Problem
The loadbalancer runnables are configured for the use of SSL and a SSL certificate is available. Nevertheless, ARIS Client or ARIS Download Client throws the following Java exceptions:
SEVERE: cannot login
com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLoginException: cannot connect to server myARIS.customer.com. Reason: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticateOnServer(UMCLogin.java:218)
at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticate(UMCLogin.java:113)
at com.aris.modeling.client.container.serveraccess.AServerContext.getUserToken(AServerContext.java:842)
at com.aris.modeling.client.container.serveraccess.AServerContext.connectBLManager(AServerContext.java:773)
cannot be started using SSL certification.
Reason
Even with valid certificates (that contain the correct ARIS Server and domain name) purchased from a reliable CA, it may occur that the corresponding root certificate is not available in the JRE currently being used. As a consequence, the JRE is unable to validate the certificate and thus considers it as unknown in the same way it does with certificates that were created internally.
Solution
Add the certificate to the certificate store of the JRE in use. This depends on whether users use a locally installed ARIS Client or ARIS Download Client.
Installed ARIS Client
If an ARIS Clientis installed locally, the certificate must be placed into the JRE of the installed ARIS Client. The installed ARIS Client uses its own JRE (see <ARIS installation path>client\jre\). You must distribute the certificate to every single machine from which ARIS Client will be started.
ARIS Download Client
If ARIS Download Client is started using an ARIS downloader JAR file but not the Java applet, you can easily roll out an enhanced cacerts file. Just place it into the JRE installation path on the machine were the ARIS Server is installed.
keytool.exe -importcert -file <pathToCertFile> -alias <certificateAlias> -keystore <ARIS installation path>client\jre\lib\security\cacerts -storepass <keystorePassword>
Replace all <placeholders> with the proper value. Aside from those mentioned above:
This placeholder represents a name you give to your certificate. Name it in a way that you can easily identify your certificate from the selection in the cacerts keystore.
This placeholder represents the password to the cacerts keystore. Do not use a different password as the default value changeit.
"<ARIS installation path>\server\bin\work\work_abs_<s|m|l>\base\webapps\abs\downloadClient\config
If users start ARIS Download Client using an ARIS downloader JAR file, this cacerts file is downloaded and used.
Users must restart theirARIS_download_client>. Sometimes users are required to restart their browsers. This forces Java to re-read the cacerts keystore.
If an error message is thrown like the following, the certificate is signed for the wrong ARIS Server name. In this case, you must provide the correct certificate.
Jul 01, 2018 7:15:08 AM com.idsscheer.utils.logging.ALogger logException
SEVERE: cannot login
com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLoginException:
cannot connect to server myARIS.customer.com. Reason: Certificate
for <myARIS.customer.com> doesn't contain CN or DNS
subjectAlt
at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticateOnServer(UMCLogin.java:218)
at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticate(UMCLogin.java:113)
at com.aris.modeling.client.container.serveraccess.AServerContext.getUserToken(AServerContext.java:842)
...