Certificate validation fails during a VA scan against PostgreSQL

PadmaPriya
Support

Last Update:

May 10, 2022 3:15:54 PM

Updated By:

Jamie_Gregory

Created date:

May 6, 2021 2:05:15 PM

Issue:

When you run a VA scan or test VA credentials against a PostgreSQL instance, you see the following error:

Please Check Connection Parameters Cannot create PoolableConnectionFactory (The connection attempt failed.)

 

When you look at dbs.log, you also see the following:

org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The connection attempt failed.)

Caused by: org.postgresql.util.PSQLException: The connection attempt failed.
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

Environment:

  • PostgreSQL 11.x or later

Cause:

PostgreSQL 11 and later present the public key certificate in a format that is incompatible with the Database Security Server default settings.

 

Solution:

You have two options to fix the issue:


Option 1 (recommended):
Extract the public key certificate from PostgreSQL and import it to Database Security Server’s Java KeyStore file.

  1. Obtain the certificate in X.509 format with DER encoding.
    To convert a certificate file to this encoding, use the following OpenSSL command (where server.crt is the public key certificate used with PostgreSQL):
    openssl x509 -in server.crt -out server.crt.der -outform der
     
  2. Import the certificate to Database Security Server’s Java KeyStore file.
    NOTE: On both platforms, the keystore password is changeit.
    • On Windows:
      1. Open a command-line session.
      2. Type <DBSecInstallDir>\java\zulu_jre8_0_181\bin\keytool -import -alias postgres -file server.crt.der -keystore <DBSecInstallDir>\java\zulu_jre8_0_181\lib\security\cacerts and press Enter.
    • On Linux:
      1. Open a command-line session.
      2. Type <DBSecInstallDir>/jre/bin/keytool -import -alias postgres -file server.crt.der -keystore <DBSecInstallDir>/jre/lib/security/cacerts and press Enter.
         
  3. Restart Database Security Server.
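
The checks below wrap steps 1 and 2 of Option 1 so that only the intended certificate ends up trusted in cacerts. This is an added example, not code from the vendor; the function names are hypothetical, and it assumes openssl and keytool are on PATH (otherwise use the full keytool path from step 2).

```shell
# Added example: checks around the Option 1 import. Function names are
# hypothetical; assumes openssl and keytool are on PATH.

# Print the SHA-256 fingerprint of a certificate. $1 = file, $2 = pem|der
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2
}

# Convert to DER (step 1) and refuse to continue unless the source parses as
# an X.509 certificate, is not expired, and the DER copy is the same cert.
# $1 = server.crt (PEM), $2 = output file such as server.crt.der
prepare_der() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "not a valid, unexpired PEM certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -out "$2" -outform der || return 1
    src=$(cert_fingerprint "$1" pem)
    der=$(cert_fingerprint "$2" der)
    # An empty fingerprint means openssl could not read the file.
    [ -n "$src" ] && [ "$src" = "$der" ]
}

# After step 2: confirm the alias in cacerts holds exactly this certificate.
# $1 = server.crt (PEM), $2 = path to cacerts, $3 = alias (postgres on this page)
keystore_has_cert() {
    fp=$(cert_fingerprint "$1" pem)
    [ -n "$fp" ] || return 1
    # -v prints the SHA256 fingerprint on Java 8 as well as later releases.
    keytool -list -v -alias "$3" -keystore "$2" -storepass changeit 2>/dev/null |
        grep -qiF "$fp"
}
```

Run prepare_der before the keytool import and keystore_has_cert after it; a non-zero exit status from either means the import should not be relied on.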

Option 2 (not recommended):
NOTE: This change disables public key certificate validation for this connection, so the scan accepts whatever certificate the server presents without verifying it. This is a potential security risk.

  1. Open the Database Security Server console.
  2. For the appropriate DBMS, click DBMSs > Configuration.
  3. Below the VA credentials, expand Advanced.
  4. In Connection Properties, add the following strings on their own lines:
    ssl=true
    sslfactory=org.postgresql.ssl.NonValidatingFactory
    sslmode=required
     
  5. Save the changes and test again.