Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 17 Next »

If you're seeing errors in the weave.log file like:

PKIX exception output
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

it's likely cause by Weave trying to communicate with an external service that uses a certificate that Weave doesn't know about, for example if the service uses a self-signed certificate.

This could happen if you're connecting to an ArcGIS server that you're hosting within your own organisation where it's been installed and setup using its own certificate (which is the default when ArcGIS Server is installed).

To resolve this problem the Weave certificate store needs to be updated to include information about the certificate that the server is presenting. This can be done manually using the openssl tool but it can also be done using a graphical tool Portecle, which is described below, alternatively Weave can be configured to ignore the certificates and just accept them as valid.

To have Weave ignore the certificates you have to set a system property called weave.ignoretls, this property should be set to a comma separated list of host name that should have their certificates automatically accepted, to accept a group of hosts you can use an * in the name.

Setting the property to ignore a group of internal servers and one external server
-Dweave.ignoretls=*.internal.mycompany.com,maps.theircompany.com

SQL Server

If you are seeing PKIX errors relating to connecting to SQL Server databases add trustServerCertificate=true to the connection URL for the data sources pointing to SQL Server, e.g. 

<url>jdbc:sqlserver://prodsql02:1433;DatabaseName=prod;trustServerCertificate=true</url>

Step-by-step guide

  1. Download and install the Portecle application onto the server that runs Weave. For this example we'll download the portecle.zip file and assume it's been unzipped into the c:\temp directory (the current version of Portecle at the time of writing is 1.11, which is included in the paths within the .zip file).

  2. Start the Portecle application in the same way you'd start a Weave updater. You may be able to double click on the portecle.jar file but if that doesn't work you'll need open a command prompt and start it manually, e.g. assuming Weave is installed at c:\weave\ and Portecle has been extracted to c:\temp\portecle-1.11\ you can open cmd.exe and run java.exe with the -jar option and the path to the portecle.jar file

    C:\Users\sforbes> c:\weave\jre\bin\java.exe -jar c:\temp\portecle-1.11\portecle.jar



  3. Select the Examine menu and then click Examine SSL/TLS Connection:




  4. Enter the SSL Host and Port of the target system. In this example we're looking at google.com but it'll likely be the name of your ArcGIS Server host, the weave.log file should provide the information just before the PKIX exception (note that if the information in the log does not report a port number then it's is probably 443):




  5. Wait for it to load, then select the public certificate and click on PEM (you will likely only have a single certificate to choose from, but this screen shot shows two available):




  6. Export the certificate and save it to a file.

  7. Go back to the main screen and select the Open an existing keystore from disk option, and select the cacerts file from the Weave Java runtime (the default password is changeit), for example C:\weave\jre\lib\security\cacerts:




  8. Select the Import a trusted certificate into the loaded keystore button:


  9. Select the certificate that was saved in Step 6 and confirm that you trust it, giving it an appropriate alias and verifying that it should be added:


  10. Save the Key Store to disk:


  11. Restart Weave and verify that the external service can now be connected to.


If your Weave server is running on a server where you cannot run a graphical application then you can copy the cacerts file to another PC, follow these instructions, then copy the file back to the Weave server. 

Connecting to SSL services

Unable to Connect to SSL Services due to PKIX Path Building Failed



  • No labels