctm/cm/AFT/data/SSL/cert/
4. Import the CA certificate with the Java keytool command:
   Windows:
       ..\..\..\JRE\bin\keytool -keystore aftkeystore.pfx -storetype PKCS12 -storepass password -importcert -file myca.cer -alias myca1 -trustcacerts
   UNIX/Linux:
       ../../../JRE/bin/keytool -keystore aftkeystore.pfx -storetype PKCS12 -storepass password -importcert -file myca.cer -alias myca1 -trustcacerts
   Replace myca.cer with the name of the file containing the public CA certificate. The alias (myca1 is used here as an example) must be unique unless you are replacing an existing certificate.

Additional Information

The Control-M File Transfer client keystore is aftkeystore.pfx and is in PKCS12 format, which means it can be manipulated using standard Java keytool commands.

The configuration file ~/cm/AFT/data/ftpssl_config.properties contains parameters that can be used to point to a different keystore, optionally in a different format (for example JKS).

The following command can be used to obtain certificate information from an FTP server that is using SSL or TLS:

    openssl s_client -connect hostname:port -starttls ftp -showcerts

or, if the FTP server is using Implicit SSL (port 990), run:

    openssl s_client -connect hostname:990 -showcerts
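
The script below is an added example, not part of the original article or of Control-M: a pre-flight check for steps 1 and 4 that confirms the file is a single PEM certificate marked as a CA, prints its SHA-256 fingerprint for comparison with the value the CA publishes, and warns if the alias is already in use. The function names are hypothetical, openssl is assumed to be on the PATH, and the keystore name, password and keytool path are the ones shown in the steps above.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the keytool import described above.
# Run from the SSL/cert directory: ./preflight.sh myca.cer myca1
KEYTOOL=${KEYTOOL:-../../../JRE/bin/keytool}   # UNIX/Linux path from step 4
KEYSTORE=${KEYSTORE:-aftkeystore.pfx}
STOREPASS=${STOREPASS:-password}               # value used in the article's command

# Print "pem", "der" or "unknown" for a certificate file.
cert_format() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der    # binary ASN.1 (starts with a SEQUENCE tag), not base64
    else
        echo unknown
    fi
}

# Count certificate blocks; saved "s_client -showcerts" output can hold a whole chain.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

preflight() {
    local file=$1 alias=$2 fmt
    fmt=$(cert_format "$file")
    if [ "$fmt" != "pem" ]; then
        echo "FAIL: $file is $fmt, not PEM. A DER file converts with:" >&2
        echo "  openssl x509 -inform DER -in $file -out ${file%.*}.pem" >&2
        return 1
    fi
    if [ "$(pem_cert_count "$file")" -ne 1 ]; then
        echo "FAIL: $file holds more than one certificate; keep only the CA's" >&2
        return 1
    fi
    # The trust anchor should be the CA, not the FTP server's own certificate.
    # Assumes a v3 certificate that carries the basicConstraints extension.
    if ! openssl x509 -in "$file" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: $file is not marked CA:TRUE" >&2
        return 1
    fi
    # Compare this fingerprint with the one the CA publishes before trusting it.
    openssl x509 -in "$file" -noout -subject -issuer -enddate -fingerprint -sha256
    if "$KEYTOOL" -list -keystore "$KEYSTORE" -storetype PKCS12 \
            -storepass "$STOREPASS" -alias "$alias" >/dev/null 2>&1; then
        echo "WARN: alias $alias already exists in $KEYSTORE" >&2
    fi
}

if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A certificate saved from the openssl s_client output comes from a connection that has not been authenticated yet, so the fingerprint comparison matters most for files obtained that way.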