SSL or connection errors (Java)

Problem

Your New Relic Java agent's log data shows SSL or connection errors.

See Configuring your SSL certificates for instructions on how to communicate with the New Relic collector over HTTPS.

Solution

Failures to connect via SSL typically appear early in the Java agent's log files. For example:

PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath
INFO: connection error: java.net.SocketException: java.lang.ClassNotFoundException: 
Cannot find the specified class com.ibm.websphere.ssl.protocol.SSLSocketFactory

If you see either of these errors, your JDK instance probably is using a customized trust store.

Recommendation: Add the DigiCert Global Root Certificate Authority (CA), from which New Relic's certificate is derived, to your trust store.

You can download the DigiCert Global Root CA from DigiCert (choose the "Download PEM" option).

To import the cert to your trust store, use this command, or see Oracle's Java SE documentation for keytool:

keytool -importcert -alias ca_alias -file ca_file.pem -keystore truststore.ts -storepass ts_password

Parameters include:

Parameter Description
ca_alias The alias you want to use in your trust store for the imported cert.
ca_file The file containing the cert you are adding.
truststore.ts The trust store to which the cert will be added.
ts_password The password used by truststore.ts.

For more help

If you need more help, check out these support and learning resources: