I don't know about DataFlow (what is that? but I digress). But for AMQ (remote brokers, really that is all I run) and sometimes other JVM-based apps, in a couple of situations one may need to disable some SSL hostname verification checks.
I've seen SSL/PKIX errors from JVM apps in a couple of cases -- using an intercepting https-proxy and sometimes using TLS to a VIP in front of AMQ brokers (i.e. one IP that is routed to a real active downstream AMQ instance).

In the case of AMQ, adding verifyHostName=false to client connection strings can help. Something like this:

    failover:(ssl://broker-a:61617,ssl://queuebroker-b)?nested.verifyHostName=false

Other times, when I see JVM errors like PKIX (no valid cert path), since I have the CERT for the intercepting proxy, I just import it into my JVM cacerts keyring, via keytool.

NOTE: AMQ clients to my AMQ failover URLs usually get a specific SSL hostname error check (that escapes me at the moment), in my case, as those connections don't typically run thru the SSL proxy (different networks, and such). The PKIX/cert-paths come up routinely in other cases.

HTH

On Tue, Jan 20, 2026 at 7:29 PM Zack Culberson <[email protected]> wrote:

> Hi all,
>
> Has anyone connected to ActiveMQ from Dataflow? We currently are facing
> some issues related to certificates. When it tries to connect to our
> brokers through ssl we get PKIX path building failed.
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target. Currently in Dataflow I have
> a JVMInitializer that will download our truststore.jks file that has the
> root and server cert for our broker and store it into the /tmp folder on
> the worker. I then use the ActiveMQSslConnectionFactory and set the
> truststore location and password within those APIs. But it still fails with
> the above error. I have added debugging to ensure the jks file is
> downloaded, which it is. Are there other things I could try or need to do?
>
> Thank you,
> Zack
>
