topic Re: Java Cert error due to decryption? in General Topics

Java Cert error due to decryption?

Gareth.Doyle — Wed, 16 Jun 2021 13:21:39 GMT

My organization is in the process of moving from one VPN solution to GlobalProtect. We are seeing several applications being unable to run certain features, or run successfully at all, and the error logs appear similar to this (I say similar because this specific message is from one application, others may vary, but all are similar):

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

A second one:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Our workstation team has tried implementing our organization's root and intermediary certificates into a specific Java cert store according to some information they found online, but the error persists. The only change was moving to GlobalProtect. I have found that bypassing our decryption policies on the Palo Alto fixes this issue, but bypassing decryption for things that often reach out to cloud resources (thereby bypassing decryption to huge chunks of the internet) is not fully acceptable.

Has anyone experienced anything like this and/or have any suggestions?

Thanks!

Re: Java Cert error due to decryption?

OtakarKlier — Wed, 16 Jun 2021 18:49:02 GMT

Hello,

While I would love to tell you to decrypt everything, somethings just break when you due. I would suggest not decrypting that traffic.

Regards,

Re: Java Cert error due to decryption?

Gareth.Doyle — Wed, 16 Jun 2021 19:09:03 GMT

Yeah, but then I have to bypass decryption on AWS, Azure, and GCP IP blocks... That seems entirely unreasonable.

Re: Java Cert error due to decryption?

OtakarKlier — Wed, 16 Jun 2021 19:15:27 GMT

Hello,

Yes I agree. However you can use one or more of the other options to get a bit more granular/generic.

Regards,

Re: Java Cert error due to decryption?

BPry — Fri, 18 Jun 2021 03:39:13 GMT

@Gareth.Doyle,

That's where the URL category would be recommended when creating your exception. So instead of excluding AWS/Azure/GCP, you would focus more on what resources are actually causing the issue and where the Java application is trying to fetch them from. Then just build out an exception for those URLs.

Re: Java Cert error due to decryption?

Remo — Sat, 19 Jun 2021 19:55:41 GMT

Hi @Gareth.Doyle

How does you trust path to the root ca look?

Is it root > intermediate > decryption ca? Did you also try to import the decryption ca into the java trust store? And this question might be obvious, but did you make sure to import the CA certs as trusted issuer/CA certs?