Code(-9205) Error in vnd.nds.stream - PKIX path building failed

  • 7022364
  • 20-Nov-2017
  • 20-Nov-2017

Environment

Identity Manager 4.5
Identity Manager 4.6

Situation

When a driver has to request a role assignment and access User Application - it'll show the following error in a Level 5 Trace of the driver:

DirXML Log Event
     Message:  Code(-9205) Error in vnd.nds.stream://VAULT/TEST/DRIVERSET/DRIVER/Publisher/POLICY#XmlData:133 : Couldn't request assignment of role: '<Role DN>' to identity: '<User DN>': com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution

You need to verify that the JRE which IDM Engine uses has the required certificate to connect to User Application.

The typical path for the cacerts for this JRE is located at the following in Linux: /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts. Consider the following steps:
  1. Determine which certificate is being used by UserApplication by checking the certificates located at /opt/netiq/idm/apps/jre/lib/security/cacerts. You can get a list of all the certs with the following command: keytool -list -v -keystore cacerts
  2. From here - if you have access to that same cert, just import it into the IDM Engine cacerts. If you don't have access to it, you can export it from the UserApplication cacerts, and then import it into the IDM Engine cacerts. 
  3. To import, use the following command: keytool -import -alias <newalias> -keystore cacerts -file certificate.der

Once you've setup the IDM Engine cacerts with the certificate used by the UserApplication cacerts, restart eDirectory, and then test the driver again.

Cause

If the User Application certificate expires - often this other step to update the IDM Engine is missed. User Application can start and function properly on it's own if that keystore is updated with new certificates, but if any drivers need to connect to User Application in any way - it uses the keystore that is tied to the IDM Engine rather than UserApplication's separate keystore. This is why when the driver tries to access and retrieve any data, it fails with a certificate error.