Pentaho

The error message:

IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, connect lapse 113 ms., Authentication lapse 0 ms.

Connection type: Oracle
Access: JNDI

Options:

javax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks

oracle.jdbc.J2EE13Compliant=true

javax.net.ssl.trustStorePassword=changeit

javax.net.ssl.trustStoreType=JKS

jdbs.properties

AWS_HKDA_DEV/type=javax.sql.DataSource
AWS_HKDA_DEV/driver=oracle.jdbc.driver.OracleDriver
AWS_HKDA_DEV/url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=devrds.*****.sgfilcld)(PORT=11701))(CONNECT_DATA=(SERVICE_NAME=ORACLE)))
AWS_HKDA_DEV/user=******
AWS_HKDA_DEV/password=*******

And the jdbc is ojdbs8.jar

And  imported the rds key with this:
keytool -import -alias rds-ap -keystore ******

Test the key should ok

keytool -list -v -keystore clientkeystore.jks -storepass "changeit"

Who can help to handle this issue or give me some advices?

Thank inadvanced

Tony

@Tony lang,

Just in case the problem is elsewhere try setting the trustServerCertificate to true in your JNDI and remove the other SSL certificate related options:

trustServerCertificate=true

This will trust server's certificate and do not check anything else. Check if this works

You can also:

• Check with the same options using another SQL java based client like http://www.squirrelsql.org/ and test your options.
• Check with the same options but using the PDI GUI instead

Hope it helps to pinpoint the problem

Best regards

The error message:

IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, connect lapse 113 ms., Authentication lapse 0 ms.

Connection type: Oracle
Access: JNDI

Options:

javax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks

oracle.jdbc.J2EE13Compliant=true

javax.net.ssl.trustStorePassword=changeit

javax.net.ssl.trustStoreType=JKS

jdbs.properties

AWS_HKDA_DEV/type=javax.sql.DataSource
AWS_HKDA_DEV/driver=oracle.jdbc.driver.OracleDriver
AWS_HKDA_DEV/url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=devrds.*****.sgfilcld)(PORT=11701))(CONNECT_DATA=(SERVICE_NAME=ORACLE)))
AWS_HKDA_DEV/user=******
AWS_HKDA_DEV/password=*******

And the jdbc is ojdbs8.jar

And  imported the rds key with this:
keytool -import -alias rds-ap -keystore ******

Test the key should ok

keytool -list -v -keystore clientkeystore.jks -storepass "changeit"

Who can help to handle this issue or give me some advices?

Thank inadvanced

Tony

@Tony lang,

Just in case the problem is elsewhere try setting the trustServerCertificate to true in your JNDI and remove the other SSL certificate related options:

trustServerCertificate=true

This will trust server's certificate and do not check anything else. Check if this works

You can also:

• Check with the same options using another SQL java based client like http://www.squirrelsql.org/ and test your options.
• Check with the same options but using the PDI GUI instead

Hope it helps to pinpoint the problem

Best regards

------------------------------
Juan Sierra Pons
Systems Engineer
Juan Sierra Pons

Original Message:
Sent: 02-16-2023 20:49
From: Tony lang
Subject: IO Error when PDI 9.4 connect AWS RDS Oracle 19C

The error message:

IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, connect lapse 113 ms., Authentication lapse 0 ms.

Connection type: Oracle
Access: JNDI

Options:

javax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks

oracle.jdbc.J2EE13Compliant=true

javax.net.ssl.trustStorePassword=changeit

javax.net.ssl.trustStoreType=JKS

jdbs.properties

AWS_HKDA_DEV/type=javax.sql.DataSource
AWS_HKDA_DEV/driver=oracle.jdbc.driver.OracleDriver
AWS_HKDA_DEV/url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=devrds.*****.sgfilcld)(PORT=11701))(CONNECT_DATA=(SERVICE_NAME=ORACLE)))
AWS_HKDA_DEV/user=******
AWS_HKDA_DEV/password=*******

And the jdbc is ojdbs8.jar

And  imported the rds key with this:
keytool -import -alias rds-ap -keystore ******

Test the key should ok

keytool -list -v -keystore clientkeystore.jks -storepass "changeit"

Who can help to handle this issue or give me some advices?

Thank inadvanced

Tony

Thanks Juan

My options is here:

But Got the same error:
IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, Authentication lapse 0 ms.

Is the format correct? or how to add this option?

Regards

Tony

@Tony lang,

Just in case the problem is elsewhere try setting the trustServerCertificate to true in your JNDI and remove the other SSL certificate related options:

trustServerCertificate=true

This will trust server's certificate and do not check anything else. Check if this works

You can also:

• Check with the same options using another SQL java based client like http://www.squirrelsql.org/ and test your options.
• Check with the same options but using the PDI GUI instead

Hope it helps to pinpoint the problem

Best regards

The error message:

IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, connect lapse 113 ms., Authentication lapse 0 ms.

