Tuesday, July 27, 2021

PKIX path building failed - unable to find valid certification path to requested target

This article presents the steps to import the required certificates so that a Java application (hosted on-premises or in Azure) can connect to Azure SQL Database. If the certificates are missing from the client machine when connecting with Azure AD authentication, an error similar to the following appears in the application logs:


"SQLServerException: Failed to authenticate the user in Active Directory (Authentication=ActiveDirectoryPassword).
Caused by: ExecutionException: mssql_shaded.com.microsoft.aad.adal4j.AuthenticationException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: AuthenticationException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. "


This is an issue in the Java certificate store. As a quick workaround, setting TrustServerCertificate=True in the connection string would make the JDBC connection succeed, because the driver then skips validation of the server's certificate chain; that is not a recommended approach. To address the issue properly, change the connection string and import the certificates as shown below.


  • Change the connection string to point to the Java truststore (the cacerts file under lib\security of your JDK)

    // Backslashes must be doubled inside a Java string literal; no space after "trustStore="
    String connectionUrl = "jdbc:sqlserver://localhost:1433;" +
        "databaseName=AdventureWorks;integratedSecurity=true;" +
        "encrypt=true;trustServerCertificate=false;" +
        "trustStore=C:\\Program Files\\Java\\jdk-14.0.2\\lib\\security\\cacerts;trustStorePassword=changeit";

  • Import all the certificates mentioned in this document.

    Note: To import the certificates above into the cacerts keystore, use the command shown below. The truststore and its password must be specified in the connection string, otherwise the connection will not succeed.

Steps to import missing certificates in Java Certificate Store


Download all the certificates referenced here, store them in a location on the client host, and then use the keytool utility to import them into the truststore. Follow these steps:


  • Save all the certificates from the Microsoft document referenced above.
  • The keytool utility is in the bin folder of your default Java location (C:\Program Files\Java\jdk-14.0.2\bin). Open a command prompt and navigate to that folder.
  • Use the keytool command to import each certificate saved previously.
  • When prompted for the keystore password, enter the default cacerts password "changeit".


Example commands:


keytool -importcert -trustcacerts -alias TLS1 -file "C:\Users\Documents\Microsoft RSA TLS CA 01.crt" -keystore "C:\Program Files\Java\jdk-14.0.2\lib\security\cacerts"

keytool -importcert -trustcacerts -alias TLS2 -file "C:\Users\Documents\Microsoft RSA TLS CA 02.crt" -keystore "C:\Program Files\Java\jdk-14.0.2\lib\security\cacerts"


Each successful import ends with keytool reporting:

Certificate was added to keystore.
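Before pointing the application at the truststore, it is worth confirming that the CA certificates actually landed in the same cacerts file the running JVM uses, since a second JDK or JRE on the host is a common reason the PKIX error persists after the import. The following utility is an added example written for this article, not code from the original post or from Microsoft; it assumes the JDK only (no JDBC driver on the classpath), a hypothetical command-line shape of `<truststore-password> <cert.crt>...`, and that the certificate files are DER or PEM encoded X.509 as downloaded. It matches on the certificate's encoded form rather than on the alias, so it works whatever alias was chosen at import time, and it builds the connection URL from a Path so the Windows backslashes cannot be mis-escaped.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Verifies that the CA certificates a JDBC client relies on are present in the JVM's own
 * truststore, and builds a connection string that keeps server certificate validation enabled.
 * Added example for this article; assumes only the JDK standard library.
 */
public class TrustStoreCheck {

    /** cacerts of the JVM that is actually running: <java.home>/lib/security/cacerts. */
    static Path defaultCacerts() {
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    /** Load the truststore; the File overload auto-detects JKS vs PKCS12 (Java 9+). */
    static KeyStore loadTrustStore(Path store, char[] password) throws Exception {
        return KeyStore.getInstance(store.toFile(), password);
    }

    /** Parse a DER or PEM encoded .crt file into an X509Certificate. */
    static X509Certificate readCert(Path certFile) throws Exception {
        try (InputStream in = Files.newInputStream(certFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Colon-separated SHA-256 fingerprint, for comparison against the value published by the CA owner. */
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /**
     * Return the certificate files that are NOT in the truststore. Matching is on the DER
     * encoding (KeyStore.getCertificateAlias), so the alias used at import time is irrelevant.
     */
    static List<Path> missingFrom(KeyStore ks, List<Path> certFiles) throws Exception {
        List<Path> missing = new ArrayList<>();
        for (Path f : certFiles) {
            X509Certificate wanted = readCert(f);
            String alias = ks.getCertificateAlias(wanted); // null when no entry holds this exact certificate
            if (alias == null) {
                missing.add(f);
            } else {
                System.out.printf("present as alias '%s': %s%n  SHA-256 %s%n",
                        alias, wanted.getSubjectX500Principal(), sha256Fingerprint(wanted));
            }
        }
        return missing;
    }

    /** Connection URL with encryption on and trustServerCertificate left at false (validation enabled). */
    static String buildUrl(String host, int port, String database, Path trustStore, String password) {
        return "jdbc:sqlserver://" + host + ":" + port
            + ";databaseName=" + database
            + ";encrypt=true;trustServerCertificate=false" // do not flip this to make the PKIX error go away
            + ";trustStore=" + trustStore                   // Path.toString() yields correct backslashes on Windows
            + ";trustStorePassword=" + password;
    }

    public static void main(String[] args) throws Exception {
        // Assumed CLI shape: TrustStoreCheck <truststore-password> <cert.crt> [<cert.crt> ...]
        char[] password = args[0].toCharArray();
        List<Path> certs = new ArrayList<>();
        for (int i = 1; i < args.length; i++) certs.add(Paths.get(args[i]));

        Path store = defaultCacerts();
        KeyStore ks = loadTrustStore(store, password);
        List<Path> missing = missingFrom(ks, certs);

        if (!missing.isEmpty()) {
            System.err.println("not in " + store + ": " + missing + " -> import with keytool before connecting");
            System.exit(1);
        }
        // Password masked in the printed URL; pass the real one when handing the URL to DriverManager.
        System.out.println(buildUrl("localhost", 1433, "AdventureWorks", store, "***"));
    }
}
```

Run it with the same JDK the application uses (for example with `"C:\Program Files\Java\jdk-14.0.2\bin\java" TrustStoreCheck changeit "Microsoft RSA TLS CA 01.crt" "Microsoft RSA TLS CA 02.crt"`); an exit code of 1 means the import went into a different cacerts file than the one this JVM reads, which is exactly the situation the PKIX error describes.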

Posted at https://sl.advdat.com/2WsdV92