SSL or connection errors (Java)

Problem

Your New Relic Java agent's log data shows SSL or connection errors.

Solution

Failures to connect via SSL will generally show up very early in the Java agent's log files. For example:

PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath

or

INFO: connection error: java.net.SocketException: java.lang.ClassNotFoundException: 
Cannot find the specified class com.ibm.websphere.ssl.protocol.SSLSocketFactory

If you encounter one of these errors, your JDK instance is probably using a customized trust store. New Relic recommends that you merge the Java default trust store with the application's store because the default trust store contains the GeoTrust root CA (Certificate Authority) from which our certificate is derived.

To merge the truststore, use the following command:

keytool -import -alias ca_alias -file ca_file.pem -keystore truststore.ts -storepass the_password

Parameters include:

Parameter Description
ca_alias The tag of the particular GeoTrust root CA.
ca_file The Java default trust store file that contains the ca_alias.
truststore.ts Where the ca_alias will be added.
the_password Changed to the password for the trust store truststore.ts.

For more help

Additional documentation resources include:

Join the discussion about Java monitoring in the New Relic Online Technical Community! The Technical Community is a public platform to discuss and troubleshoot your New Relic toolset.

If you need additional help, get support at support.newrelic.com.