Troubleshooting
Problem
User clicks 'Maintain - Jobs - Define'. User receives error message. Similar errors occur when using other Java-based Controller functionality.
Symptom
Details Example #1
Details Example #2 (from Controller 8.x)
Error
Error creating bean with name 'idGenerator' defined in class path resource [com/ibm/cognos/ccr/common/server-dao-config.xml]: Cannot resolve reference to bean 'wsClient' while setting bean property 'wsclient'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'wsClient' defined in class path resource [com...
...WebServiceException: Failed to access the WSDL at: https://servername:443/cognos8/controllerserver/ccrws.asmx?wsdl. It failed with:
com.ibm.jsse2.util.g: PKIX path building failed: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target.
<...>
[OK]
Cause
The message 'Error creating bean with name 'idGenerator' defined in class path resource' is a generic error.
In this specific scenario, the cause is that the Java program does not have access to a certificate to 'trust' the HTTPS/SSL connection. In turn, the cause of this is because the customer is using a self-created/self-signed SSL certificate (instead of paying for/using one of the 'trusted' providers of such certificates, such as Verisign).
- There are several possible causes for this generic error.
- Instead, the important (unique) parts of the error are 'https' and the message 'unable to find valid certification path to requested target'.
In this specific scenario, the cause is that the Java program does not have access to a certificate to 'trust' the HTTPS/SSL connection. In turn, the cause of this is because the customer is using a self-created/self-signed SSL certificate (instead of paying for/using one of the 'trusted' providers of such certificates, such as Verisign).
Environment
Customer has enabled HTTPS / SSL encryption between client device and application server.
Resolving The Problem
Fix:
1. Logon to the Controller application server (where the SSL certificate has been installed already)
2. Launch Internet Explorer
3. Click "Tools - Internet Options"
4. Select tab "Content"
5. Click "Certificates"
6. Depending upon where you installed the certificate into IE, select the correct tab.
7. Highlight the relevant (self-signed) certificate, and click "Export..."
8. Click "Next", "Next" and then select "DER encoded binary X.509 (.CER)" then "Next"
9. Type in a sensible filename (for example 'mycertificate.cer') and location (for example C:\TEMP), and click "Next" then "Finish"
Part Two - Install the certificate into the client JRE
The following needs to be done on each and every client device (evey device that has the Controller classic client installed):
1. Launch a command prompt (Start - Run - "CMD" <Enter>)
2. Change directory to where the user's integration client's JRE 'keytool.exe' file has been installed.
3. Locate the folders where a file 'cacerts' exists.
Example (Controller 10.4.1 on Windows 10)
keytool -import -alias CognosController -file C:\temp\mycertificate.cer -keystore "C:\Program Files\IBM\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts"
===================================================
NOTES:
When prompted, enter the password.
When asked if want to trust the certificate, type: y <enter>
===================================================
5. Restart the client and test.
Install the SSL certificate into the Java Runtime Environment (JRE) on the client, so that the JRE (used by the Controller client) trusts the self signed certificate.
Steps
Part One - Export the certificate from Internet Explorer:1. Logon to the Controller application server (where the SSL certificate has been installed already)
2. Launch Internet Explorer
3. Click "Tools - Internet Options"
4. Select tab "Content"
5. Click "Certificates"
6. Depending upon where you installed the certificate into IE, select the correct tab.
- TIP: Probably this will be inside "Trusted Root Certification Authorities".
7. Highlight the relevant (self-signed) certificate, and click "Export..."
8. Click "Next", "Next" and then select "DER encoded binary X.509 (.CER)" then "Next"
9. Type in a sensible filename (for example 'mycertificate.cer') and location (for example C:\TEMP), and click "Next" then "Finish"
Part Two - Install the certificate into the client JRE
The following needs to be done on each and every client device (evey device that has the Controller classic client installed):
1. Launch a command prompt (Start - Run - "CMD" <Enter>)
2. Change directory to where the user's integration client's JRE 'keytool.exe' file has been installed.
- This path/folder location varies depending on environment and Controller version.
cd C:\Program Files\IBM\IBM Cognos Controller Local Client\integration\jre\bin
3. Locate the folders where a file 'cacerts' exists.
- This path/folder location varies depending on environment and Controller version.
For example, if using Controller 10.4.1 'local' client, installed in the default location on Windows 10, then this is located here:
4. Import the CER file into the CACERTS file, by typing in command(s) similar to the following.
C:\Program Files\IBM\IBM Cognos Controller Local Client\Integration\jre\lib\security
4. Import the CER file into the CACERTS file, by typing in command(s) similar to the following.
- IMPORTANT: You must change the location of the ".CER" and "cacerts" files as appropriate.
Example (Controller 10.4.1 on Windows 10)
keytool -import -alias CognosController -file C:\temp\mycertificate.cer -keystore "C:\Program Files\IBM\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts"
===================================================
NOTES:
When prompted, enter the password.
- TIP: By default, the password is: changeit
When asked if want to trust the certificate, type: y <enter>
- For example:
===================================================
5. Restart the client and test.
Workaround:
Either:
- Replace the SSL certificate (used on the Controller application server's Microsoft IIS website) with a trusted commercial (not self-signed) certificate, such as one from Verisign or GoDaddy.com.
- or reconfigure Controller to use HTTP (not HTTPS) connections between client device and Controller application server.
Related Information
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Component":"Controller","Platform":[{"code":"PF033","label":"Windows"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Was this topic helpful?
Document Information
Modified date:
26 September 2019
UID
swg21495669