RH-SSO SSL error with connections with external identity provider

Solution Unverified - Updated -

Issue

  • Server.log exception connecting external identity provider

    ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-27) Failed to make identity provider oauth callback: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
            at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
            at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
            at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
            at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
            at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
            at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
            at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
            at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
            at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
            at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
            at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
            at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
            at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
            at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
            at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
            at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
            at org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:185)
            at org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:154)
            at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:146)
            at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:397)
    

Environment

  • Red Hat Single Sign-On (RH-SSO) 7
  • External/Brokering Identity Provider using SSL

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In