After installing a new TIBCO Data Virtualization certificate, the Drill Engine writes "PKIX path building failed" to cs_server.log

Article ID: KB0073566

Products Versions
TIBCO Data Virtualization 8.0.x and higher.

Description

After installing a new certificate into TDV (TIBCO Data Virtualization), the following message appears in cs_server.log:

------
ERROR [main] 2021-05-05 06:28:38.498 -0700 DrillEngine -
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
------

Resolution

The Apache Drill Engine runs as a separate process (the drillbit started by the TDV server, as shown in the "Starting Drill using" log line below) and opens a TLS connection back to the TDV server. To validate the TDV server certificate it must build a certification path from that certificate to a trust anchor in the truststore file it is started with (-Djavax.net.ssl.trustStore), which is the TDV server truststore.

In this context, "PKIX path building failed ... unable to find valid certification path to requested target" means that neither the new TDV certificate nor the CA that issued it is present in that truststore. The error does not stop TDV from servicing queries: when the Drill Engine is unavailable, TDV falls back to the classic Query Engine to generate query plans, so queries continue to work. Unless TDV has been explicitly configured to use the Drill Engine, it uses the classic Query Engine by default anyway.

To resolve the error, the certificate needs to be imported into the server truststore file. The steps to carry out the import are below.

1.   Find the truststore file location.

There are two ways to do this.

The first is to open Studio, and go to the configuration setting  Administration >> Configuration >> Server >> Communications >> Truststore File Location (On Server Restart).  

The second approach is to look for a line in cs_server.log that contains the words "Starting Drill using", as shown in the example below:

------
INFO [main] 2021-05-05 06:28:05.215 -0700 DrillEngine - Starting Drill using: [./drillbit.sh,start,-Djavax.net.ssl.keyStore=/tibco/tdv_8.4/conf/server/security/cis_server.jks -Djavax.net.ssl.trustStore= /tibco/tdv_8.4/conf/server/security/cis_server_truststore.jks -Djavax.net.ssl.keyStoreAlias=cis_server ]
------

The value of -Djavax.net.ssl.trustStore in this line is the truststore file location.

2.   Obtain the TDV certificate as a certificate file.

The easiest way to do this is:
  • Open the TDV Web Manager by entering the HTTPS URL in a browser:
                  https://<hostname>:<base port + 2>
  • Use the browser's certificate viewer to export the certificate as an X.509 (.cer) file (for example, via the certificate viewer in Microsoft Edge).

IMPORTANT: If the new certificate was issued by a CA (i.e. it is part of a certificate chain), export every certificate in the chain, for instance:
                        -   ROOT.cer
                        -   INTERMEDIATE.cer
                        -   FINAL.cer

The root CA certificate is the trust anchor that lets the Drill Engine build the path. A server normally sends only its own certificate and the intermediate(s), so the root may have to be obtained from the CA directly. Importing the server certificate (FINAL.cer) itself as a trusted entry also works, but it pins that exact certificate, so the import must be repeated whenever the certificate is renewed.

3.   Import the .cer file(s) into the TDV truststore file.

The keytool utility shipped with the TDV JDK may be used for this. Each alias must be unique within the truststore (keytool refuses to import over an existing alias; delete the old entry first if the certificate is being replaced). The password changeit used in the examples is the Java default; use the password actually set on the TDV truststore.

Example

/opt/TIBCO/TDV_Server_8.4/jdk/bin/keytool -import -trustcacerts -alias cis_server_root -file ROOT.cer  -keystore /opt/TIBCO/TDV_Server_8.4/conf/server/security/cis_server_truststore.jks -storepass changeit

/opt/TIBCO/TDV_Server_8.4/jdk/bin/keytool -import -trustcacerts -alias cis_server_intermediate -file INTERMEDIATE.cer  -keystore /opt/TIBCO/TDV_Server_8.4/conf/server/security/cis_server_truststore.jks -storepass changeit

/opt/TIBCO/TDV_Server_8.4/jdk/bin/keytool -import -trustcacerts -alias cis_server_final  -file FINAL.cer -keystore /opt/TIBCO/TDV_Server_8.4/conf/server/security/cis_server_truststore.jks -storepass changeit

4.   Restart the TDV server.

A restart is needed because the truststore is read when the drillbit process is started. It is sufficient to restart only the TDV server (there is no need to restart the Postgres Repository or Cache). After the restart, check that cs_server.log contains a new "Starting Drill using" line that is not followed by the PKIX error.
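The four steps above can be run from the TDV host as one script. The following is an added example, not TIBCO's code and not part of the original article: it reads the truststore path from the "Starting Drill using" line (step 1), pulls the chain the Web Manager presents with openssl s_client (step 2), imports each certificate with keytool (step 3) and lists the store so the entries can be verified before the restart (step 4). It assumes openssl is on PATH; the keytool path, the log path, the port (base port 9400 plus 2) and the tdv_ alias prefix are assumptions to adjust for the installation. Because a server usually does not send its root CA, check the listing and import ROOT.cer separately if it is missing.

```shell
#!/bin/sh
# Added example (not TIBCO's code): automate steps 1-4 on the TDV host.
# Assumptions: openssl on PATH; keytool path, log path, port and alias
# prefix are install-specific and must be adjusted.

# Step 1: print the -Djavax.net.ssl.trustStore value from the last
# "Starting Drill using" line in the given cs_server.log (empty if none).
drill_truststore_from_log() {
  grep 'Starting Drill using' "$1" | tail -n 1 |
    sed -n 's/.*-Djavax\.net\.ssl\.trustStore= *\([^ ]*\).*/\1/p'
}

# Step 2a: fetch the PEM chain presented on host:port
# (the TDV Web Manager listens on base port + 2, e.g. 9402 for base 9400).
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Step 2b: split a PEM stream on stdin into $1/cert-N.pem, where N is the
# position in the chain (1 = server certificate), and print the count.
# Lines outside BEGIN/END blocks (s_client chatter) are dropped.
split_pem_chain() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != ""                        { print > f }
    /-----END CERTIFICATE-----/    { close(f); f = "" }
    END                            { print n + 0 }'
}

# Step 3: import each cert-N.pem as a trusted entry. keytool refuses to import
# over an existing alias, so a stale entry with the same alias is deleted first.
# Prints the number of trustedCertEntry rows in the store afterwards so the
# operator can confirm the chain (including the root) is really present.
import_chain() {
  store=$1; storepass=$2; certdir=$3; keytool=${4:-keytool}
  for f in "$certdir"/cert-*.pem; do
    entry="tdv_$(basename "$f" .pem)"   # assumed alias prefix
    "$keytool" -delete -alias "$entry" -keystore "$store" -storepass "$storepass" >/dev/null 2>&1 || true
    "$keytool" -importcert -noprompt -trustcacerts -alias "$entry" -file "$f" \
      -keystore "$store" -storepass "$storepass"
  done
  "$keytool" -list -keystore "$store" -storepass "$storepass" | grep -c trustedCertEntry
}

# Usage: sh tdv_import_chain.sh <tdv-host> <https-port> <cs_server.log> <storepass> [keytool]
# e.g.   sh tdv_import_chain.sh tdv01.example.com 9402 \
#             /opt/TIBCO/TDV_Server_8.4/logs/cs_server.log changeit \
#             /opt/TIBCO/TDV_Server_8.4/jdk/bin/keytool
if [ "$#" -ge 4 ]; then
  store=$(drill_truststore_from_log "$3")
  [ -n "$store" ] || { echo "no 'Starting Drill using' line in $3" >&2; exit 1; }
  certdir=$(mktemp -d)
  count=$(fetch_chain "$1" "$2" | split_pem_chain "$certdir")
  [ "$count" -gt 0 ] || { echo "no certificates received from $1:$2" >&2; exit 1; }
  echo "importing $count certificate(s) into $store"
  import_chain "$store" "$4" "$certdir" "$5"
  echo "restart the TDV server so the Drill Engine re-reads the truststore"
fi
```

The parsing step tolerates the space that appears after trustStore= in the log line above, and the split step keeps only the certificate blocks, so the s_client handshake output is never written into a .pem file.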