“encrypted EDM data set” using command “edm-secure-cli.bat create” on Windows client failed

Created On 07/19/25 00:51 AM - Last Modified 11/12/25 22:14 PM


Symptom


  • On a Windows client, the “edm-secure-cli.bat create” command fails in the command prompt and returns the error:

“Application failed due to an unknown error. Application is exiting”


  • EDM package logs may show:

“I/O error on GET request for "https://api.dlp.paloaltonetworks.com/v1/public/edm/supported-configuration": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed:”



Environment


  • Enterprise DLP
  • A Windows Client running Windows 10 or higher with Java Runtime/JDK installed
  • If an intermediate NGFW or Prisma Access is in the path, a network configuration that allows the traffic


Cause


This issue may happen due to one or more of the following:

  • The environment variable may be pointing to the wrong Java Runtime folder instead of the Java Runtime required for EDM version 4.0.
  • The customer infrastructure may have firewalls where the required FQDNs are not in the allow list, which prevents SSL communication between the Windows client and the DLP cloud. An example error (logs on Windows):

“I/O error on GET request for "https://api.dlp.paloaltonetworks.com/v1/public/edm/supported-configuration": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed:”

  • Additionally, authorization may fail, so that the access_token is not fetched, because of failed SSL communication or an incorrect client ID and Secret for the service account.


Resolution


The setup prerequisites, including the FQDNs for EDM, are documented at https://docs.paloaltonetworks.com/enterprise-dlp/activation-and-onboarding/setup-prerequisites-for-enterprise-dlp#fqdns-for-edm

  • Verify that the Palo Alto Networks certificates are imported into the Java keystore on Windows.
  • Ensure the EDM config file has the accurate “client ID and Secret”.
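
One way to run the Java runtime and keystore checks from PowerShell on the Windows client. This is an added example, not Palo Alto Networks' own tooling. It assumes the variable in question is JAVA_HOME, that the keystore is the JRE's cacerts file with the JDK default password, and that the client connects directly on port 443:

```powershell
# Added diagnostic sketch, not part of the EDM CLI or vendor documentation.
# Assumptions: the CLI runs on the JRE under JAVA_HOME; cacerts uses the JDK default password.
$hostName  = 'api.dlp.paloaltonetworks.com'   # FQDN taken from the error on this page
$storePass = 'changeit'                        # JDK default; adjust if your keystore differs

# 1. Show which Java runtime the environment resolves to.
if (-not $env:JAVA_HOME) { throw 'JAVA_HOME is not set' }
"JAVA_HOME = $env:JAVA_HOME"
Get-Command java.exe -All -ErrorAction SilentlyContinue |
    ForEach-Object { "java on PATH: $($_.Source)" }
$keytool = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$cacerts = "$env:JAVA_HOME\lib\security\cacerts", "$env:JAVA_HOME\jre\lib\security\cacerts" |
    Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $cacerts -or -not (Test-Path $keytool)) { throw 'keytool or cacerts not found under JAVA_HOME' }

# 2. Capture the certificate chain the client actually receives (as built by Windows).
$script:chainCerts = @()
$capture = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $errors)
    $script:chainCerts = @($chain.ChainElements | ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($_.Certificate.RawData) })
    $true   # accept only so the chain can be inspected; no request is sent on this socket
}
$tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $capture)
    $ssl.AuthenticateAsClient($hostName)
} finally { $tcp.Close() }

# 3. Compare each chain certificate's SHA-256 fingerprint with the entries in Java's cacerts.
$trusted = & $keytool -list -v -keystore $cacerts -storepass $storePass 2>$null |
    Select-String 'SHA256:\s*([0-9A-F:]+)' | ForEach-Object { $_.Matches[0].Groups[1].Value }
$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($c in $script:chainCerts) {
    $fp = [BitConverter]::ToString($sha256.ComputeHash($c.RawData)) -replace '-', ':'
    [pscustomobject]@{
        Subject          = $c.Subject
        Issuer           = $c.Issuer
        InJavaTruststore = $trusted -contains $fp
    }
}
```

If no row reports InJavaTruststore as True, the result is consistent with the PKIX path building error above: the JRE under JAVA_HOME has no trust anchor for the chain it is being served. The Issuer column shows which CA certificate that keystore is missing.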

