The "Test Connection" in the Glue Console only verifies network connectivity, not whether the SSL certificate is trusted during job runtime.

The actual job runtime uses a separate JVM where the certificate must be available and trusted. If AWS Glue can’t validate the server certificate chain during the job run, it throws the PKIX path building failed error.

This typically happens when:

The SAP OData SSL certificate is self-signed or issued by a private CA.

The certificate isn’t properly loaded at runtime for the job to trust it.

✅ What You’ve Done (Good Steps):

You're already trying to add the certificate using:

"JdbcEnforceSsl": "true",

"CustomJdbcCert": "s3://{bucket}/cert/{cert}"

✅ That’s correct — this tells AWS Glue to load a custom certificate.

📌 What to Check / Do Next:

1. Certificate Format

Make sure the certificate is in PEM format (.crt or .pem), not DER or PFX.

2. Certificate Path in S3

Ensure the file exists at the correct path and is publicly readable by the Glue job (via IAM role).

Example:

s3://your-bucket-name/cert/sap_server.crt

3. Permissions

The Glue job role must have permission to read the certificate from S3. Add this to the role policy:

{

"Effect": "Allow",

"Action": "s3:GetObject",

"Resource": "arn:aws:s3:::your-bucket-name/cert/*"

}

4. Recheck Key Option Names

Make sure you didn’t misspell any keys like CustomJdbcCert or JdbcEnforceSsl. They are case-sensitive.

5. Glue Version Compatibility

If using Glue 3.0 or earlier, try upgrading to Glue 4.0, which has better support for custom JDBC certificate handling.

6. Restart Job after Changes

After uploading or changing the certificate, restart the job — don’t rely on retries alone.