
Fix Installation Issue: "PKIX path ..." Error

This technical note will help you resolve an error that some users have encountered when installing Copilot4Eclipse from the Eclipse Marketplace. The problem occurs during the installation process, when the user is presented with an error dialog similar to the one shown below:

This error occurs when:

  1. You are operating behind a network proxy that implements SSL Inspection.
  2. The network proxy is configured with a certificate issued by your organization's private certificate authority.
  3. When the Java runtime hosting Eclipse attempts to create a secure connection to genuitec.com through the proxy, it is unable to trace the proxy's certificate to a trusted certificate authority. As a result, an exception is thrown.

This technical note presents 2 solutions for resolving this issue.


Solution-1: Define genuitec.com as a trusted site

The simplest solution is to trust the *.genuitec.com domains and omit them from the network proxy's SSL inspection. This usually involves asking your network support team to add the *.genuitec.com domains to the network proxy's list of trusted sites. Updating the proxy configuration is typically a quick, low-complexity task.


Solution-2: Provide Java access to your organization's root certificate

In this section we show you how to configure your Eclipse Java runtime to access your organization's root certificate from a local OS truststore during the SSL Inspection setup process. Try this solution only if you or your organization manages organizational certificates on your machine in an OS truststore such as Windows Certificate Manager or macOS Keychain.

macOS and Windows provide security and truststore services for storing and accessing certificates. Organizations frequently use these services for creating and hosting their own organization certificate chains. By design the Java runtime does not access OS truststore services by default when verifying certificates provided by a server such as an internal network proxy implementing SSL Inspection.

We can enable Java to access your OS truststore by setting the javax.net.ssl.trustStoreType system property to the truststore type for the local machine. Java supports the following truststores:

| OS | Truststore | Description |
| --- | --- | --- |
| macOS | KeychainStore | The Apple keychain for certificates and passwords. |
| Windows | WINDOWS-ROOT | The keystore type that identifies the native Microsoft Windows ROOT keystore. It contains the certificates of Root certificate authorities and other self-signed trusted certificates that are only accessible to the current user account. |
| Windows | WINDOWS-MY | The keystore type that identifies the native Microsoft Windows MY keystore. It contains the user's personal certificates and associated private keys that are only accessible to the current user account. |

Set the system property javax.net.ssl.trustStoreType either in the Eclipse eclipse.ini config file or through the JAVA_TOOL_OPTIONS environment variable.

Example eclipse.ini configuration on Windows:

...
-vmargs
-Djavax.net.ssl.trustStoreType=Windows-ROOT
...

Example using the JAVA_TOOL_OPTIONS environment variable:

  1. On macOS, depending upon which shell environment you are using, add the following line to the end of either your ~/.zprofile or ~/.bash_profile file.

     export JAVA_TOOL_OPTIONS="-Djavax.net.ssl.trustStoreType=KeychainStore"

  2. Start/restart Eclipse in a new shell environment that includes the JAVA_TOOL_OPTIONS environment variable.
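
To check Solution-2 outside Eclipse, the following added example (not part of the original note and not Genuitec code) opens the truststore named by javax.net.ssl.trustStoreType and then attempts the same TLS handshake to genuitec.com. The class name TrustStoreCheck and the optional host argument are assumptions made for this example.

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

// Added diagnostic, not Genuitec code. Run with the same option Eclipse gets, e.g.:
//   java -Djavax.net.ssl.trustStoreType=Windows-ROOT TrustStoreCheck.java
// Behind an explicit proxy also pass -Dhttps.proxyHost=... -Dhttps.proxyPort=...
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "genuitec.com";
        String type = System.getProperty("javax.net.ssl.trustStoreType");

        // Step 1: confirm this JVM can open the OS truststore named by the property.
        if (type == null) {
            System.out.println("trustStoreType not set: JVM uses its bundled cacerts file");
        } else {
            KeyStore ks = KeyStore.getInstance(type); // throws KeyStoreException if unsupported here
            ks.load(null, null);                      // OS-backed stores need no stream or password
            System.out.printf("trustStoreType=%s opened, %d entries%n", type, ks.size());
        }

        // Step 2: attempt the TLS handshake and show who issued the certificate we were served.
        HttpsURLConnection conn =
                (HttpsURLConnection) URI.create("https://" + host + "/").toURL().openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try {
            conn.connect();
            for (Certificate c : conn.getServerCertificates()) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("subject: " + x.getSubjectX500Principal().getName());
                    System.out.println("  issuer: " + x.getIssuerX500Principal().getName());
                }
            }
            System.out.println("RESULT: chain validated against the configured truststore");
        } catch (SSLHandshakeException e) {
            // The "PKIX path building failed" text from the install dialog surfaces here.
            System.out.println("RESULT: handshake failed: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

An issuer that names your organization's certificate authority rather than a public one confirms that SSL Inspection is re-signing the connection. Keep in mind that a JAVA_TOOL_OPTIONS setting applies to every JVM started from that shell, whereas the eclipse.ini setting affects Eclipse only.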

Getting Help

We recognize the suggested solutions may not work for every environment. If you are still unable to install Copilot4Eclipse after working through both solutions please see our Help resources for how to connect with our tech support team.


Resources

  1. Stackoverflow Windows discussion
  2. The SunMSCAPI provider enables applications to use the standard JCA/JCE APIs to access the native cryptographic libraries, certificates stores and key containers on Windows.
  3. How to set up Java VM to use the root certificates (truststore) handled by Mac OS X
  4. Java Security Providers - Apple Provider