This knowledge article may contain information that does not apply to version 21.05 or later which runs in a container environment. Please refer to
Article Number 000385088 for more information about troubleshooting BMC products in containers.
Download the SSLPoke utility attached to this article (the attached zip file SSLPoke.zip contains the SSLPoke.java and SSLPoke.class files).
1. Here is an example that specifies the path of the java executable to use, where the cacerts keystore does contain the certificate.
The result shows a successful connection, indicating the certificate(s) are valid.
C:\> "C:\Program Files\Java\jre6\bin\java" SSLPoke mymailserver.bmc.com 465
Successfully connected
Alternatively, you can specify the '-Djavax.net.ssl.trustStore' parameter (note the uppercase S in 'Store'; the name is case sensitive) in the java command to give the location of the keystore file 'cacerts' where the certificate is stored.
That should be the path for the java that ARS is using.
java -Djavax.net.ssl.trustStore="C:\Program Files\Java\jre6\lib\cacerts" SSLPoke mymailserver.bmc.com 465
Another useful parameter is '-Djavax.net.debug=ssl' which will provide more debug information.
It will give information on the contents in the java keystore, certificate handshake, etc. You will see this in the output.
Below is an example of the syntax using this parameter. You can also specify '-Djavax.net.debug=all' to get more detailed information.
java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore="C:\Program Files\Java\jre6\lib\cacerts" SSLPoke mymailserver.bmc.com 465
2. Here is an example where we intentionally do not include the java path, in order to pick up the java the OS chooses by default, whose cacerts keystore does not have the certificate.
This shows an example of the output when the connection fails because the certificate is not valid or not found.
...............................................
C:\> java SSLPoke mymailserver.bmc.com 465
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 15 more
...............................................