SunCertPathBuilderException: unable to find valid certification path to requested target when trying to use the old remoting-connector in JBoss EAP 7.1

Solution Verified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP) 7.1
  • EJB Client server to server configuration
  • remoting-connector

Issue

  • We enabled the old remoting-connector in JBoss EAP 7.1 and are using the jboss-ejb-client.xml server to server EJB configuration, but our client server is getting this exception when it tries to invoke the remote EJB, even though the client's remote-outbound-connection has SSL_ENABLED set to false.

The client server has:

            <outbound-connections>
                <remote-outbound-connection name="remote-ejb-connection" outbound-socket-binding-ref="remote-socket-ejb" security-realm="ejb-security-realm" username="ejbuser" protocol="remote">
                    <properties>
                        <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
                        <property name="SSL_ENABLED" value="false"/>
                    </properties>
                </remote-outbound-connection>
            </outbound-connections>

The server side has:

        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
            <endpoint/>
            <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm">
            </connector>
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        </subsystem>

Caused by: javax.faces.el.EvaluationException: javax.ejb.NoSuchEJBException: EJBCLIENT000079: Unable to discover destination for request for EJB StatelessEJBLocator for "/ejb-client/Hello", view is interface com.jboss.examples.ejb.Hello, affinity is None
	at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:101)
	at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:102)
	at javax.faces.component.UICommand.broadcast(UICommand.java:315)
	at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:790)
	at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:1282)
	at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:81)
	at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
	at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:198)
	at javax.faces.webapp.FacesServlet.service(FacesServlet.java:658)
	... 39 more
Caused by: javax.ejb.NoSuchEJBException: EJBCLIENT000079: Unable to discover destination for request for EJB StatelessEJBLocator for "/ejb-client/Hello", view is interface com.jboss.examples.ejb.Hello, affinity is None
	at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:592)
	at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:528)
	at org.jboss.ejb.protocol.remote.RemotingEJBClientInterceptor.handleInvocationResult(RemotingEJBClientInterceptor.java:56)
	at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:594)
...
	Suppressed: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
		at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
		at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
		at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
		at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
		at org.xnio.ssl.JsseSslConduitEngine.engineWrap(JsseSslConduitEngine.java:336)
...
	Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
		at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
		at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
		at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
		at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
		at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
		at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
		at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
		at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
		at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
		at java.security.AccessController.doPrivileged(Native Method)
		at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
		at org.xnio.ssl.JsseSslConduitEngine.handleHandshake(JsseSslConduitEngine.java:543)
...
	Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
		at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
		at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
		at sun.security.validator.Validator.validate(Validator.java:262)
		at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
		at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
		at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
		at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
		... 17 more
	Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
		at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
		at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
		at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
		at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
		... 23 more
	Suppressed: javax.ejb.NoSuchEJBException: WFLYEJB0056: Could not find EJB in matching deployment: StatelessEJBLocator for "/ejb-client/Hello", view is interface com.jboss.examples.ejb.Hello, affinity is None
		at org.jboss.as.ejb3.remote.LocalEjbReceiver.findBean(LocalEjbReceiver.java:401)
		at org.jboss.as.ejb3.remote.LocalEjbReceiver.processInvocation(LocalEjbReceiver.java:96)
		at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:479)
...
	Suppressed: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
		at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
		at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
		at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
		at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
		at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
		at org.xnio.ssl.JsseSslConduitEngine.engineUnwrap(JsseSslConduitEngine.java:688)
		at org.xnio.ssl.JsseSslConduitEngine.unwrap(JsseSslConduitEngine.java:620)
...
	Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
		at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
...
	Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
		at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
		at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
...
	Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
		at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
		at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
		at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
		at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
		... 25 more

Resolution

Option 1 - set SSL_ENABLED=false on both the client and the server side

On the server side configuration, add the SSL_ENABLED property to the remoting-connector and set it to false:

        <subsystem xmlns="urn:jboss:domain:remoting:4.0">
            <endpoint/>
            <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm">
                <properties>
                    <property name="SSL_ENABLED" value="false"/>
                </properties>
            </connector>
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        </subsystem>

Option 2 - create a new realm for the old remoting-connector to use

Create a new security-realm for the old remoting-connector to use that does not have an ssl server-identity, as shown below. When running add-user.sh, the -r [New Realm] option is required because the realm name is used when hashing the password.

./bin/add-user.sh -r RemotingRealm -up ./standalone/configuration/remoting-users.properties -gp ./standalone/configuration/remoting-roles.properties -u ejbuser -p redhat1!

/core-service=management/security-realm=RemotingRealm:add()
/core-service=management/security-realm=RemotingRealm/authentication=local:add(allowed-users=*, skip-group-loading=true, default-user="$local")
/core-service=management/security-realm=RemotingRealm/authentication=properties:add(path=remoting-users.properties, relative-to=jboss.server.config.dir)
/core-service=management/security-realm=RemotingRealm/authorization=properties:add(path=remoting-roles.properties, relative-to=jboss.server.config.dir)

            <security-realm name="RemotingRealm">
                <authentication>
                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
                    <properties path="remoting-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="remoting-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>

Option 3 - remove the ssl server-identity from the ApplicationRealm

Removing the ssl server-identity from the ApplicationRealm also requires disabling the Undertow/Web https listener, because that listener uses the ssl server-identity of the ApplicationRealm. If Undertow must keep serving https, use Option 2 instead and create a new realm for the remoting-connector, so that Undertow can continue to use the realm with the ssl identity.

        <subsystem xmlns="urn:jboss:domain:undertow:4.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<!-- Remove the https listener that is using ApplicationRealm if you remove the ssl from the Application Realm
                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>
-->

Root Cause

The server side remoting-connector was configured to use the ApplicationRealm. In JBoss EAP 7.1 the ApplicationRealm carries an ssl server-identity with a generated self-signed certificate, so a connector bound to that realm uses SSL by default. Since the client side sets SSL_ENABLED=false, the server side needs to set it to false as well.

            <security-realm name="ApplicationRealm">
                <server-identities>
                    <ssl>
                        <keystore path="application.keystore" relative-to="jboss.server.config.dir" keystore-password="password" alias="server" key-password="password" generate-self-signed-certificate-host="localhost"/>
                    </ssl>
                </server-identities>
            ...
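The following is an added example, not part of the Red Hat solution: a small lint that reads a standalone.xml and reports, for every connector in the remoting subsystem, whether it will negotiate TLS (realm with an ssl server-identity and no SSL_ENABLED=false), has TLS disabled (Option 1), or is bound to a realm without an ssl identity (Option 2 or 3). The sample configuration is constructed from the snippets on this page; the server namespace version urn:jboss:domain:5.0 is an assumption.

```python
# Added example (not from the Red Hat article): lint a standalone.xml for the mismatch the
# article describes. A remoting <connector> bound to a realm that carries an <ssl> server-identity
# speaks TLS unless the connector itself sets SSL_ENABLED=false.
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]          # strip ElementTree's {namespace} prefix

def realms_with_ssl_identity(root):
    """Names of <security-realm> elements that contain an <ssl> server-identity."""
    return {r.get("name") for r in root.iter()
            if local(r.tag) == "security-realm" and any(local(e.tag) == "ssl" for e in r.iter())}

def ssl_enabled_property(connector):
    for p in connector.iter():             # value of the SSL_ENABLED <property>, or None if unset
        if local(p.tag) == "property" and p.get("name") == "SSL_ENABLED":
            return p.get("value")
    return None

def audit_remoting_connectors(xml_text):
    """Map each remoting <connector> name to a verdict about whether it will negotiate TLS."""
    root = ET.fromstring(xml_text)
    ssl_realms = realms_with_ssl_identity(root)
    verdicts = {}
    for c in root.iter():
        if local(c.tag) != "connector" or not c.tag.startswith("{urn:jboss:domain:remoting:"):
            continue                       # skips <endpoint/>, <http-connector/>, other subsystems
        realm, flag = c.get("security-realm"), ssl_enabled_property(c)
        if realm in ssl_realms and flag != "false":
            verdicts[c.get("name")] = "tls-by-default"   # the article's failing configuration
        elif realm in ssl_realms:
            verdicts[c.get("name")] = "tls-disabled"     # Option 1 applied
        else:
            verdicts[c.get("name")] = "plain-realm"      # Option 2 or 3 applied
    return verdicts

# Constructed sample: the article's remoting subsystem plus an ApplicationRealm with an <ssl>
# identity and a RemotingRealm without one. The server namespace version is an assumption.
SAMPLE = """<server xmlns="urn:jboss:domain:5.0"><management><security-realms>
 <security-realm name="ApplicationRealm"><server-identities><ssl>
  <keystore path="application.keystore"/></ssl></server-identities></security-realm>
 <security-realm name="RemotingRealm"><authentication/></security-realm>
</security-realms></management><profile>
 <subsystem xmlns="urn:jboss:domain:remoting:4.0"><endpoint/>
  <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
  <connector name="fixed-connector" socket-binding="remoting" security-realm="ApplicationRealm">
   <properties><property name="SSL_ENABLED" value="false"/></properties></connector>
  <connector name="realm-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
  <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
 </subsystem></profile></server>"""
```

Running audit_remoting_connectors on a real standalone.xml flags the page's setup as "tls-by-default" for remoting-connector, which is exactly the case in which a client with SSL_ENABLED=false sees the SunCertPathBuilderException above.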

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.