How to Resolve the ‘Unable to Find Valid Certification Path’ Java Error

How to fix the error message ‘EXCEPTION SunCertPathBuilderException : unable to find valid certification path to requested target’ when running Storage All-in-One ETL, Storage Analyzer KM, and potentially other Sentry KMs.

Problem

When monitoring a storage system with the Storage Analyzer KM or Storage All-in-One ETL, you might encounter the following error message:

ERROR: 2025/05/12 10:01:56 BRT ; Thread 30 ; SKM@192.168.10.36 ; com.sentrysoftware.silicium.core.engine.Engine ; $Revision $ ; performJob
     | ExecutionException detected during job operation DISCOVERY. Environment: 192.168.10.36
     | EXCEPTION SunCertPathBuilderException : unable to find valid certification path to requested target
     |        sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
     |        sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
     |        java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
     |        sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
     |        sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
     |        sun.security.validator.Validator.validate(Validator.java:271)
     |        sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
     |        sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
     |        sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
     |        sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
     |        sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
     |        sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
     |        sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
     |        sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
     |        sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
     |        sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
     |        sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
     |        sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1401)
     |        sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
     |        sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
     |        sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
     |        sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
     |        sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
     |        com.sentrysoftware.silicium.protocolclients.http.impl.HTTPRequester.connectHttps(HTTPRequester.java:204)
     |        com.sentrysoftware.silicium.protocolclients.http.impl.HTTPRequester.processHttps(HTTPRequester.java:172)
     |        com.sentrysoftware.silicium.protocolclients.http.impl.HTTPRequester.runHTTP(HTTPRequester.java:158)
     |        com.sentrysoftware.silicium.protocolclients.http.impl.HTTPClientImpl.request(HTTPClientImpl.java:102)
     |        com.sentrysoftware.silicium.protocolclients.http.impl.HTTPClientImpl.request(HTTPClientImpl.java:27)
     |        com.sentrysoftware.silicium.protocolclients.client.concurrent.RequestTask.run(RequestTask.java:93)
     |        java.lang.Thread.run(Thread.java:750)

This is a common Java SSL/TLS issue, occurring when the JVM cannot validate the SSL certificate of the remote server or storage system because the Certificate Authority (CA) in the certificate chain is not recognized.

Solution

To solve this issue, retrieve the storage system’s certificate and import it into the JVM Truststore as outlined below.

Step 1: Retrieve the SSL certificate

Use a Web browser or the openssl command-line tool to fetch the SSL certificate from the target server or storage system. For example, run the following command to display the certificate chain:

        openssl s_client -connect <host>:<port> -showcerts

where:

  • <host> is the hostname of the server or storage system
  • <port> is the port of the server or storage system

Example:

        openssl s_client -connect emc-unity:443 -showcerts

Expected Output:

    CONNECTED(00000004)
    Can't use SSL_get_servername
    depth=0 CN = *.lab.sentrysoftware.net
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = *.lab.sentrysoftware.net
    verify error:num=21:unable to verify the first certificate
    verify return:1
    depth=0 CN = *.lab.sentrysoftware.net
    verify error:num=10:certificate has expired
    notAfter=Jun 18 23:59:59 2022 GMT
    verify return:1
    depth=0 CN = *.lab.sentrysoftware.net
    notAfter=Jun 18 23:59:59 2022 GMT
    verify return:1
    ---
    Certificate chain
    0 s:CN = *.sentrysoftware.net
    i:C = FR, ST = Paris, L = Paris, O = Gandi, CN = Gandi Standard SSL CA 2

Sample certificate:

    -----BEGIN CERTIFICATE-----

    ...

    -----END CERTIFICATE-----

Save the certificate in PEM format (e.g., C:\temp\emc-unity.pem).

Step 2: Import the certificate into the Java Truststore

Use the keytool utility to import the certificate into the Java truststore:

    keytool -importcert -alias customCert -keystore $JAVA_HOME/lib/security/cacerts -file yourcert.pem

Notes:

  • For BHCO/TSCO, the Java truststore should be located in $BCO_HOME/<jdk_version>/lib/security/cacerts (e.g., /opt/bmc/BCO/jdk-11.0.18+10/lib/security/cacerts)
  • The default password is changeit

Example:

    keytool -import -trustcacerts -alias emc-unity -file C:\temp\emc-unity.pem -keystore "C:\BMCSoftware\Patrol3\SEN_jre\lib\security\cacerts" -storepass changeit

Expected Output:

    Owner: CN=*.lab.sentrysoftware.net
    Issuer: CN=Gandi Standard SSL CA 2, O=Gandi, L=Paris, ST=Paris, C=FR
    Serial number: b3c8b4d53e1f2c2b6275da0dc5213f12
    Valid from: Fri May 21 02:00:00 CEST 2021 until: Sun Jun 19 01:59:59 CEST 2022
    Certificate fingerprints:
             SHA1: 2E:73:D6:E3:81:5F:3F:02:FF:62:FC:75:F9:02:8D:D4:0B:95:FB:64
             SHA256: 49:63:86:46:8F:55:51:0D:6B:C9:96:48:85:D5:8E:10:D6:AD:1D:05:B1:75:E4:04:94:D7:32:7F:2D:18:82:A9
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
    0000: 04 82 03 6D 03 6A 01 73   00 45 A6 55 EB 75 FA 91  ...l.j.w.F.U.u..

When prompted, respond yes to add it to the keystore:

    Trust this certificate? [no]:  yes
    Certificate was added to keystore

Step 3: Restart the Java-Based Service

Restart the PATROL Agent or Scheduler (or the relevant Java-based application) to apply changes.
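
The script below is an added example, not part of the original article or of Sentry Software's tooling. It covers the gap between Steps 1 and 2: it pulls individual PEM blocks out of openssl s_client -showcerts output and prints the SHA-256 fingerprint in the colon-separated form keytool displays, so the value can be compared with one obtained from the storage system's administrator before answering yes. The function names, the sample output and the file name leaf.pem are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: helper functions for Steps 1 and 2 (names are hypothetical).

# extract_cert N: read s_client output on stdin and print the Nth PEM block
# (1 = the server's own certificate, 2 and up = the issuers it sent).
extract_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && n == want           { sub(/^[ \t]+/, ""); print }
        /-----END CERTIFICATE-----/   { inside = 0 }
    '
}

# count_certs: number of certificates the server presented.
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# sha256_fingerprint FILE: colon-separated SHA-256 fingerprint of a PEM
# certificate, for comparison with the SHA256 line keytool prints.
sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Constructed stand-in for s_client output; the bodies are placeholders,
# not real certificates.
sample_output() {
    cat <<'EOF'
CONNECTED(00000004)
---
Certificate chain
 0 s:CN = leaf.example
-----BEGIN CERTIFICATE-----
AAAAleafAAAA
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
BBBBissuerBBBB
-----END CERTIFICATE-----
---
EOF
}

# Live use (leaf.pem is an assumed file name):
#   openssl s_client -connect <host>:<port> -showcerts </dev/null | extract_cert 1 > leaf.pem
#   sha256_fingerprint leaf.pem
```

If count_certs reports more than one certificate, block 1 is the server's own certificate and the later blocks are the issuer certificates the server sent.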