ARIS clients using SSL throw Java exceptions

Problem

The loadbalancer runnables are configured for the use of SSL and an SSL certificate is available. Nevertheless, ARIS Client or ARIS Download Client throws the following Java exceptions:

SEVERE: cannot login

com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLoginException: cannot connect to server myARIS.customer.com. Reason: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticateOnServer(UMCLogin.java:218)

at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticate(UMCLogin.java:113)

at com.aris.modeling.client.container.serveraccess.AServerContext.getUserToken(AServerContext.java:842)

at com.aris.modeling.client.container.serveraccess.AServerContext.connectBLManager(AServerContext.java:773)

cannot be started using SSL certification.

Reason

Even with valid certificates (that contain the correct ARIS Server and domain name) purchased from a reliable CA, it may occur that the corresponding root certificate is not available in the JRE currently being used. As a consequence, the JRE is unable to validate the certificate and thus considers it as unknown in the same way it does with certificates that were created internally.

Solution

Add the certificate to the certificate store of the JRE in use. This depends on whether users use a locally installed ARIS Client or ARIS Download Client.

Installed ARIS Client

If an ARIS Client is installed locally, the certificate must be placed into the JRE of the installed ARIS Client. The installed ARIS Client uses its own JRE (see <ARIS installation path>client\jre\). You must distribute the certificate to every single machine from which ARIS Client will be started.

ARIS Download Client

If ARIS Download Client is started using an ARIS downloader JAR file but not the Java applet, you can easily roll out an enhanced cacerts file. Just place it into the JRE installation path on the machine where the ARIS Server is installed.

  1. To roll out the certificate for ARIS Download Client, open your file browser and navigate to the JRE installation path, for example, c:\Program Files (x86)\java\jre\bin. This directory contains the keytool.exe file.
  2. To update the required cacerts file located in the <JRE installation path>\lib\security directory, open a Windows command prompt in this directory and run the command:

    keytool.exe -importcert -file <pathToCertFile> -alias <certificateAlias> -keystore <ARIS installation path>client\jre\lib\security\cacerts -storepass <keystorePassword>

    Replace all <placeholders> with the proper value. Aside from those mentioned above:

  3. Copy the changed cacerts file (<JRE installation path>\lib\security) to this location:

    <ARIS installation path>\server\bin\work\work_abs_<s|m|l>\base\webapps\abs\downloadClient\config

    If users start ARIS Download Client using an ARIS downloader JAR file, this cacerts file is downloaded and used.

Users must restart their ARIS Download Client. Sometimes users are required to restart their browsers. This forces Java to re-read the cacerts keystore.
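
Because the cacerts file changed in step 2 is downloaded and trusted by every ARIS Download Client, it is worth checking the certificate's fingerprint before the import and reading the entry back afterwards. The following PowerShell script is an added example, not part of the ARIS documentation. The angle-bracket values are the page's placeholders, and $Expected is an assumed fingerprint obtained from the CA out of band.

```powershell
$ErrorActionPreference = 'Stop'

# Placeholders from the page; replace before running.
$Keytool   = 'c:\Program Files (x86)\java\jre\bin\keytool.exe'
$CertFile  = '<pathToCertFile>'
$Alias     = '<certificateAlias>'
$Keystore  = '<JRE installation path>\lib\security\cacerts'
$StorePass = '<keystorePassword>'
# Assumption: SHA-256 fingerprint of the CA certificate, obtained from the CA
# over a channel other than the one that delivered $CertFile.
$Expected  = '<expectedSha256Fingerprint>'

function ConvertTo-PlainHex([string]$Value) {
    # "ab:cd ef" -> "ABCDEF", so differently formatted fingerprints compare equal
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# 1. Fingerprint the certificate (hash of its DER encoding) before trusting it.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = ConvertTo-PlainHex ([BitConverter]::ToString($sha256.ComputeHash($cert.RawData)))
if ($actual -ne (ConvertTo-PlainHex $Expected)) {
    throw "Fingerprint mismatch for $CertFile ($actual); not importing."
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# 2. Keep a copy of the unmodified truststore so the change can be reverted.
Copy-Item -LiteralPath $Keystore -Destination "$Keystore.bak"

# 3. Import; -noprompt is acceptable here only because step 1 already verified the file.
& $Keytool -importcert -noprompt -file $CertFile -alias $Alias -keystore $Keystore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool -importcert failed with exit code $LASTEXITCODE." }

# 4. Read the entry back and confirm the stored certificate is the verified one.
$listing = & $Keytool -list -v -alias $Alias -keystore $Keystore -storepass $StorePass | Out-String
if ($listing -notmatch 'SHA-?256:\s*([0-9A-Fa-f:]+)') { throw "No SHA-256 fingerprint in keytool output." }
if ((ConvertTo-PlainHex $Matches[1]) -ne $actual) { throw "Alias $Alias holds a different certificate." }

# 5. Hash the updated cacerts; compare it with the copy placed in downloadClient\config.
Get-FileHash -LiteralPath $Keystore -Algorithm SHA256 | Format-List Path, Hash
```

Running Get-FileHash on the copy in the downloadClient\config directory should return the same hash as the last step.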

If an error message is thrown like the following, the certificate is signed for the wrong ARIS Server name. In this case, you must provide the correct certificate.

Jul 01, 2018 7:15:08 AM com.idsscheer.utils.logging.ALogger logException

SEVERE: cannot login

com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLoginException: cannot connect to server myARIS.customer.com. Reason: Certificate for <myARIS.customer.com> doesn't contain CN or DNS subjectAlt

at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticateOnServer(UMCLogin.java:218)

at com.aris.modeling.common.serverremoteapi.cscommon.umc.UMCLogin.authenticate(UMCLogin.java:113)

at com.aris.modeling.client.container.serveraccess.AServerContext.getUserToken(AServerContext.java:842)

...