Credential Provider unable to retrieve password from CyberArk safe

Receiving the following error when trying to use the Credential Path option for Password value in an Oracle Direct Connector source

“sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”

I have configured my CCP (cyberark) in my SailPoint ISC tenant alongside my company’s CyberArk team. We have confirmed we meet all the prereqs (source and CCP are associated with the same virtual appliance cluster, this is a VA type source, we have uploaded the PFX (which contains all extended attributes and is password protected) through the CCP config, and all of my VAs are in the Allowed Machines IP list on CyberArk Access Manager). The following is my CCP config with fake names:

Credential Provider Name: CYBERARKCCP.COMPANY.net
Host URL: https://SERVERNAME.COMPANY.net/AIMWebService/

The following is my Credential Path, which I have double and triple checked that all the param/value pairs are 100% correct and I used the URLEncoding link to make sure encoding was done:

secrets://CYBERARKCCP.COMPANY.net/AppID%3DNAME_OF_APPID%26Safe%3DNAME_OF_SAFE%26Object%3DNAME_OF_ACCOUNT/Content

Is your CyberArk instance on-premises or cloud?

On premises. The VAs have been added to the Allowed Lists within CyberArk. We are currently leveraging credential retrieval within our IdentityIQ environment without issue via CredentialConfig XML connectivity (the AIM service is installed on those RHEL IIQ application servers). So I am 100% confident our AppID, Object, Safe values are correct.

I feel like this is an issue with the cert. Can you get the host cert (where CyberArk is installed) and install it in the VA? Once installed, restart the ccg service and then try again.

I received the pfx file from our CyberArk team and the password set for that file. I added that pfx file to the Credential Provider configuration. This was done several weeks ago.


I assume by host cert you are speaking to the pfx file? I have been told by the CyberArk team that this pfx file is 100% correct. I’m not sure what you mean by install in the VA? My assumption is the Upload Files section of the Credential Provider setup does this for me. Would there be some manual folder I should be copying the pfx to on the VAs?

Can you check in this folder if the uploaded cert is available? /home/sailpoint/certificates

Also, if you’re using something like an internal cert for the CyberArk instance itself, add it to the certs on the VA.

There was nothing in the /home/sailpoint/certificates/ directory on any of my 4 VA dev nodes. I copied the password-protected pfx into that directory on all 4 VA dev nodes, ran sudo systemctl stop ccg then sudo systemctl start ccg, ran the aggregation and received the same error in the ccg.log file (I have debug turned on for the VA cluster). I’ve also attached the error that shows up in the UI with my company-specific values redacted.

Error in ccg.log with company-specific pieces replaced:

{"exception":{"stacktrace":"com.sailpoint.mantisclient.exception.baserestclient.BaseRestClientConnectionFailedException: Unable to execute request to URI https://SERVERNAME.COMPANY.net/AIMWebService/api/Accounts?Safe=SAFE&Object=OBJECTNAME&AppID=APPID\n\tat com.sailpoint.mantisclient.BaseRestClient.execute(BaseRestClient.java:775)\n\tat com.sailpoint.mantisclient.BaseRestClient.get(BaseRestClient.java:194)\n\tat com.sailpoint.credential.provider.impl.CyberArkCentralCredentialProvider.lambda$getCredentials$0(CyberArkCentralCredentialProvider.java:105)\n\tat java.base/java.util.ArrayList.forEach(ArrayList.java:1541)\n\tat com.sailpoint.credential.provider.impl.CyberArkCentralCredentialProvider.getCredentials(CyberArkCentralCredentialProvider.java:71)\n\tat com.sailpoint.credential.retriever.impl.CcgConnectorCredentialRetriever.retrieveCredentials(CcgConnectorCredentialRetriever.java:242)\n\tat com.sailpoint.credential.retriever.impl.CcgConnectorCredentialRetriever.getCredentials(CcgConnectorCredentialRetriever.java:223)\n\tat com.sailpoint.credential.retriever.impl.CcgConnectorCredentialRetriever.retrieveCredentials(CcgConnectorCredentialRetriever.java:137)\n\tat com.sailpoint.ccg.credential.provider.util.CredProviderUtil.getCreds(CredProviderUtil.java:97)\n\tat com.sailpoint.ccg.credential.provider.util.CredProviderUtil.fetchLatestCredsAndUpdateSource(CredProviderUtil.java:57)\n\tat com.sailpoint.ccg.cloud.container.Container.getConnector(Container.java:311)\n\tat com.sailpoint.ccg.cloud.container.ContainerIntegration.getConnector(ContainerIntegration.java:91)\n\tat com.sailpoint.ccg.handler.MessageContext.getConnector(MessageContext.java:97)\n\tat com.sailpoint.ccg.aggregation.service.extract.CcgExtractionContextFactory.createForAccount(CcgExtractionContextFactory.java:69)\n\tat com.sailpoint.aggregation.server.service.SourceAggregator.aggregateAccounts(SourceAggregator.java:63)\n\tat com.sailpoint.ccg.handler.StreamingAggregationHandler.invoke(StreamingAggregationHandler.java:190)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler.handleMessage_aroundBody0(CcgPipelineMessageHandler.java:45)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler$AjcClosure1.run(CcgPipelineMessageHandler.java:1)\n\tat org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:167)\n\tat com.sailpoint.tracing.otel.TracedAspect.lambda$traceExecution$0(TracedAspect.java:38)\n\tat com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:170)\n\tat com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:143)\n\tat com.sailpoint.tracing.otel.TracedAspect.traceExecution(TracedAspect.java:40)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler.handleMessage(CcgPipelineMessageHandler.java:37)\n\tat com.sailpoint.pipeline.server.PipelineServer$InboundQueueListener$MessageHandler.run(PipelineServer.java:382)\n\tat java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)\n\tat java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)\n\tat java.base/java.lang.Thread.run(Thread.java:829)\nCaused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n\tat java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)\n\tat java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:366)\n\tat java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)\n\tat java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:304)\n\tat java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)\n\tat java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)\n\tat java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)\n\tat java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)\n\tat java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)\n\tat java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)\n\tat java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:189)\n\tat java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)\n\tat java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1511)\n\tat java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421)\n\tat java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)\n\tat java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427)\n\tat org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)\n\tat org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)\n\tat org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)\n\tat org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)\n\tat org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)\n\tat org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)\n\tat org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)\n\tat org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)\n\tat org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)\n\tat org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)\n\tat org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)\n\tat com.sailpoint.mantisclient.BaseRestClient.executeRequest(BaseRestClient.java:804)\n\tat com.sailpoint.mantisclient.BaseRestClient.execute(BaseRestClient.java:760)\n\t... 29 more\nCaused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n\tat java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)\n\tat java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)\n\tat java.base/sun.security.validator.Validator.validate(Validator.java:264)\n\tat java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)\n\tat java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)\n\tat java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)\n\tat java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)\n\t... 53 more\nCaused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target\n\tat java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)\n\tat java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)\n\tat java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)\n\tat java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)\n\t... 59 more\n","exception_class":"com.sailpoint.mantisclient.exception.baserestclient.BaseRestClientConnectionFailedException","exception_message":"Unable to execute request to URI https://SERVERNAME.COMPANY.net/AIMWebService/api/Accounts?Safe=SAFE&Object=OBJECTNAME&AppID=APPID"},"stack":"ccg","pod":"stg02-useast1","connector-logging":"164","clusterId":"8f0caad380c14ddc80f53ee57a5b82c5","utilities":"1.12.2","buildNumber":"1077","apiUsername":"225478aa-676a-42ed-bdf6-42224c787651","orgType":"","file":"CyberArkCentralCredentialProvider.java","encryption":"1.12.2","messageType":"streaming-aggregation","connector-bundle-identityiq":"257","line_number":144,"@version":1,"cloud-modules-api":"2.1.2","logger_name":"com.sailpoint.credential.provider.impl.CyberArkCentralCredentialProvider","mantis-client":"1.12.2","class":"com.sailpoint.credential.provider.impl.CyberArkCentralCredentialProvider","atlas-api":"2.7.1","va-gateway-client":"60","connector-bundle-utilities":"10","tracing":"1.12.2","clientId":"225478aa-676a-42ed-bdf6-42224c787651","source_host":"3c405dafdf21","method":"lambda$getCredentials$0","org":"genworth-sb","level":"ERROR","IdentityIQ":"8.3p4 Build 4cd878af669-20241202-173620","message":"Exception while fetching secret from URL : api/Accounts","pipeline":"1.12.2","@timestamp":"2025-06-18T18:28:08.024Z","thread_name":"pool-6-thread-4","atlas-util":"2.7.1","metrics":"1.10.5","region":"us-east-1","AppType":"CyberArk Central Credential Provider (CCP)","Application":"CyberArk","request_id":"f084a9c9ef484828817c8ec95a84fba0","queue":"stg02-useast1-genworth-sb-cluster-8f0caad380c1","SCIM Common":"8.0 Build 00b1f252d1b-20200225-190809"}

{"exception":{"stacktrace":"java.lang.RuntimeException: Error while fetching secret secrets://CYBERARKCCP.COMPANY.net/AppID%3DAPPID%26Safe%3DSAFE%26Object%3DOBJECTNAME/Content : Unable to execute request to URI https://SERVERNAME.COMPANY.net/AIMWebService/api/Accounts?Safe=SAFE&Object=OBJECTNAME&AppID=APPID, Please verify provided secret expression\n\tat com.sailpoint.credential.retriever.impl.CcgConnectorCredentialRetriever.getCredentials(CcgConnectorCredentialRetriever.java:228)\n\tat com.sailpoint.credential.retriever.impl.CcgConnectorCredentialRetriever.retrieveCredentials(CcgConnectorCredentialRetriever.java:137)\n\tat com.sailpoint.ccg.credential.provider.util.CredProviderUtil.getCreds(CredProviderUtil.java:97)\n\tat com.sailpoint.ccg.credential.provider.util.CredProviderUtil.fetchLatestCredsAndUpdateSource(CredProviderUtil.java:57)\n\tat com.sailpoint.ccg.cloud.container.Container.getConnector(Container.java:311)\n\tat com.sailpoint.ccg.cloud.container.ContainerIntegration.getConnector(ContainerIntegration.java:91)\n\tat com.sailpoint.ccg.handler.MessageContext.getConnector(MessageContext.java:97)\n\tat com.sailpoint.ccg.aggregation.service.extract.CcgExtractionContextFactory.createForAccount(CcgExtractionContextFactory.java:69)\n\tat com.sailpoint.aggregation.server.service.SourceAggregator.aggregateAccounts(SourceAggregator.java:63)\n\tat com.sailpoint.ccg.handler.StreamingAggregationHandler.invoke(StreamingAggregationHandler.java:190)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler.handleMessage_aroundBody0(CcgPipelineMessageHandler.java:45)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler$AjcClosure1.run(CcgPipelineMessageHandler.java:1)\n\tat org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:167)\n\tat com.sailpoint.tracing.otel.TracedAspect.lambda$traceExecution$0(TracedAspect.java:38)\n\tat com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:170)\n\tat com.sailpoint.tracing.otel.GlobalTracer.trace(GlobalTracer.java:143)\n\tat com.sailpoint.tracing.otel.TracedAspect.traceExecution(TracedAspect.java:40)\n\tat sailpoint.gateway.accessiq.CcgPipelineMessageHandler.handleMessage(CcgPipelineMessageHandler.java:37)\n\tat com.sailpoint.pipeline.server.PipelineServer$InboundQueueListener$MessageHandler.run(PipelineServer.java:382)\n\tat java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)\n\tat java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)\n\tat java.base/java.lang.Thread.run(Thread.java:829)\n","exception_class":"java.lang.RuntimeException","exception_message":"Error while fetching secret secrets://CYBERARKCCP.COMPANY.net/AppID%3DAPPID%26Safe%3DSAFE%26Object%3DOBJECTNAME/Content : Unable to execute request to URI https://SERVERNAME.COMPANY.net/AIMWebService/api/Accounts?Safe=SAFE&Object=OBJECTNAME&AppID=APPID, Please verify provided secret expression"},"stack":"ccg","pod":"stg02-useast1","connector-logging":"164","clusterId":"8f0caad380c14ddc80f53ee57a5b82c5","utilities":"1.12.2","buildNumber":"1077","apiUsername":"225478aa-676a-42ed-bdf6-42224c787651","orgType":"","file":"StreamingAggregationHandler.java","encryption":"1.12.2","messageType":"streaming-aggregation","connector-bundle-identityiq":"257","line_number":392,"@version":1,"cloud-modules-api":"2.1.2","logger_name":"com.sailpoint.ccg.handler.StreamingAggregationHandler","mantis-client":"1.12.2","class":"com.sailpoint.ccg.handler.StreamingAggregationHandler","atlas-api":"2.7.1","va-gateway-client":"60","connector-bundle-utilities":"10","tracing":"1.12.2","clientId":"225478aa-676a-42ed-bdf6-42224c787651","source_host":"3c405dafdf21","method":"logAggregationStats","org":"genworth-sb","level":"ERROR","IdentityIQ":"8.3p4 Build 4cd878af669-20241202-173620","message":"Error in aggregation: java.lang.RuntimeException: Error while fetching secret secrets://CYBERARKCCP.COMPANY.net/AppID%3DAPPID%26Safe%3DSAFE%26Object%3DOBJECTNAME/Content : Unable to execute request to URI https://SERVERNAME.COMPANY.net/AIMWebService/api/Accounts?Safe=SAFE&Object=OBJECTNAME&AppID=APPID, Please verify provided secret expression","pipeline":"1.12.2","@timestamp":"2025-06-18T18:28:08.026Z","thread_name":"pool-6-thread-4","atlas-util":"2.7.1","metrics":"1.10.5","region":"us-east-1","AppType":"CyberArk Central Credential Provider (CCP)","Application":"CyberArk","request_id":"f084a9c9ef484828817c8ec95a84fba0","queue":"stg02-useast1-genworth-sb-cluster-8f0caad380c1","SCIM Common":"8.0 Build 00b1f252d1b-20200225-190809"}

I’m not sure what this means. Wouldn’t the pfx file that the prereqs describe, which I’ve added to both the Credential Provider config and manually copied to the /home/sailpoint/certificates/ directory on all VAs in the cluster, be that internal cert?

Can you get the .pem format of the host and root cert and then try the operation again?

Can you also try this command from your VA and see what the error is:
curl protocol://IP/host:port

I extracted the .pem from the .pfx with the following command:

openssl pkcs12 -legacy -in SailPoint_ISC_Dev.pfx -out SailPoint_ISC_Dev.pem -nodes

I provided the pfx password on prompt. This created the .pem file in /home/sailpoint/certificates. The .pem file includes both -----BEGIN CERTIFICATE----- data as well as -----BEGIN PRIVATE KEY----- data.

I ran sudo systemctl restart ccg on all 4 VAs. I looked at ccg-start.log and found the section where Importing cert /home/sailpoint/certificates/SailPoint_ISC_Dev.pem happens. I am not seeing any errors here, all INFO lines showing caIssuers value (matches with my company).

curl https://SERVER.COMPANY.net/AIMWebService/ gives me “curl: (60) SSL certificate problem: unable to get local issuer certificate”. If I run with -k I get response with 403 Access Denied.
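The curl result above, "unable to get local issuer certificate" (OpenSSL verify error 20), is the same condition the ccg.log reports as "PKIX path building failed": the TLS client has no trust anchor for the CA that signed the AIMWebService server certificate. The PFX uploaded in the CCP config is the VA's client identity for that connection; it is not a trust anchor for the server, so placing it (or the PEM extracted from it) in /home/sailpoint/certificates cannot fix this. The script below is an added example, not from the thread or from SailPoint or CyberArk: it builds a throwaway internal CA and server certificate in a temp directory (the names SERVERNAME.COMPANY.net and SailPoint_ISC_Dev only mirror the thread's placeholders), reproduces error 20 with only the client PFX as the trust file, and shows that the issuing CA's PEM is what makes the server certificate verify.

```shell
#!/bin/sh
# Added example, not from the original thread. Constructed lab PKI in a temp dir.
set -eu
command -v openssl >/dev/null || { echo "openssl required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. An internal root CA (the trust anchor the VA is missing) and the server
#    certificate it issues for the AIMWebService host.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Lab Internal Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=SERVERNAME.COMPANY.net" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 2 -out "$WORK/server.pem" 2>/dev/null

# 2. A client identity packaged as a password-protected PFX, i.e. what the CCP
#    config upload carries. It is self-signed and unrelated to the server's CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=SailPoint_ISC_Dev" \
  -keyout "$WORK/client.key" -out "$WORK/client.pem" 2>/dev/null
openssl pkcs12 -export -in "$WORK/client.pem" -inkey "$WORK/client.key" \
  -out "$WORK/client.pfx" -passout pass:changeit
# Extract only the certificate from the PFX (no private key needed for trust checks).
openssl pkcs12 -in "$WORK/client.pfx" -passin pass:changeit -nokeys -clcerts \
  -out "$WORK/client_from_pfx.pem" 2>/dev/null

# Print the server certificate's issuer DN. This is the CA whose PEM (plus any
# intermediates) has to be present in the VA's trust material.
server_issuer() {
  openssl x509 -in "$WORK/server.pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Verify server.pem against one trust file, the way a truststore lookup would.
# Prints "trusted", or "issuer-missing" for OpenSSL error 20 ("unable to get
# local issuer certificate"), which Java surfaces as PKIX path building failed.
verify_against() {
  out=$(openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1 || true)
  case $out in
    *"unable to get local issuer certificate"*) echo issuer-missing ;;
    *": OK"*) echo trusted ;;
    *) echo "other: $out" ;;
  esac
}

echo "server cert issuer        : $(server_issuer)"
echo "trust file = client PFX   : $(verify_against "$WORK/client_from_pfx.pem")"
echo "trust file = issuing CA   : $(verify_against "$WORK/ca.pem")"
```

On a real VA the equivalent first step is `openssl s_client -connect SERVERNAME.COMPANY.net:443 -servername SERVERNAME.COMPANY.net -showcerts </dev/null`, which prints the server's chain and its issuer; the CyberArk team should then supply that issuing CA (and any intermediate) as PEM, which goes into /home/sailpoint/certificates before restarting ccg, the same directory the ccg-start.log "Importing cert" lines show being loaded. Keep the PFX in the CCP config as before; it solves client authentication, not server trust.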