If you're seeing errors in the weave.log file like:
PKIX exception output
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
it's likely caused by Weave trying to communicate with an external service that uses a certificate that Weave doesn't know about, for example if the service uses a self-signed certificate.
This could happen if you're connecting to an ArcGIS server that you're hosting within your own organisation where it's been installed and set up using its own certificate (which is the default when ArcGIS Server is installed).
To resolve this problem the Weave certificate store needs to be updated to include information about the certificate that the server is presenting. This can be done manually using the openssl tool, but it can also be done using a graphical tool, Portecle, which is described below. Alternatively, Weave can be configured to ignore the certificates and just accept them as valid.
To have Weave ignore the certificates you have to set a system property called weave.ignoretls. This property should be set to a comma-separated list of host names that should have their certificates automatically accepted; to accept a group of hosts you can use an * in the name.
Setting the property to ignore a group of internal servers and one external server
-Dweave.ignoretls=*.internal.mycompany.com,maps.theircompany.com
SQL Server
If you are seeing PKIX errors relating to connecting to SQL Server databases, add trustServerCertificate=true to the connection URL for the data sources pointing to SQL Server, e.g.
<url>jdbc:sqlserver://prodsql02:1433;DatabaseName=prod;trustServerCertificate=true</url>
Step-by-step guide
1. Download and install the Portecle application onto the server that runs Weave. For this example we'll download the portecle.zip file and assume it's been unzipped into the c:\temp directory (the current version of Portecle at the time of writing is 1.11, which is included in the paths within the .zip file).
2. Start the Portecle application in the same way you'd start a Weave updater. You may be able to double click on the portecle.jar file, but if that doesn't work you'll need to open a command prompt and start it manually, e.g. assuming Weave is installed at c:\weave\ and Portecle has been extracted to c:\temp\portecle-1.11\ you can open cmd.exe and run java.exe with the -jar option and the path to the portecle.jar file:
   C:\Users\sforbes> c:\weave\jre\bin\java.exe -jar c:\temp\portecle-1.11\portecle.jar
3. Select the Examine menu and then click Examine SSL/TLS Connection.
4. Enter the SSL Host and Port of the target system. In this example we're looking at google.com but it'll likely be the name of your ArcGIS Server host; the weave.log file should provide the information just before the PKIX exception (note that if the information in the log does not report a port number then it is probably 443).
5. Wait for it to load, then select the public certificate and click on PEM (you will likely only have a single certificate to choose from, but this screen shot shows two available).
6. Export the certificate and save it to a file.
7. Go back to the main screen and select the Open an existing keystore from disk option, and select the cacerts file from the Weave Java runtime (the default password is changeit), for example C:\weave\jre\lib\security\cacerts.
8. Select the Import a trusted certificate into the loaded keystore button.
9. Select the certificate that was saved in Step 6 and confirm that you trust it, giving it an appropriate alias and verifying that it should be added.
10. Save the Key Store to disk.
11. Restart Weave and verify that the external service can now be connected to.
If your Weave server is running on a server where you cannot run a graphical application then you can copy the cacerts file to another PC, follow these instructions, then copy the file back to the Weave server.
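The same import can be done from the command line with openssl and keytool, which suits servers where Portecle cannot be run. This is an added example, not part of the original article: it assumes openssl.exe is on the PATH and keytool.exe is in the Weave JRE's bin directory, and the host name, alias, PEM path and expected fingerprint are placeholders to replace with your own values.

```powershell
# Added example, not from the original article. Assumptions: openssl.exe is on
# the PATH and keytool.exe ships in the Weave JRE's bin directory.
$TargetHost = 'arcgis.internal.mycompany.com'   # constructed host name
$Port       = 443
$Alias      = 'arcgis-internal'                 # hypothetical keystore alias
$JreHome    = 'C:\weave\jre'
$CaCerts    = Join-Path $JreHome 'lib\security\cacerts'
$Keytool    = Join-Path $JreHome 'bin\keytool.exe'
$PemFile    = 'C:\temp\server.pem'
# Placeholder: SHA-256 fingerprint supplied by the server's administrator.
$Expected   = '<SHA256-FINGERPRINT-FROM-SERVER-ADMIN>'

# Fetch the certificate the server presents. s_client prints the server's own
# certificate first, and x509 re-encodes that first PEM block into $PemFile.
'Q' | openssl s_client -connect "${TargetHost}:$Port" -servername $TargetHost |
    openssl x509 -outform PEM -out $PemFile
if ($LASTEXITCODE -ne 0) { throw "Could not retrieve a certificate from $TargetHost" }

# Show who the certificate claims to be and when it expires.
openssl x509 -in $PemFile -noout -subject -issuer -dates

# Compare the SHA-256 fingerprint with the expected value before trusting it.
# Output looks like "sha256 Fingerprint=AB:CD:..."; keep only the hex digits.
$Actual = (openssl x509 -in $PemFile -noout -fingerprint -sha256) -replace '^.*=', ''
if (($Actual -replace ':', '') -ne ($Expected -replace ':', '')) {
    throw "Fingerprint mismatch for ${TargetHost}: got $Actual"
}

# Back up the trust store, then import the verified certificate.
Copy-Item $CaCerts "$CaCerts.bak"
& $Keytool -importcert -noprompt -alias $Alias -file $PemFile `
    -keystore $CaCerts -storepass changeit
if ($LASTEXITCODE -ne 0) { throw 'keytool import failed' }

# Confirm the entry is present; restart Weave afterwards as in the last step.
& $Keytool -list -alias $Alias -keystore $CaCerts -storepass changeit
```

The fingerprint comparison is the command-line counterpart of confirming that you trust the certificate in Portecle: the import only proceeds when the certificate fetched over the network matches the value obtained from the server's administrator.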