Connection type: Oracle
Access: JNDI

Options:

javax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks

oracle.jdbc.J2EE13Compliant=true

javax.net.ssl.trustStorePassword=changeit

javax.net.ssl.trustStoreType=JKS

jdbs.properties

AWS_HKDA_DEV/type=javax.sql.DataSource
AWS_HKDA_DEV/driver=oracle.jdbc.driver.OracleDriver
AWS_HKDA_DEV/url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=devrds.*****.sgfilcld)(PORT=11701))(CONNECT_DATA=(SERVICE_NAME=ORACLE)))
AWS_HKDA_DEV/user=******
AWS_HKDA_DEV/password=*******

And the jdbc is ojdbs8.jar

And  imported the rds key with this:
keytool -import -alias rds-ap -keystore ******

Test the key should ok

keytool -list -v -keystore clientkeystore.jks -storepass "changeit"

Who can help to handle this issue or give me some advices?

Thank inadvanced

Tony

Hi Tony,

properties javax.net.ssl.trustStore,javax.net.ssl.trustStorePassword,javax.net.ssl.trustStoreType MUST BE set as system property, you can set environment property PENTAHO_DI_JAVA_OPTIONS or modify Spoon.bat file, for ex. PENTAHO_DI_JAVA_OPTIONS=-Djavax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks.

If trust store has password changeit (it's default in JVM), so property javax.net.ssl.trustStorePassword is not required, store type is same (default is JKS), so property javax.net.ssl.trustStoreType is not required.

Property oracle.jdbc.J2EE13Compliant is system property too, I found this on Oracle site.

This is configuration for trust store of JVM, this is used for verifying of server side.

File has name clientkeystore.jks, so I expect that there is stored client private key/certificate. And this is used for verifying client on server.

Thanks Juan

My options is here:

But Got the same error:
IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, Authentication lapse 0 ms.

Is the format correct? or how to add this option?

Regards

Tony

@Tony lang,

Just in case the problem is elsewhere try setting the trustServerCertificate to true in your JNDI and remove the other SSL certificate related options:

trustServerCertificate=true

This will trust server's certificate and do not check anything else. Check if this works

You can also:

• Check with the same options using another SQL java based client like http://www.squirrelsql.org/ and test your options.
• Check with the same options but using the PDI GUI instead

Hope it helps to pinpoint the problem

Best regards

The error message:

IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, connect lapse 113 ms., Authentication lapse 0 ms.

Connection type: Oracle
Access: JNDI

Options:

javax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks

oracle.jdbc.J2EE13Compliant=true

javax.net.ssl.trustStorePassword=changeit

javax.net.ssl.trustStoreType=JKS

jdbs.properties

AWS_HKDA_DEV/type=javax.sql.DataSource
AWS_HKDA_DEV/driver=oracle.jdbc.driver.OracleDriver
AWS_HKDA_DEV/url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=devrds.*****.sgfilcld)(PORT=11701))(CONNECT_DATA=(SERVICE_NAME=ORACLE)))
AWS_HKDA_DEV/user=******
AWS_HKDA_DEV/password=*******

And the jdbc is ojdbs8.jar

And  imported the rds key with this:
keytool -import -alias rds-ap -keystore ******

Test the key should ok

keytool -list -v -keystore clientkeystore.jks -storepass "changeit"

Who can help to handle this issue or give me some advices?

Thank inadvanced

Tony

Hi Tony,

properties javax.net.ssl.trustStore,javax.net.ssl.trustStorePassword,javax.net.ssl.trustStoreType MUST BE set as system property, you can set environment property PENTAHO_DI_JAVA_OPTIONS or modify Spoon.bat file, for ex. PENTAHO_DI_JAVA_OPTIONS=-Djavax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks.

If trust store has password changeit (it's default in JVM), so property javax.net.ssl.trustStorePassword is not required, store type is same (default is JKS), so property javax.net.ssl.trustStoreType is not required.

Property oracle.jdbc.J2EE13Compliant is system property too, I found this on Oracle site.

This is configuration for trust store of JVM, this is used for verifying of server side.

File has name clientkeystore.jks, so I expect that there is stored client private key/certificate. And this is used for verifying client on server.

Thanks Juan

My options is here:

But Got the same error:
IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, Authentication lapse 0 ms.

Is the format correct? or how to add this option?

Regards

Tony

@Tony lang,

Just in case the problem is elsewhere try setting the trustServerCertificate to true in your JNDI and remove the other SSL certificate related options:

trustServerCertificate=true

This will trust server's certificate and do not check anything else. Check if this works

You can also:

• Check with the same options using another SQL java based client like http://www.squirrelsql.org/ and test your options.
• Check with the same options but using the PDI GUI instead

Hope it helps to pinpoint the problem

Best regards

The error message:

IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, connect lapse 113 ms., Authentication lapse 0 ms.

