Problem
The loadbalancer runnables are configured for the use of TLS/SSL and a certificate is available. Nevertheless, ARIS Client or ARIS Download Client throws the following Java exceptions:
SEVERE: cannot login
com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLoginException: cannot connect to server myARIS.customer.com. Reason: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticateOnServer(UMCLogin.java:218)
at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticate(UMCLogin.java:113)
at com.aris.modeling.client.container.serveraccess.AServerContext.getUserToken(AServerContext.java:842)
at com.aris.modeling.client.container.serveraccess.AServerContext.connectBLManager(AServerContext.java:773)
cannot be started using SSL certification.
Reason
Even a valid certificate (one that contains the correct ARIS Server and domain name) purchased from a reliable CA can fail validation if the corresponding root certificate is not available in the JRE currently being used. The JRE is then unable to validate the certificate and treats it as unknown, in the same way it does with certificates that were created internally.
Solution
Add the certificate to the certificate store of the JRE in use. The procedure depends on whether users work with a locally installed ARIS Client or with ARIS Download Client.
Installed ARIS Client
If an ARIS Client is installed locally, the certificate must be placed into the JRE of the installed ARIS Client. The installed ARIS Client uses its own JRE (see <ARIS installation path>client\jre\). You must distribute the certificate to every single machine from which ARIS Client will be started.
ARIS Download Client
If ARIS Download Client is started using an ARIS downloader JAR file but not the Java applet, you can easily roll out an enhanced cacerts file as follows:
To roll out the certificate for ARIS Download Client, open your file browser and navigate to the JRE installation path, for example, c:\Program Files (x86)\java\jre\bin. This directory contains the keytool.exe file.
To update the required cacerts file located in the <JRE installation path>\lib\security directory, open a Windows command prompt in this directory and run the command:
keytool.exe -importcert -file <pathToCertFile> -alias <certificateAlias> -keystore <ARIS installation path>client\jre\lib\security\cacerts -storepass <keystorePassword>
Replace all <placeholders> with the proper value. Aside from those mentioned above:
<certificateAlias>
This placeholder represents a name you give to your certificate. Name it in a way that you can easily identify your certificate from the selection in the cacerts keystore.
<keystorePassword>
This placeholder represents the password to the cacerts keystore. Do not use a password other than the default value, changeit.
Copy the changed cacerts file (from <JRE installation path>\lib\security) to this location:
<ARIS installation path>\server\bin\work\work_abs_<s|m|l>\base\webapps\abs\downloadClient\config
If users start ARIS Download Client using an ARIS downloader JAR file, this cacerts file is downloaded and used.
Users must restart their ARIS Download Client. Sometimes users are required to restart their browsers. This forces Java to re-read the cacerts keystore.
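The roll-out steps above for ARIS Download Client, collected into one PowerShell script as an added example (it is not part of the original ARIS documentation). It updates the cacerts file in <JRE installation path>\lib\security as the steps describe; the JRE path, certificate file name, alias and the work_abs_m directory are assumed values to replace, and the script is meant to be saved as a .ps1 file and run with write access to the JRE directory.

```powershell
# Added example. Every value in this block is an assumed placeholder; replace before use.
$JreHome   = 'C:\Program Files (x86)\java\jre'   # <JRE installation path>
$CertFile  = 'C:\temp\root-ca.cer'               # certificate file to import (constructed name)
$Alias     = 'customer-root-ca'                  # <certificateAlias> (constructed name)
$StorePass = 'changeit'                          # default cacerts password
$ConfigDir = '<ARIS installation path>\server\bin\work\work_abs_m\base\webapps\abs\downloadClient\config'

$Keytool = Join-Path $JreHome 'bin\keytool.exe'
$Cacerts = Join-Path $JreHome 'lib\security\cacerts'
foreach ($p in $Keytool, $CertFile, $Cacerts, $ConfigDir) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Path not found: $p" }
}

# 1. Show subject, issuer, validity and fingerprints of the file. Whatever is
#    imported becomes a trust anchor, so compare the SHA-256 fingerprint with
#    the value published by the CA before continuing.
& $Keytool -printcert -file $CertFile
if ($LASTEXITCODE -ne 0) { throw 'keytool could not read the certificate file.' }
if ((Read-Host 'Fingerprint verified? Type yes to import') -ne 'yes') { throw 'Aborted.' }

# 2. Refuse to reuse an existing alias (keytool -list exits 0 if the alias exists).
& $Keytool -list -alias $Alias -keystore $Cacerts -storepass $StorePass | Out-Null
if ($LASTEXITCODE -eq 0) { throw "Alias '$Alias' already exists in $Cacerts" }

# 3. Keep a timestamped backup so the change can be rolled back.
$Backup = "$Cacerts.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $Cacerts -Destination $Backup -ErrorAction Stop

# 4. Import. -noprompt is acceptable here only because step 1 already asked.
& $Keytool -importcert -file $CertFile -alias $Alias -keystore $Cacerts -storepass $StorePass -noprompt
if ($LASTEXITCODE -ne 0) { throw "Import failed; original keystore saved as $Backup" }

# 5. Confirm the entry is present and print its stored fingerprint.
& $Keytool -list -alias $Alias -keystore $Cacerts -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw 'Alias not found after import.' }

# 6. Publish the updated keystore for ARIS Download Client.
Copy-Item -LiteralPath $Cacerts -Destination $ConfigDir -ErrorAction Stop
Write-Host "Updated cacerts copied to $ConfigDir"
```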
If an error message like the following is thrown, the certificate is signed for the wrong ARIS Server name. In this case, you must provide the correct certificate.
Jul 01, 2018 7:15:08 AM com.idsscheer.utils.logging.ALogger logException
SEVERE: cannot login
com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLoginException: cannot connect to server myARIS.customer.com. Reason: Certificate for <myARIS.customer.com> doesn't contain CN or DNS subjectAlt
at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticateOnServer(UMCLogin.java:218)
at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticate(UMCLogin.java:113)
at com.aris.modeling.client.container.serveraccess.AServerContext.getUserToken(AServerContext.java:842)
...