PKIX path building failed - unable to find valid certification path to requested target

Published Jul 27 2021 07:33 AM 7,132 Views
Microsoft

This article presents the steps to import the required certificates so that a Java application can connect to Azure SQL DB/Managed Instance. If the required certificates are missing on the client machine when connecting via AAD authentication, an error similar to the following appears in the application logs:

 

"SQLServerException: Failed to authenticate the user in Active Directory (Authentication=ActiveDirectoryPassword).
Caused by: ExecutionException: mssql_shaded.com.microsoft.aad.adal4j.AuthenticationException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: AuthenticationException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. "

 

This is an issue in the Java certificate store. As a quick workaround, if you set TrustServerCertificate=True in the connection string, the connection from JDBC succeeds. When TrustServerCertificate is set to true, the transport layer uses SSL to encrypt the channel but skips walking the certificate chain to validate trust, so the client accepts whatever certificate the server end presents. If TrustServerCertificate is set to true and encryption is turned on, the encryption level specified on the server is used even if Encrypt is set to false. The connection will fail otherwise. However, for security reasons, bypassing certificate validation is not recommended. To address the issue properly, follow the steps below to change the connection string and import the required certificates.

 

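  • Change the connection string to point to the Java certificate path

    // Backslashes are escaped for the Java string literal; trustStore points at the
    // same cacerts file that the keytool commands below import into.
    String connectionUrl = "jdbc:sqlserver://localhost:1433;" +
        "databaseName=AdventureWorks;integratedSecurity=true;" +
        "encrypt=true;trustServerCertificate=false;" +
        "trustStore=C:\\Program Files\\Java\\jdk-14.0.2\\lib\\security\\cacerts;trustStorePassword=changeit";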

  • Import all the certificates mentioned in this document: https://www.microsoft.com/pki/mscorp/cps/default.htm

    Note: To import the above certificates into the cacerts keystore, use the commands below. You must also specify the truststore and truststore password in the connection string to connect successfully.

Steps to import missing certificates in Java Certificate Store

 

Download all the certificates from https://www.microsoft.com/pki/mscorp/cps/default.htm, store them in a location on the client host, and then use the keytool utility to import them into the truststore. Follow these steps:

 

  • Save all the certificates from the above MS doc.
  • The keytool utility is in the bin folder of your default Java location (C:\Program Files\Java\jdk-14.0.2\bin). Use a command prompt to navigate to that location.
  • Then use the keytool command to import the certificates previously saved.
  • When prompted for the password, enter “changeit”.

 

Example of commands:

 

keytool -importcert -trustcacerts -alias TLS1 -file "C:\Users\Documents\Microsoft RSA TLS CA 01.crt" -keystore "C:\Program Files\Java\jdk-14.0.2\lib\security\cacerts"

keytool -importcert -trustcacerts -alias TLS2 -file "C:\Users\Documents\Microsoft RSA TLS CA 02.crt" -keystore "C:\Program Files\Java\jdk-14.0.2\lib\security\cacerts"

 

Certificate was added to keystore.
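
A check to run after the import, as an added example that is not part of the original article: it opens the truststore the connection string points to, confirms the two aliases from the commands above are trusted certificate entries, and prints each certificate's subject, SHA-256 fingerprint, expiry and CA flag. The class name TrustStoreCheck is hypothetical; the default path, password and aliases are the article's values.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

public class TrustStoreCheck {
    // SHA-256 fingerprint of the DER encoding, as upper-case hex.
    static String sha256(Certificate cert) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the article's values; override with: <truststore> <password>
        String path = args.length > 0 ? args[0]
                : "C:\\Program Files\\Java\\jdk-14.0.2\\lib\\security\\cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String[] aliases = {"TLS1", "TLS2"};   // aliases used in the keytool commands

        // KeyStore.getInstance(File, char[]) (Java 9+) detects the store format.
        KeyStore ks = KeyStore.getInstance(new File(path), password);
        boolean ok = true;
        for (String alias : aliases) {
            if (!ks.isCertificateEntry(alias)) {
                System.out.println(alias + ": MISSING from " + path);
                ok = false;
                continue;
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            boolean isCa = cert.getBasicConstraints() >= 0;   // -1 means not a CA
            boolean expired = cert.getNotAfter().before(new Date());
            System.out.println(alias + ": " + cert.getSubjectX500Principal().getName());
            System.out.println("  SHA-256:   " + sha256(cert));
            System.out.println("  notAfter:  " + cert.getNotAfter()
                    + (expired ? "  EXPIRED" : ""));
            System.out.println("  CA cert:   " + isCa);
            if (!isCa || expired) ok = false;
        }
        // Non-zero exit lets a deployment script stop before the JDBC connection is tried.
        System.exit(ok ? 0 : 1);
    }
}
```

Compare the printed fingerprints with values obtained from the certificate publisher before relying on the entries, since anything placed in cacerts is trusted by every Java application that uses that store.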

Last update:
‎Aug 04 2021 12:13 AM