After you install the Workspace ONE Access connector, the Directory Sync, User Auth, Kerberos Auth, and Virtual App services do not appear on the Connectors page in the Workspace ONE Access console.
Problem
After you install the connector, the enterprise services that you installed are not registered with the Workspace ONE Access service and do not appear on the Connectors page.
The logs display an error similar to the following:
Unable to register EDS javax.net.ssl.SSLHandshakeException: Failed to create SSL connection Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Solution
This problem occurs if you are using a self-signed certificate for your on-premises Workspace ONE Access service instance and you did not upload the certificate to the connector truststore while installing the connector. As a result, the connector does not trust the Workspace ONE Access service.
To resolve the issue, import the Workspace ONE Access service certificate to the keystore of each enterprise service that you installed.
- Download the Workspace ONE Access service certificate.
- If the connector is running in FIPS mode, convert the downloaded certificate to BCFKS format.
- On the connector Windows server, navigate to the connector installation directory.
The installation directory is typically C:\Program Files\Workspace ONE Access.
- Run the following command for each enterprise service:
.\Support\scripts\installRootCa.bat -ca "<Downloaded certificate path>" -trustStore ".\<enterprise service name>\conf\certs\cacerts" -trustStorePwdFile ".\<enterprise service name>\conf\certs\cakeystore.pass"
Replace <Downloaded certificate path> with the path to the downloaded Workspace ONE Access service certificate. Replace <enterprise service name> with the name of the enterprise service: Directory Sync Service, User Auth Service, Kerberos Auth Service, or Virtual App Service. For example:
.\Support\scripts\installRootCa.bat -ca "C:\MyCerts\example.crt" -trustStore ".\Directory Sync Service\conf\certs\cacerts" -trustStorePwdFile ".\Directory Sync Service\conf\certs\cakeystore.pass"
- Verify that the certificate was added correctly to the keystore by running the following command for each enterprise service:
keytool -v -list -keystore "<INSTALL_DIR>\<enterprise service name>\conf\certs\cacerts" -storepass:file "<INSTALL_DIR>\<enterprise service name>\conf\certs\cakeystore.pass" > keytool_dump.txt
For example:
keytool -v -list -keystore "C:\Program Files\Workspace ONE Access\Directory Sync Service\conf\certs\cacerts" -storepass:file "C:\Program Files\Workspace ONE Access\Directory Sync Service\conf\certs\cakeystore.pass" > keytool_dump.txt
This command lists all the certificates in the enterprise service's keystore and stores the information in the keytool_dump.txt file.
- Restart all the enterprise services.
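The import and verification steps above, run as one PowerShell loop over the four enterprise services. This is an added example, not part of the VMware documentation. It assumes the typical installation directory, the example certificate path from the text, a non-FIPS connector (a PEM or DER certificate file), and keytool on the PATH. The SHA-256 fingerprint comparison is an addition to the manual keytool dump, so that you confirm the certificate you downloaded is the one now trusted.

```powershell
# Added example. Paths are assumptions taken from the page's own examples.
$installDir = 'C:\Program Files\Workspace ONE Access'   # typical install directory
$caPath     = 'C:\MyCerts\example.crt'                  # downloaded service certificate
$services   = 'Directory Sync Service', 'User Auth Service',
              'Kerberos Auth Service', 'Virtual App Service'

# SHA-256 fingerprint of the downloaded certificate in keytool's AA:BB:.. form.
$cert     = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caPath)
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$expected = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)).Replace('-', ':')
$sha256.Dispose()
Write-Host "Certificate: $($cert.Subject)"
Write-Host "Expires:     $($cert.NotAfter)"
Write-Host "SHA256:      $expected"

$failed = @()
Push-Location $installDir
try {
    foreach ($svc in $services) {
        $store   = ".\$svc\conf\certs\cacerts"
        $pwdFile = ".\$svc\conf\certs\cakeystore.pass"

        # Only the enterprise services you installed have a truststore.
        if (-not (Test-Path $store)) {
            Write-Host "${svc}: not installed, skipping"
            continue
        }

        # Import step from the procedure.
        & .\Support\scripts\installRootCa.bat -ca $caPath -trustStore $store -trustStorePwdFile $pwdFile

        # Verification step: dump the truststore and look for the fingerprint.
        $dump = & keytool -v -list -keystore $store '-storepass:file' $pwdFile 2>&1 | Out-String
        if ($dump.ToUpperInvariant().Contains($expected)) {
            Write-Host "${svc}: certificate present in truststore"
        } else {
            Write-Warning "${svc}: fingerprint not found in truststore"
            $failed += $svc
        }
    }
}
finally { Pop-Location }

if ($failed.Count -gt 0) {
    Write-Warning "Import not confirmed for: $($failed -join ', ')"
} else {
    Write-Host 'All installed services trust the certificate. Restart the enterprise services.'
}
```

Compare the printed SHA256 value with the fingerprint of the certificate that the Workspace ONE Access service presents before you rely on the import, since anything placed in the truststore is trusted by the connector.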