Connection type: Oracle
Access: JNDI

Options:

javax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks

oracle.jdbc.J2EE13Compliant=true

javax.net.ssl.trustStorePassword=changeit

javax.net.ssl.trustStoreType=JKS

jdbs.properties

AWS_HKDA_DEV/type=javax.sql.DataSource
AWS_HKDA_DEV/driver=oracle.jdbc.driver.OracleDriver
AWS_HKDA_DEV/url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=devrds.*****.sgfilcld)(PORT=11701))(CONNECT_DATA=(SERVICE_NAME=ORACLE)))
AWS_HKDA_DEV/user=******
AWS_HKDA_DEV/password=*******

And the jdbc is ojdbs8.jar

And  imported the rds key with this:
keytool -import -alias rds-ap -keystore ******

Test the key should ok

keytool -list -v -keystore clientkeystore.jks -storepass "changeit"

Who can help to handle this issue or give me some advices?

Thank inadvanced

Tony

Thanks，Petr

I got the same error, is there any issue for my code?

if "%PENTAHO_DI_JAVA_OPTIONS%"=="" set PENTAHO_DI_JAVA_OPTIONS="-Xms1024m" "-Xmx2048m"
set PENTAHO_DI_JAVA_OPTIONS="-Djavax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks" %PENTAHO_DI_JAVA_OPTIONS%

set OPT=%OPT% %PENTAHO_DI_JAVA_OPTIONS% "-Djava.library.path=%LIBSPATH%;%HADOOP_HOME%/bin" %JAVA_ENDORSED_DIRS% %JAVA_LOCALE_COMPAT% "-DKETTLE_HOME=%KETTLE_HOME%" "-DKETTLE_REPOSITORY=%KETTLE_REPOSITORY%" "-DKETTLE_USER=%KETTLE_USER%" "-DKETTLE_PASSWORD=%KETTLE_PASSWORD%" "-DKETTLE_PLUGIN_PACKAGES=%KETTLE_PLUGIN_PACKAGES%" "-DKETTLE_LOG_SIZE_LIMIT=%KETTLE_LOG_SIZE_LIMIT%" "-DKETTLE_JNDI_ROOT=%KETTLE_JNDI_ROOT%"

I can start the PDI, but it seem no fixed.

Thanks

Tony

Hi Tony,

properties javax.net.ssl.trustStore,javax.net.ssl.trustStorePassword,javax.net.ssl.trustStoreType MUST BE set as system property, you can set environment property PENTAHO_DI_JAVA_OPTIONS or modify Spoon.bat file, for ex. PENTAHO_DI_JAVA_OPTIONS=-Djavax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks.

If trust store has password changeit (it's default in JVM), so property javax.net.ssl.trustStorePassword is not required, store type is same (default is JKS), so property javax.net.ssl.trustStoreType is not required.

Property oracle.jdbc.J2EE13Compliant is system property too, I found this on Oracle site.

This is configuration for trust store of JVM, this is used for verifying of server side.

File has name clientkeystore.jks, so I expect that there is stored client private key/certificate. And this is used for verifying client on server.

Thanks Juan

My options is here:

But Got the same error:
IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, Authentication lapse 0 ms.

Is the format correct? or how to add this option?

Regards

Tony

@Tony lang,

Just in case the problem is elsewhere try setting the trustServerCertificate to true in your JNDI and remove the other SSL certificate related options:

trustServerCertificate=true

This will trust server's certificate and do not check anything else. Check if this works

You can also:

• Check with the same options using another SQL java based client like http://www.squirrelsql.org/ and test your options.
• Check with the same options but using the PDI GUI instead

Hope it helps to pinpoint the problem

Best regards

The error message:

IO Error: IO Error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, connect lapse 113 ms., Authentication lapse 0 ms.

Connection type: Oracle
Access: JNDI

Options:

javax.net.ssl.trustStore=C:/Users/Administrator/Desktop/tools/data-integration/clientkeystore.jks

oracle.jdbc.J2EE13Compliant=true

javax.net.ssl.trustStorePassword=changeit

javax.net.ssl.trustStoreType=JKS

jdbs.properties

AWS_HKDA_DEV/type=javax.sql.DataSource
AWS_HKDA_DEV/driver=oracle.jdbc.driver.OracleDriver
AWS_HKDA_DEV/url=jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=devrds.*****.sgfilcld)(PORT=11701))(CONNECT_DATA=(SERVICE_NAME=ORACLE)))
AWS_HKDA_DEV/user=******
AWS_HKDA_DEV/password=*******

And the jdbc is ojdbs8.jar

And  imported the rds key with this:
keytool -import -alias rds-ap -keystore ******

Test the key should ok

keytool -list -v -keystore clientkeystore.jks -storepass "changeit"

Who can help to handle this issue or give me some advices?

Thank inadvanced

Tony