WSO2 APIM 2.0 clustering deployment issue when generating access token
I deployed 2 Key Manager nodes, 2 pub-store nodes, 1 gateway manager node, and 2 gateway worker nodes in 1 server, and deployed an nginx load balancer. When I try to generate an application access token, the error below is reported:
2016-08-29 03:10:59,558 [-] [http-nio-9443-exec-5] error subscription-add:jag org.jaggeryjs.scriptengine.exceptions.scriptexception: error while obtaining application access token application:defaultapplication
2016-08-29 03:29:37,439 [-] [http-nio-9443-exec-45] error amdefaultkeymanagerimpl error while creating tokens - sun.security.validator.validatorexception: pkix path building failed: sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target
javax.net.ssl.sslhandshakeexception: sun.security.validator.validatorexception: pkix path building failed: sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target
    at sun.security.ssl.alerts.getsslexception(alerts.java:192)
    at sun.security.ssl.sslsocketimpl.fatal(sslsocketimpl.java:1949)
    at sun.security.ssl.handshaker.fatalse(handshaker.java:302)
    at sun.security.ssl.handshaker.fatalse(handshaker.java:296)
    at sun.security.ssl.clienthandshaker.servercertificate(clienthandshaker.java:1509)
    at sun.security.ssl.clienthandshaker.processmessage(clienthandshaker.java:216)
    at sun.security.ssl.handshaker.processloop(handshaker.java:979)
    at sun.security.ssl.handshaker.process_record(handshaker.java:914)
    at sun.security.ssl.sslsocketimpl.readrecord(sslsocketimpl.java:1062)
    at sun.security.ssl.sslsocketimpl.performinitialhandshake(sslsocketimpl.java:1375)
    at sun.security.ssl.sslsocketimpl.starthandshake(sslsocketimpl.java:1403)
    at sun.security.ssl.sslsocketimpl.starthandshake(sslsocketimpl.java:1387)
    at org.apache.http.conn.ssl.sslsocketfactory.connectsocket(sslsocketfactory.java:533)
    at org.apache.http.conn.ssl.sslsocketfactory.connectsocket(sslsocketfactory.java:401)
    at org.apache.http.impl.conn.defaultclientconnectionoperator.openconnection(defaultclientconnectionoperator.java:178)
    at org.apache.http.impl.conn.abstractpoolentry.open(abstractpoolentry.java:144)
    at org.apache.http.impl.conn.abstractpooledconnadapter.open(abstractpooledconnadapter.java:131)
    at org.apache.http.impl.client.defaultrequestdirector.tryconnect(defaultrequestdirector.java:610)
    at org.apache.http.impl.client.defaultrequestdirector.execute(defaultrequestdirector.java:445)
    at org.apache.http.impl.client.abstracthttpclient.doexecute(abstracthttpclient.java:863)
    at org.apache.http.impl.client.closeablehttpclient.execute(closeablehttpclient.java:82)
    at org.apache.http.impl.client.closeablehttpclient.execute(closeablehttpclient.java:106)
    at org.apache.http.impl.client.closeablehttpclient.execute(closeablehttpclient.java:57)
    at org.wso2.carbon.apimgt.impl.amdefaultkeymanagerimpl.getnewapplicationaccesstoken(amdefaultkeymanagerimpl.java:360)
    at org.wso2.carbon.apimgt.impl.apiconsumerimpl.renewaccesstoken(apiconsumerimpl.java:867)
    at org.wso2.carbon.apimgt.impl.userawareapiconsumer.renewaccesstoken(userawareapiconsumer.java:36)
    at org.wso2.carbon.apimgt.hostobjects.apistorehostobject.jsfunction_refreshtoken(apistorehostobject.java:4120)
    ...
caused by: sun.security.validator.validatorexception: pkix path building failed: sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target
    at sun.security.validator.pkixvalidator.dobuild(pkixvalidator.java:387)
    at sun.security.validator.pkixvalidator.enginevalidate(pkixvalidator.java:292)
    at sun.security.validator.validator.validate(validator.java:260)
    at sun.security.ssl.x509trustmanagerimpl.validate(x509trustmanagerimpl.java:324)
    at sun.security.ssl.x509trustmanagerimpl.checktrusted(x509trustmanagerimpl.java:229)
    at sun.security.ssl.x509trustmanagerimpl.checkservertrusted(x509trustmanagerimpl.java:124)
    at sun.security.ssl.clienthandshaker.servercertificate(clienthandshaker.java:1491)
    ... 90 more
caused by: sun.security.provider.certpath.suncertpathbuilderexception: unable to find valid certification path to requested target
    at sun.security.provider.certpath.suncertpathbuilder.build(suncertpathbuilder.java:141)
    at sun.security.provider.certpath.suncertpathbuilder.enginebuild(suncertpathbuilder.java:126)
    at java.security.cert.certpathbuilder.build(certpathbuilder.java:280)
    at sun.security.validator.pkixvalidator.dobuild(pkixvalidator.java:382)
And in the pub-store nodes, I used WSClient for key validation, and used:
<AuthManager>
    <!-- Server URL of the Authentication service -->
    <ServerURL>https://km.devzone.com/services/</ServerURL>
    <!-- Admin username for the Authentication manager. -->
    <Username>${admin.username}</Username>
    <!-- Admin password for the Authentication manager. -->
    <Password>${admin.password}</Password>
    <!-- Indicates whether the permissions checking of the user (on the Publisher and Store) should be done via a remote service. The check will be done on the local server when false. -->
    <CheckPermissionsRemotely>false</CheckPermissionsRemotely>
</AuthManager>
What's the possible config issue?
This happens when you don't have the Key Manager certificate in the Store's trust store. To fix this, export the public certificate from the Key Manager node's JKS file, and import it into the client-truststore.jks of the Store node.
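The export and import steps from the answer above, as an added example that is not part of the original post. It uses the JDK's keytool; the function names are illustrative, and the keystore paths, aliases and passwords in demo() are constructed values on throwaway keystores.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Keystore paths, aliases and
# passwords are supplied by the caller; the values in demo() are constructed.

# has_alias <keystore> <storepass> <alias>: true if the alias is already there.
has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# export_cert <keystore> <storepass> <alias> <out.pem>
# Writes only the public certificate (PEM); the private key stays in the keystore.
export_cert() {
  keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# import_cert <truststore> <storepass> <alias> <cert.pem>
# Refuses to overwrite an existing alias and prints the SHA-256 fingerprint so
# it can be compared with the one taken on the Key Manager node.
import_cert() {
  if has_alias "$1" "$2" "$3"; then
    echo "alias '$3' already exists in $1" >&2
    return 1
  fi
  keytool -printcert -file "$4" | grep 'SHA256:' >&2 || true
  keytool -importcert -noprompt -keystore "$1" -storepass "$2" \
    -alias "$3" -file "$4"
}

# demo: run the whole procedure on throwaway keystores in a temp directory.
demo() {
  _d=$(mktemp -d) || return 1
  keytool -genkeypair -keystore "$_d/km.jks" -storepass changeit \
    -keypass changeit -alias km -keyalg RSA -keysize 2048 -validity 1 \
    -dname "CN=km.devzone.com" >/dev/null 2>&1 || return 1
  export_cert "$_d/km.jks" changeit km "$_d/km.pem" || return 1
  import_cert "$_d/client-truststore.jks" changeit km-devzone "$_d/km.pem" \
    || return 1
  has_alias "$_d/client-truststore.jks" changeit km-devzone
  _rc=$?
  rm -rf "$_d"
  return "$_rc"
}

if [ "${1:-}" = "demo" ]; then demo && echo "certificate trusted"; fi
```

On real nodes, call export_cert against the Key Manager keystore and import_cert against the Store's client-truststore.jks, then restart the Store so the JVM reloads the trust store. If nginx terminates TLS for km.devzone.com, the certificate the Store sees in the handshake is the one nginx serves, so that is the one to import.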