SSLHandshake Exceptions When Connecting to ThingWorx Platform
Handshake Exception: Unable to find valid certification path to requested target
You are testing the Connector using a self-signed certificate. The Connector fails to connect to the ThingWorx Platform, and the Connector log shows the following messages:
2020-08-15T15:30:20.740 [NettyClient-NIO-7] WARN c.t.s.i.t.netty.NettyChannelHandler - [ClientHandler: d86fd220] SSLHandshake Exception, websocket not created:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:327)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:270)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:265)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:646)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:465)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:451)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:987)
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:974)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:921)
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1510)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1524)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1408)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:275)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:140)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:624)
SOLUTION
The certificate that you are using has not been added to the trust store. If you are using a self-signed certificate (for development purposes only, NEVER in production), you need to import the self-signed certificate into the $JAVA_HOME/jre/lib/security/cacerts trust store.
Handshake Exception: No name matching <host_address>
You are testing the Connector configuration with the ThingWorx Platform, using a self-signed certificate and you have added it to the trust store. The Connector fails to connect to the ThingWorx Platform, and the Connector log shows a message similar to the following:
javax.net.ssl.SSLHandshakeException: No name matching pp-2008060535yw.portal.ptc.io found
SOLUTION
This message means that the name you are connecting to the platform with, pp-2008060535yw.portal.ptc.io, does not match the certificate's Subject CN or Subject Alternative Name DNS entries. The best and most secure solution is to make the platform's host name match the certificate details.
If you cannot do that, you can disable host name verification. However, this solution is considered insecure and against security best practices. To disable host name verification, set cx-server.transport.websockets.connections.verifyHostName = false in the configuration file for your Connector.
Handshake Exception: Websocket Not Connected and General SSL Engine Problem
You are testing the configuration with self-signed certificates, or terminating TLS before the ThingWorx Platform. You need to ensure the eMessage Connector can accept those certificates. The Connector fails to connect to the ThingWorx Platform, and the Connector logs show messages similar to the following:

18:35:47.539 [NettyClient-NIO-4] WARN c.t.s.i.t.netty.NettyChannelHandler -
[ClientHandler: 374e82b8] SSLHandshake Exception, websocket not created:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
...
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
...
SOLUTION
Make sure you are using valid certificates. If you want to use self-signed certificates on the ThingWorx Platform for testing, make sure they are added to the Java trust store ($JAVA_HOME/jre/lib/security/cacerts) on the eMessage Connector.
If TLS is terminated before the Connector-to-ThingWorx network (not a recommended configuration), make sure to connect from the Connector to the ThingWorx Platform over a non-TLS connection. To set up the non-TLS connection between the Connector and the Platform:
If you are using the eMessage Connector in a ThingWorx High Availability (HA) environment, you should have configured the Connector to use discovery to locate the ThingWorx Platform instances by setting transport.websockets.service-discovery.enabled to true. To use a non-TLS connection between the Connector and the platform, make sure that you have also set the following:

transport.websockets.service-discovery.tls-enabled = false
transport.websockets.service-discovery.service-name = "thingworx-http"
If you are using the ThingWorx Platform in single-server mode, make sure that you configure the Connector as follows for a non-TLS connection:
a. The URI of the ThingWorx Platform to which the Connector will connect must use ws instead of wss. The property is in the group, cx-server.transport.websockets, with the application key property. For example:

cx-server {
  transport.websockets {
    app-key = "<your_app_key>"
    platforms = "ws://twxplatform:8080/ThingWorx/WS"
  }
}
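The settings above that relax TLS (verifyHostName = false, service-discovery.tls-enabled = false, and a ws:// platform URI) are easy to leave behind after testing. The following audit script is an added example, not PTC code: it flattens a Connector configuration file and reports those three settings. It parses only a line-oriented subset of HOCON, the sample configuration is constructed, and nesting the service-discovery key under cx-server is an assumption.

```python
import re

# Settings this page calls insecure or not recommended; matched as key suffixes.
RISKY = [
    ("transport.websockets.connections.verifyHostName", lambda v: v == "false", "host name verification is disabled"),
    ("transport.websockets.service-discovery.tls-enabled", lambda v: v == "false", "discovered platform connections are non-TLS"),
    ("transport.websockets.platforms", lambda v: v.startswith("ws://"), "platform URI uses ws:// instead of wss://"),
]

def flatten(text):
    """Flatten a line-oriented subset of HOCON into {dotted_key: value}."""
    path, out = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue                                  # blank or whole-line comment
        if line == "}":
            del path[-1:]                             # leave the current block
        elif m := re.fullmatch(r"([\w.\-]+)\s*[=:]?\s*\{", line):
            path.append(m.group(1))                   # enter "name {"
        elif m := re.fullmatch(r"([\w.\-]+)\s*[=:]\s*(.+?),?", line):
            out[".".join(path + [m.group(1)])] = m.group(2).strip().strip('"')
    return out

def audit(text):
    """Return sorted (key, value, reason) tuples for risky settings found."""
    findings = []
    for key, value in flatten(text).items():
        for suffix, is_risky, reason in RISKY:
            if (key == suffix or key.endswith("." + suffix)) and is_risky(value.lower()):
                findings.append((key, value, reason))
    return sorted(findings)

# Constructed sample: mixes the single-server and HA settings for illustration.
SAMPLE = """
cx-server {
  transport.websockets {
    app-key = "<your_app_key>"
    platforms = "ws://twxplatform:8080/ThingWorx/WS"
    connections.verifyHostName = false
    service-discovery.tls-enabled = false
  }
}
"""
for finding in audit(SAMPLE):
    print(*finding, sep=" | ")
```

Run it against each Connector configuration before promoting it out of a test environment; an empty result means none of the three relaxations is present.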