AM (All versions) fails to connect to DS using a secured connection with an ERROR: Connection factory became offline
The purpose of this article is to provide assistance if AM fails to connect to DS using a secured connection (SSL/TLS enabled). You will see errors such as "ERROR: Connection factory became offline", "Connect Error: General SSLEngine problem" and "unable to find valid certification path to requested target" when this happens.
Symptoms
An error similar to the following is shown in the IdRepo log when AM fails to connect to DS:
LDAPUtils:03/16/2018 11:32:19:797 AM EST: Thread[localhost-startStop-1,5,main] ERROR: Connection factory became offline: AuthenticatedConnectionFactory(HeartBeatConnectionFactory(LDAPConnectionFactory(test.example.com:443)), SimpleBindRequest(name=cn=Directory Manager, authentication=simple, controls=[]))
org.forgerock.opendj.ldap.ConnectionException: Connect Error: General SSLEngine problem
    at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:210)
    at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:172)
    at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:142)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter.adaptConnectionException(LDAPConnectionFactoryImpl.java:187)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter.onFailure(LDAPConnectionFactoryImpl.java:194)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter.access$200(LDAPConnectionFactoryImpl.java:76)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter$2.failed(LDAPConnectionFactoryImpl.java:147)
    ...
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1300)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.glassfish.grizzly.ssl.SSLConnectionContext.wrap(SSLConnectionContext.java:339)
    at org.glassfish.grizzly.ssl.SSLUtils.handshakeWrap(SSLUtils.java:303)
    at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:621)
    ... 17 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:818)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:816)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1237)
    at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:252)
    at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:632)
    ... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1426)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 31 more
You may see a similar error in the OpenDJ-SDK log when configuring AM servers:
org.forgerock.opendj.ldap.LoadBalancer:06/08/2018 11:07:59:746 AM BST: Thread[OpenDJ LDAP SDK Client Selector(1) SelectorRunner,5,main]: TransactionId[de8dd168-1af6-4213-a6dc-56740aee391f-108] WARNING: Connection factory 'org.forgerock.opendj.ldap.LdapClientImpl@563521a3' is no longer operational: Connect Error: General SSLEngine problem
A corresponding java.net.ConnectException may also be seen in the Configuration log when this happens; this reveals that the connection was refused when the client attempted to establish a network session over HTTP (not HTTPS) while configuring the servers:
WARNING: AMSetupUtils.getRemoteServerInfo()
java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:178)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
    at sun.net.www.http.HttpClient.<init>(HttpClient.java:242)
    at sun.net.www.http.HttpClient.New(HttpClient.java:339)
    at sun.net.www.http.HttpClient.New(HttpClient.java:357)
    at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1220)
    ...
Recent Changes
Configured DS to use LDAP secure access (LDAPS).
Changed the DS server certificate.
Causes
AM cannot connect to the secured DS because the JVM does not trust the DS server certificate.
Solution
You must import the DS server certificate into your AM truststore to allow the JVM to trust the DS server certificate.
See How do I import a certificate into the truststore used by AM (All versions) for SSL?, Prepare the truststore (AM 7 and later) and How do I make AM 6.x communicate with a secured LDAP server? for further information.
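As an added diagnostic that is not part of this article or of the AM product, the following Java program loads the truststore AM is configured with and performs a TLS handshake against the DS LDAPS port using only that truststore, so you can reproduce the "unable to find valid certification path" failure, and confirm the import fixed it, without restarting AM. The DS host, LDAPS port, truststore path and truststore password are assumed to be passed as command-line arguments; the class name CheckDsTrust is hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Usage: java CheckDsTrust <ds-host> <ldaps-port> <truststore-path> <truststore-password>
public class CheckDsTrust {
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Load the truststore AM is configured to use (the one named by -Djavax.net.ssl.trustStore),
        // not the JDK default cacerts, so this check sees exactly what AM's JVM sees.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[2])) {
            ts.load(in, args[3].toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Also verify the certificate's subject/SAN against the DS host name, so a
            // name mismatch is reported here instead of surfacing later inside AM.
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            // Handshake succeeded: print the chain DS presented so the issuing CA is visible.
            System.out.println("Handshake OK with " + host + ":" + port + "; chain presented by DS:");
            for (Certificate c : sock.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal()
                        + "  issuer=" + x.getIssuerX500Principal());
            }
        } catch (SSLHandshakeException e) {
            // Same root cause AM reports as "Connection factory became offline": the truststore
            // holds neither the DS server certificate nor the CA that issued it.
            System.err.println("Handshake FAILED: " + e.getMessage());
            System.err.println("Import the DS server certificate (or its issuing CA) into " + args[2]);
            System.exit(1);
        }
    }
}
```

Run it before and after the keytool import: a non-zero exit with "PKIX path building failed" means the truststore still lacks the DS certificate or its issuing CA, while an exit of 0 prints the chain DS presents so you can see which CA to trust.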
See Also
How do I troubleshoot connection via LDAPS issues in DS (All versions)?
FAQ: SSL/TLS secured connections in AM and Agents
Related Training
N/A
Related Issue Tracker IDs
N/A