Does not apply to Identity Cloud

AM (All versions) fails to connect to DS using a secured connection with an ERROR: Connection factory became offline

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if AM fails to connect to DS using a secured connection (SSL/TLS enabled). You will see errors such as "ERROR: Connection factory became offline", "Connect Error: General SSLEngine problem" and "unable to find valid certification path to requested target" when this happens.



Symptoms

An error similar to the following is shown in the IdRepo log when AM fails to connect to DS:

LDAPUtils:03/16/2018 11:32:19:797 AM EST: Thread[localhost-startStop-1,5,main]
ERROR: Connection factory became offline: AuthenticatedConnectionFactory(HeartBeatConnectionFactory(LDAPConnectionFactory(test.example.com:443)), SimpleBindRequest(name=cn=Directory Manager, authentication=simple, controls=[]))
org.forgerock.opendj.ldap.ConnectionException: Connect Error: General SSLEngine problem
    at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:210)
    at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:172)
    at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:142)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter.adaptConnectionException(LDAPConnectionFactoryImpl.java:187)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter.onFailure(LDAPConnectionFactoryImpl.java:194)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter.access$200(LDAPConnectionFactoryImpl.java:76)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter$2.failed(LDAPConnectionFactoryImpl.java:147)
    ...
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1300)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.glassfish.grizzly.ssl.SSLConnectionContext.wrap(SSLConnectionContext.java:339)
    at org.glassfish.grizzly.ssl.SSLUtils.handshakeWrap(SSLUtils.java:303)
    at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:621)
    ... 17 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:818)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:816)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1237)
    at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:252)
    at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:632)
    ... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1426)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 31 more

You may see a similar error in the OpenDJ-SDK log when configuring AM servers:

org.forgerock.opendj.ldap.LoadBalancer:06/08/2018 11:07:59:746 AM BST: Thread[OpenDJ LDAP SDK Client Selector(1) SelectorRunner,5,main]: TransactionId[de8dd168-1af6-4213-a6dc-56740aee391f-108] WARNING: Connection factory 'org.forgerock.opendj.ldap.LdapClientImpl@563521a3' is no longer operational: Connect Error: General SSLEngine problem

A corresponding java.net.ConnectException may also be seen in the Configuration log when this happens; it shows that the connection was refused because the client attempted to establish the network session over HTTP rather than HTTPS while configuring the servers:

WARNING: AMSetupUtils.getRemoteServerInfo()
java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:178)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
    at sun.net.www.http.HttpClient.<init>(HttpClient.java:242)
    at sun.net.www.http.HttpClient.New(HttpClient.java:339)
    at sun.net.www.http.HttpClient.New(HttpClient.java:357)
    at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1220)
    ...

Recent Changes

Configured DS to use LDAP secure access (LDAPS).

Changed the DS server certificate.

Causes

AM cannot connect to the secured DS because the JVM does not trust the DS server certificate.

Solution

You must import the DS server certificate into your AM truststore to allow the JVM to trust the DS server certificate.

See How do I import a certificate into the truststore used by AM (All versions) for SSL?, Prepare the truststore (AM 7 and later) and How do I make AM 6.x communicate with a secured LDAP server? for further information.
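To confirm that the truststore is the cause (and, after importing the certificate, that the fix worked) without restarting AM, the following added diagnostic, which is not ForgeRock's code, performs the same PKIX-validated TLS handshake the JVM performs against the DS LDAPS port. The DS host and port, the truststore path and its password are assumed inputs; the truststore is assumed to be the one AM's JVM is started with (javax.net.ssl.trustStore).

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic, not part of AM or DS. Usage (all arguments are assumptions):
//   java DsTrustCheck <ds-host> <ldaps-port> <truststore-path> [truststore-password]
public class DsTrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: DsTrustCheck <ds-host> <ldaps-port> <truststore> [password]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] password = (args.length > 3 ? args[3] : "changeit").toCharArray();

        // Load the truststore with the JVM default type: jks on Java 8,
        // pkcs12 on Java 9+ (which also reads JKS files).
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[2])) {
            ts.load(in, password);
        }
        // Build an SSLContext that trusts only what this truststore contains.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // A bare TLS handshake against the LDAPS port; no LDAP bind is sent.
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake();
            System.out.println("OK: " + args[2] + " trusts the chain presented by " + host + ":" + port);
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal() + " issuer=" + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Same failure AM logs as "General SSLEngine problem" / "PKIX path building failed".
            System.out.println("FAIL: " + e.getMessage());
            System.out.println("Trusted aliases in " + args[2] + ": " + Collections.list(ts.aliases()));
            System.out.println("Import the DS server certificate (or its issuing CA) into this truststore and rerun.");
            System.exit(1);
        }
    }
}
```

A FAIL here with a PKIX message reproduces the symptom above; OK after the import shows the truststore change took effect, so any remaining failure in AM points at the JVM not using that truststore.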

See Also

How do I troubleshoot connection via LDAPS issues in DS (All versions)?

FAQ: SSL/TLS secured connections in AM and Agents

SSL in AM and Agents

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright © 2023 ForgeRock, all rights reserved.