Does not apply to Identity Cloud

AM (All versions) fails to connect to DS using a secured connection with an ERROR: Connection factory became offline

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if AM fails to connect to DS using a secured connection (SSL/TLS enabled). You will see errors such as "ERROR: Connection factory became offline", "Connect Error: General SSLEngine problem" and "unable to find valid certification path to requested target" when this happens.



Symptoms

An error similar to the following is shown in the IdRepo log when AM fails to connect to DS:

LDAPUtils:03/16/2018 11:32:19:797 AM EST: Thread[localhost-startStop-1,5,main] ERROR: Connection factory became offline: AuthenticatedConnectionFactory(HeartBeatConnectionFactory(LDAPConnectionFactory(test.example.com:443)), SimpleBindRequest(name=cn=Directory Manager, authentication=simple, controls=[]))
org.forgerock.opendj.ldap.ConnectionException: Connect Error: General SSLEngine problem
    at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:210)
    at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:172)
    at org.forgerock.opendj.ldap.ErrorResultException.newErrorResult(ErrorResultException.java:142)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter.adaptConnectionException(LDAPConnectionFactoryImpl.java:187)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter.onFailure(LDAPConnectionFactoryImpl.java:194)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter.access$200(LDAPConnectionFactoryImpl.java:76)
    at com.forgerock.opendj.ldap.LDAPConnectionFactoryImpl$CompletionHandlerAdapter$2.failed(LDAPConnectionFactoryImpl.java:147)
    ...
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1300)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.glassfish.grizzly.ssl.SSLConnectionContext.wrap(SSLConnectionContext.java:339)
    at org.glassfish.grizzly.ssl.SSLUtils.handshakeWrap(SSLUtils.java:303)
    at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:621)
    ... 17 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:818)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:816)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1237)
    at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:252)
    at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:632)
    ... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1426)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 31 more

You may see a similar error in the OpenDJ-SDK log when configuring AM servers:

org.forgerock.opendj.ldap.LoadBalancer:06/08/2018 11:07:59:746 AM BST: Thread[OpenDJ LDAP SDK Client Selector(1) SelectorRunner,5,main]: TransactionId[de8dd168-1af6-4213-a6dc-56740aee391f-108] WARNING: Connection factory 'org.forgerock.opendj.ldap.LdapClientImpl@563521a3' is no longer operational: Connect Error: General SSLEngine problem

A corresponding java.net.ConnectException may also be seen in the Configuration log when this happens; it shows that the connection was refused because the client attempted to establish the network session over HTTP rather than HTTPS when configuring the servers:

WARNING: AMSetupUtils.getRemoteServerInfo() java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at sun.net.NetworkClient.doConnect(NetworkClient.java:178)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
    at sun.net.www.http.HttpClient.(HttpClient.java:242)
    at sun.net.www.http.HttpClient.New(HttpClient.java:339)
    at sun.net.www.http.HttpClient.New(HttpClient.java:357)
    at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1220)
    ...

Recent Changes

Configured DS to use LDAP secure access (LDAPS).

Changed the DS server certificate.

Causes

AM cannot connect to the secured DS because the JVM does not trust the DS server certificate.

Solution

You must import the DS server certificate into your AM truststore to allow the JVM to trust the DS server certificate.

See How do I import a certificate into the truststore used by AM (All versions) for SSL?, Installation Guide › Preparing a Truststore (AM 7 and later) and How do I make AM 5.x and 6.x communicate with a secured LDAP server? for further information.
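As an added check (not ForgeRock code or part of the original article), the following Java program loads the truststore you point it at and performs the TLS handshake against the DS LDAPS port, which is exactly the step that fails in the IdRepo trace above; run it after the import and before restarting AM to confirm the DS certificate chain is now trusted. The class name TrustCheck, the command-line arguments and the JKS default are assumptions for this illustration.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilderException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example, not ForgeRock code. Loads the given truststore and performs the TLS
// handshake against DS, the step that fails with "unable to find valid certification
// path to requested target" in the IdRepo trace. Class name and arguments are assumed.
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java TrustCheck <ds-host> <ldaps-port> <truststore> <password>");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        // Build a trust manager from this store only (not the JVM default cacerts), so the
        // result reflects the store AM is configured to use. JKS is assumed; override
        // with -Dstore.type=PKCS12 for a PKCS12 truststore.
        KeyStore ts = KeyStore.getInstance(System.getProperty("store.type", "JKS"));
        try (FileInputStream in = new FileInputStream(args[2])) {
            ts.load(in, args[3].toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        // Force the handshake before any LDAP traffic; a chain the store does not trust
        // fails here with the same SunCertPathBuilderException seen in the log.
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.startHandshake();
            System.out.println("OK: " + host + ":" + port + " is trusted by " + args[2]);
            System.out.println("Server certificate subject: " + sock.getSession().getPeerPrincipal().getName());
        } catch (SSLHandshakeException e) {
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            if (root instanceof CertPathBuilderException) {
                System.out.println("NOT TRUSTED: " + root.getMessage());
                System.out.println("Import the DS server certificate (or its issuing CA) into " + args[2]);
            } else {
                System.out.println("Handshake failed for another reason: " + root);
            }
            System.exit(1);
        }
    }
}
```

Only chain trust is checked here, matching the cause described in this article; hostname verification against the certificate is a separate concern and is not exercised.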

See Also

AM 5.x or 6.x fails to connect to the user data store when anonymous access is disabled in DS

How do I troubleshoot connection via LDAPS issues in DS (All versions)?

How do I use externally created SSL keys with DS 5.x or 6.x?

FAQ: SSL/TLS secured connections in AM and Agents

SSL in AM and Agents

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.