25.5 Mismatch of Certificates Used by Identity Manager Engine and User Application Causes Code (-9205) Error in vnd.nds.stream

Issue: The Identity Manager drivers use the Identity Manager engine's keystore, not the User Application's keystore, when they connect to the User Application. If the two components trust different certificates, the drivers report an error message similar to the following when the driver trace level is set to 5:

DirXML Log Event
Message:  Code(-9205) Error in vnd.nds.stream://VAULT/TEST/DRIVERSET1/DRIVER1/Publisher/POLICY#XmlData:133 : 
Couldn't request assignment of role: '<Role DN>' to identity: '<User DN>': 
com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Workaround: Verify that the JRE used by the Identity Manager engine contains the certificate required to connect to the User Application.

  1. Locate cacerts in the Identity Manager engine directory.

    For example, /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts on Linux.

  2. Determine the certificate used by the User Application.

    1. Navigate to the User Application keystore.

      For example, /opt/netiq/idm/apps/jre/lib/security/cacerts.

    2. List the certificates by running the following command from the command line:

      keytool -list -v -keystore cacerts

  3. (Conditional) If you have access to the certificate, import it into the Identity Manager engine's cacerts keystore by running the following command from the directory that contains the engine's cacerts file:

    keytool -import -alias <newalias> -keystore cacerts -file certificate.der

  4. (Conditional) If you do not have access to the certificate, export it from the User Application's cacerts keystore, and then import it into the Identity Manager engine's cacerts keystore.

  5. Restart the Identity Vault.
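The following script is an added example, not part of the NetIQ documentation, that automates the comparison in step 2 and the export/import in steps 3 and 4. It parses `keytool -list` output into alias/fingerprint pairs, reports which User Application entries the engine's keystore does not trust, and imports a single named alias only when its fingerprint is missing from the engine's keystore (importing the whole User Application truststore would widen what the engine trusts for no reason). The keystore paths are the examples from the page; the `changeit` password, the `ENGINE_KS`/`UA_KS`/`STOREPASS` variables, and the one-fingerprint-line-per-entry format of `keytool -list` are assumptions about JRE defaults, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the NetIQ documentation): compare the certificates
# trusted by the User Application JRE with those trusted by the Identity
# Manager engine JRE, and copy one named entry across only if the engine lacks it.
# Paths are the examples from the page; the password, variable names and the
# `keytool -list` output format are assumptions about the JRE's defaults.
ENGINE_KS="${ENGINE_KS:-/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts}"
UA_KS="${UA_KS:-/opt/netiq/idm/apps/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Reduce a `keytool -list` listing (stdin) to "alias<TAB>fingerprint" lines.
# Header lines have no ", " separators and are skipped; the fingerprint is the
# last whitespace-separated word of each "Certificate fingerprint" line.
entries_from_listing() {
    awk -F', ' '
        /^Certificate fingerprint/ { n = split($0, w, " "); print alias "\t" w[n]; next }
        NF >= 2 && $NF ~ /Entry,?$/ { alias = $1 }
    '
}

# Read "alias<TAB>fingerprint" lines from stdin and print those whose
# fingerprint does not appear in $1 (a newline-separated fingerprint list).
# An empty $1 means the engine trusts nothing, so every entry is printed.
missing_entries() {
    trusted=$(mktemp)
    printf '%s\n' "$1" | grep -v '^$' > "$trusted" || true
    awk -F'\t' -v file="$trusted" '
        BEGIN { while ((getline fp < file) > 0) have[fp] = 1 }
        !($2 in have) { print }
    '
    rm -f "$trusted"
}

# Fingerprints currently trusted by a keystore, one per line (needs keytool).
keystore_fingerprints() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" | entries_from_listing | cut -f2
}

# Step 2 of the workaround: show which User Application entries the engine lacks.
report_missing() {
    keytool -list -keystore "$UA_KS" -storepass "$STOREPASS" | entries_from_listing |
        missing_entries "$(keystore_fingerprints "$ENGINE_KS")"
}

# Steps 3 and 4: export one entry from the User Application keystore and import
# it into the engine keystore, but only when the engine does not already trust
# it (re-importing under a new alias would silently duplicate the certificate).
import_alias() {
    alias="$1"
    der=$(mktemp)
    keytool -exportcert -alias "$alias" -keystore "$UA_KS" -storepass "$STOREPASS" -file "$der"
    fp=$(keytool -list -keystore "$UA_KS" -storepass "$STOREPASS" -alias "$alias" | entries_from_listing | cut -f2)
    if keystore_fingerprints "$ENGINE_KS" | grep -q -x -F "$fp"; then
        echo "engine already trusts $alias ($fp); nothing to do"
    else
        keytool -importcert -noprompt -alias "$alias" -keystore "$ENGINE_KS" -storepass "$STOREPASS" -file "$der"
        echo "imported $alias into $ENGINE_KS; restart the Identity Vault"
    fi
    rm -f "$der"
}

# Constructed sample listing (placeholder fingerprints, not real keytool
# output) so the parsing path can be exercised without a keystore.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

uaserver, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA
rootca, Jan 1, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB'

# Offline demonstration: the engine trusts only rootca, so uaserver is reported.
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | entries_from_listing | missing_entries "BB:BB:BB"
}

case "${1:-demo}" in
    demo)   demo ;;
    report) report_missing ;;
    import) import_alias "$2" ;;
esac
```

Run it with no arguments for the offline demonstration, with `report` on the engine host to list the User Application entries the engine does not trust, and with `import <alias>` to copy exactly one of them across; the Identity Vault still has to be restarted afterwards, as in step 5.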