SAP Cloud Integration Suite - TSL/SSL - SMF Protocol

Hello,

I’m running some tests with the broker in the Software (Docker) version using SAP Cloud Integration with the Advanced Event Mesh adapter.

It works for communication using the SMF protocol without a secure connection (SSL).

When communicating with the SMF protocol and a secure connection (SSL), the following error is displayed when deploying iFlow:

[CONTENT][CONTENT_DEPLOY][InstanceError] : {"message":"EXCEPTION","parameters":["org.apache.camel.RuntimeCamelException: com.solacesystems.jcsmp.JCSMPTransportException: ValidatorException - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"],"childMessageInstances":[{"message":"CAUSE","parameters":["com.solacesystems.jcsmp.JCSMPTransportException: ValidatorException - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuild

Logging into the Broker client, the error is displayed below:

event: SYSTEM: SYSTEM_SSL_CONNECTION_REJECTED: - - SSL Connection rejected: reason (ssl/tls alert certificate unknown); connection to XXXXX:55443 from YYYYY:41984

The broker was installed on an EC2 machine in AWS, and the communication ports were opened to send and receive messages/events.

To enable the SSL connection, a self-signed certificate was created:

openssl req -x509 -nodes -days 3650 \
  -newkey rsa:2048 \
  -keyout server.key \
  -out server.crt \
  -config san.cnf \
  -extensions req_ext

cat server.crt server.key > server.pem

Certificate imported and enabled in the Broker:

docker exec -it solace /usr/sw/loads/currentload/bin/cli -A
enable
configure
ssl
server-certificate server.pem

Info:

Flags Legend:
TP - Transport
S - SSL (Y=Yes, N=No, -=not-applicable)
C - Compressed (Y=Yes, N=No, -=not-applicable)
VRF - VRF (Mgmt=management, MsgBB=msg-backbone)
A - Admin State (U=Up, D=Down, -=not-applicable)
O - Oper State (U=Up, D=Down, -=not-applicable)

Service  TP   S  C  VRF    MsgVpn   Port   A  O  Failed Reason
SMF      TCP  N  N  MsgBB           55555  U  U
SMF      TCP  N  Y  MsgBB           55003  U  U
SMF      TCP  Y  N  MsgBB           55443  U  U
REST     WEB  N  -  MsgBB  default  9000   U  U
REST     WEB  Y  -  MsgBB  default  9443   U  U
SMF      WEB  N  -  MsgBB           8008   U  U
SMF      WEB  Y  -  MsgBB           1443   U  U
MQTT     TCP  N  -  MsgBB  default  1883   U  U
MQTT     TCP  Y  -  MsgBB  default  8883   U  U
MQTT     WEB  N  -  MsgBB  default  8000   U  U
MQTT     WEB  Y  -  MsgBB  default  8443   U  U
AMQP     TCP  Y  -  MsgBB                  U  D  Not Permitted
AMQP     TCP  N  -  MsgBB  default  5672   U  U
AMQP     TCP  Y  -  MsgBB  default  5671   U  U

I would like to understand the reason for the connection refusal, given that the certificate was imported into SAP Cloud Integration.

Thanks

Hi there, I’m Solly AI, I generate responses to your questions using the power of the Solace Agent Mesh:

Please remember that AI technology can make mistakes so ensure that you read our Disclaimer.

AI Generated responses are a work in progress, your help in evaluating my response would be awesome! If my response makes sense, please mark it as a solution or give a :+1:. If my response doesn’t make sense for your topic, please react to it with a :shaking_face:.

Looking at the documentation, here’s how to resolve SSL connection issues with a self-signed certificate on a Solace software event broker running in Docker when connecting from SAP Cloud Integration:

The key steps involve:

  1. Generate and configure the server certificate:

    • Generate a self-signed certificate containing both private key and certificate in PEM format
    • Copy the certificate file to /usr/sw/jail/certs directory in the Docker container
    • Configure the certificate using the Solace CLI
  2. Configure SSL on the event broker:

    • Enable SSL service for the Message VPN
    • Set the server certificate for use
    • Configure client certificate authentication if required
  3. Client-side configuration:

    • Import the server’s certificate into SAP Cloud Integration’s truststore
    • Configure the client to use SSL/TLS when connecting

The documentation shows this needs to be done in a specific order and format to work properly. The most common issues are:

  • Invalid certificate format (needs to be PEM with both private key and certificate)
  • Certificate not properly installed in the correct location
  • SSL service not enabled on the event broker
  • Client truststore not configured with the server certificate

Here are the relevant documentation links for reference:

For the specific steps and commands, please refer to the documentation links above as the exact configuration may vary based on your environment and requirements.

Settings already reviewed and implemented; the problem persists.

Hi @toolivei,

Cert issues are always the most fun to figure out :rofl:.

Looking at this part of the error, it reads to me like the iFlow isn’t able to properly find the path to the keystore/truststore. Can you troubleshoot that end of things a bit further?

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuild

On the Solace broker side of things, try to connect to your broker using openssl and see if it is presenting the cert info that you’d expect. The command should be something like this:

openssl s_client -connect yourhost:55443

Hope that helps!

Hi @marc !!!

Error that occurs when deploying to SAP Cloud Integration:

2025-09-15 01:21:20#+0000#INFO#com.solacesystems.common.util.SNIUtil#anonymous#Context_10_ReactorThread-11-1#com.solace.connector.sapis.pubsubplus-connector-sap-is#na#na#na#na#Server Name Indication (SNI) automatically applied by using provided hostname#-#10.0.201.3#0
2025-09-15 01:21:20#+0000#INFO#com.solacesystems.jcsmp.protocol.impl.TcpClientChannel#anonymous#Blueprint Event Dispatcher: 1#com.solace.connector.sapis.pubsubplus-connector-sap-is#na#na#na#na#Client-9: Connection attempt failed to host ‘host_broker’ ConnectException com.solacesystems.jcsmp.JCSMPTransportException: ValidatorException - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target cause: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target ((Client name: e050fe65-fc04-4af1-71fb-d891/7/a3e79933b92afd5d0009/gd7IoEJV5c ) - )#-#10.0.201.3#0
2025-09-15 01:21:23#+0000#INFO#com.solacesystems.jcsmp.protocol.impl.TcpClientChannel#anonymous#Blueprint Event Dispatcher: 1#com.solace.connector.sapis.pubsubplus-connector-sap-is#na#na#na#na#Client-9: Channel Closed (smfclient 9)#-#10.0.137.60#1
2025-09-15 01:21:23#+0000#ERROR#org.apache.camel.impl.engine.AbstractCamelContext#anonymous#Blueprint Event Dispatcher: 1#org.apache.camel.camel-base-engine#na#na#na#na#Error starting CamelContext (ConsumeQueueAdvEventMeshNumenDev) due to exception thrown: com.solacesystems.jcsmp.JCSMPTransportException: ValidatorException - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target#-#

Client Broker => show log system

event: SYSTEM: SYSTEM_SSL_CONNECTION_REJECTED: - - SSL Connection rejected: reason (ssl/tls alert certificate unknown); connection to xxxxxxxxxxxxx:55443 from yyyyyyyyyyy:58164

Below is the result of the command:

openssl s_client -connect yourhost:55443

No client certificate CA names sent

Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 1502 bytes and written 452 bytes

Verification error: self-signed certificate

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)

405751800D7E0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:317:

Another piece of information: the AMQP protocol over the SSL connection works, on port 5671.

The problem is occurring with the SMF protocol (Advanced Event Mesh adapter).

Thanks

I’m not super familiar with SAP CI, but in order to make this SSL connection work, the CA/root certs you used to sign the cert for your broker SSL must be imported into CI’s trust store or added somewhere for this connection so that it can trust your broker’s cert. Please check the SAP CI documentation on how to import a custom CA.
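The openssl output above stops at verify return code 18, and the reply says the signing cert must be in CI's trust store. The script below is an added example, not code from the thread or from Solace/SAP: it builds a self-signed cert the way the original post does (SAN given inline instead of san.cnf), shows that verification fails with code 18 until that cert itself is the trust anchor, and checks that the SAN covers the hostname the client dials (the CI log shows SNI applied from the hostname). It assumes the openssl CLI (1.1.1+); broker.example.test is a constructed name.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks decide the outcome seen above:
# (1) can a path be built to a trust anchor (openssl "Verify return code",
#     the same PKIX path building the Java client performs), and
# (2) does the subjectAltName cover the hostname the client dials.
# Assumes the openssl CLI (1.1.1+); broker.example.test is a constructed name.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=broker.example.test
CRT="$WORK/server.crt"
KEY="$WORK/server.key"

# Same request as the original post, with the SAN given inline instead of san.cnf.
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout "$KEY" -out "$CRT" -subj "/CN=$HOST" \
  -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1

# Print the X.509 verify error code for a certificate: 0 when a path to a trust
# anchor exists, 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) when the chain ends
# at a self-signed leaf nobody trusts. Without a second argument the system store
# is ignored, which is what a truststore lacking the certificate amounts to.
verify_code() {  # verify_code <cert.pem> [trust-anchor.pem]
  if [ $# -ge 2 ]; then
    set -- -CAfile "$2" "$1"
  else
    set -- -no-CAfile -no-CApath "$1"
  fi
  out=$(openssl verify "$@" 2>&1) && { echo 0; return 0; }
  echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Succeed when the certificate's subjectAltName lists the given DNS name exactly.
san_covers() {  # san_covers <cert.pem> <hostname>
  openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null \
    | grep -qE "DNS:$2( |,|\$)"
}

echo "no trust anchor       : verify code $(verify_code "$CRT")"          # 18
echo "cert itself as anchor : verify code $(verify_code "$CRT" "$CRT")"   # 0
if san_covers "$CRT" "$HOST"; then echo "SAN covers $HOST"; fi
```

Code 18 is exactly what a Java client reports as "unable to find valid certification path" when the self-signed cert is absent from the truststore it actually consults.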

The certificate was imported into SAP CI. The issue occurs with the SMF protocol. It works with the AMQP protocol, which also uses SSL.

Are there any restrictions for self-signed certificates using the SMF protocol?

I don’t think so… We are using our private CA to sign the broker cert and it’s working as expected.

@toolivei I also think the issue is on the CI side from the error message, but let’s see if we can isolate the issue to the broker config or on the CI side by using a different client.

Can you try to download sdkperf_java and see if it can connect using your truststore. I think this command should do the trick. It will connect using TLS and your truststore and send 1 message to test/topic.

sdkperf_java -cip=<broker_host>:55443 -cu=<username>@<vpn> -cp=<password> -tls -tst=<path_to_truststore> -tsp=<truststore_password> -mn=1 -ptl=test/topic

From Chatgpt:

Import into SAP CI

  1. In your CI tenant: Monitor → Security Material → Keystore (or Operations View → Manage Keystore).

  2. Add → Certificate.

  3. Upload the PEM.

    • If you have a chain, upload each intermediate/root separately (root first is fine; order doesn’t matter once stored).
  4. Confirm it shows as Trusted.

Tip: Importing the CA means you won’t need to reimport when the Solace server cert renews.

In your case you might not have a CA, so that cert should be fine.

The certificate has already been imported into SAP CI. I don't have a CA. The certificate installed on the broker is self-signed.

As I mentioned, the AMQP protocol using SSL works and the certificate is being validated. The problem is the SMF protocol.

Thanks

I tested it using the SDKPerf tool. The first time it didn't work; the broker was returning the same error. So I imported the self-signed certificate from the broker's server into Domain Certificate Authorities, and it worked.

In short, besides importing the certificate into the broker's server, I also had to import it into Domain Certificate Authorities.

In the case of SAP CI, it's still refusing the connection. The same certificate I imported into Java for use with the SDKPerf tool is also in SAP CI.

Thank you!!!

Okay, well at least we’ve made progress! So now we know the broker is configured correctly and we need to troubleshoot on the CI side. Unfortunately I’m not familiar with CI. Does it show you what certificates are in the truststore?

It certainly helped a lot. There's a section in the CI to store certificates, and I've already stored it there.

Well, I need to investigate because the problem only occurs with the CI. I'll let you know when I have any updates.

Thank you very much!!!