Fix PKIX and SSL configuration issues in AEM Forms

AEM Forms fails to communicate over SSL due to missing certificates, incorrect keystore configuration, or misconfigured SSL ports. Fix the issue by validating certificate chains, updating the JVM truststore, and correcting SSL configuration in JBoss or WebSphere.

Description description

Environment

  • AEM Forms (JEE and OSGi)
  • JBoss
  • WebSphere
  • Adobe Managed Services (AMS)
  • on‑prem environments

Issue/Symptoms

  • javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • java.sql.SQLRecoverableException: IO Error PKIX path building failed.
  • JBoss EJB invocation failing with SSL disabled or incomplete configuration: remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
  • AEM startup failures where SSL configuration wizard requests keystore name/password and cannot proceed.

Resolution resolution

To resolve this issue, follow these steps:

  1. Review logs such as standalone/log/server.logor SystemOut.log to identify SSL error signatures like PKIX failures, SSLHandshakeException, or missing keystore password.

  2. Confirm the error references certificate trust or keystore loading issues.

  3. Extract the server certificate and its full chain, including server, intermediate, and root CA certificates, and ensure the certificate matches the hostname observed in logs.

  4. Import missing certificates into the JVM truststore at JAVA_HOME/lib/security/cacerts using keytool and verify installation by listing the alias. Ensure the correct keystore path and password are used.

    keytool -importcert -alias <alias> -file <certfile.pem> -keystore <JAVA_HOME>/lib/security/cacerts

  5. Restart JBoss or WebSphere to reload the truststore and verify that SSL errors no longer appear during startup.

  6. Re-run the failing operation such as database connection or HTTPS call.

  7. If the SSL configuration wizard requests keystore inputs and the password is unknown, create a new keystore by providing a new file name, keystore password, and key password.

  8. Verify the keystore file exists in the configuration directory.

  9. Validate the JBoss HTTPS listener configuration in standalone.xml or domain.xml.

  10. Ensure the SSLRealm and HTTPS listener exist and load correctly without errors.

  11. For database-related SSL errors, especially with SQL Server using encrypt=true;trustServerCertificate=false, import the database certificate into the truststore or set trustServerCertificate=true temporarily.

  12. Verify the datasource test succeeds.

  13. Check EJB SSL configuration if errors relate to port 8443.

  14. Ensure SSL is enabled and configured correctly for EJB traffic, and verify that invocation errors no longer occur.

  15. Re-test the original failing operation and confirm logs do not contain SSLHandshakeException or related errors.

If issues persist, perform deeper validation by comparing certificates using openssl and verifying truststore entries.

recommendation-more-help
experience-cloud-kcs-help-kbarticles