SAP Knowledge Base Article - Preview

3685093 - PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target from SCC

Symptom

While adding or refreshing the subaccount certificate in SCC, the following error appears in the SCC trace (ljs_trace.log / scc_core.trc).

====
20xx-xx-xx xx:xx:xx,xxx +0100#ERROR#com.sap.scc.rt#https-jsse-nio2-8443-exec-9#          #Tunnel account:///<subaccount ID> connect failed
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:377)

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
====



After enabling the TLS trace in SCC (SCC -> "Log and Trace files" -> "TLS trace") and attempting the subaccount connection again, the following additional detail appears for the new attempt.

====
Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx",
      "signature algorithm": "xxxxxxxxxxxxxxxxx",
      "issuer"             : "CN=<custom customer firewall's own CA>",
      "not before"         : "20xx-xx-xx xx:xx:xx.xxx xxx",
      "not  after"         : "20xx-xx-xx xx:xx:xx.xxx xxx",
      "subject"            : "CN=connectivitytunnel.cf.eu20.hana.ondemand.com, O=xxxxxxx, L=xxxxxxxxxxx, ST=xxxxxxxxxxxxxxx, C=xx",
      "subject public key" : "RSA",
      "extensions"         : [
        {
     ...
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx",
      "signature algorithm": "xxxxxxxxxxxxxxxxx",
      "issuer"             : "CN=<custom customer firewall's own CA>",
      "not before"         : "20xx-xx-xx xx:xx:xx.xxx xxx",
      "not  after"         : "20xx-xx-xx xx:xx:xx.xxx xxx",
      "subject"            : "CN=<custom customer firewall's own CA>",
      "subject public key" : "RSA",
      "extensions"         : [
        {
====

This shows that the issuer of the certificate presented on the connection is the CA of a custom firewall appliance, not the standard CA that the BTP engine trusts.

The section below, from the same trace, lists all the root CA certificates trusted by SCC.

X509TrustManagerImpl: adding as trusted certificates (
  "certificate": {
    ...
    "issuer": "CN=Certainly Root E1, O=Certainly, C=US"
    "subject": "CN=Certainly Root E1, O=Certainly, C=US"
    ...
  }
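
An added example, not part of the SAP article or of SCC: a small Python triage script that reads a TLS trace in the format shown above and reports the issuers of the presented chain when no certificate in it matches, by name, a root in the trusted list. The sample trace and the name `CN=Example Firewall CA` are constructed, and matching is by distinguished name only, not by signature.

```python
import re

# Matches "issuer" / "subject" fields but not "subject public key".
FIELD = re.compile(r'"(issuer|subject)"\s*:\s*"([^"]*)"')
PRESENTED = "Consuming server Certificate handshake message"
TRUSTED = "adding as trusted certificates"

def normalize(dn):
    """Compare DNs case-insensitively, ignoring spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_trace(text):
    """Return (presented, trusted): lists of (issuer, subject) per certificate."""
    presented, trusted, bucket, issuer = [], [], None, None
    for line in text.splitlines():
        if PRESENTED in line:
            bucket = presented
        elif TRUSTED in line:
            bucket = trusted
        m = FIELD.search(line)
        if m and bucket is not None:
            if m.group(1) == "issuer":
                issuer = m.group(2)
            elif issuer is not None:
                bucket.append((issuer, m.group(2)))
                issuer = None
    return presented, trusted

def unanchored_issuers(text):
    """Issuers of the presented chain if nothing in it names a trusted root."""
    presented, trusted = parse_trace(text)
    roots = {normalize(subject) for _, subject in trusted}
    anchored = any(normalize(i) in roots or normalize(s) in roots
                   for i, s in presented)
    return [] if anchored else sorted({i for i, _ in presented})

# Constructed sample trace: a leaf and a self-signed CA from an inspecting firewall.
INTERCEPTED = '''Consuming server Certificate handshake message (
      "issuer"             : "CN=Example Firewall CA",
      "subject"            : "CN=connectivitytunnel.cf.eu20.hana.ondemand.com, O=Example",
      "subject public key" : "RSA",
      "issuer"             : "CN=Example Firewall CA",
      "subject"            : "CN=Example Firewall CA",
X509TrustManagerImpl: adding as trusted certificates (
    "issuer": "CN=Certainly Root E1, O=Certainly, C=US"
    "subject": "CN=Certainly Root E1, O=Certainly, C=US"
'''

if __name__ == "__main__":
    print(unanchored_issuers(INTERCEPTED))
```

A non-empty result means the chain on the wire ends at a CA that SCC's trust list does not name, which is the condition behind the PKIX path building error in the first trace.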



Environment

  • SAP Cloud Connector (SCC);
  • SAP Business Technology Platform (BTP).

Product

CONNECTOR FRAMEWORK all versions

Keywords

sap cloud connector, connector, SCC, cloud connector, CC, jvm, digicert, certificate, handshake, TLS, SSL, subaccount, sub-account, tenant, hana.ondemand.com., ondemand.com, certificate, refresh, renew, firewall, router, PKIX, digicert, issuer, SCC, 2.16.0, 2.15.0, 2.15.1, 2.15.2, 2.14.2, 2.14.1. 2.14.0, 2.13.0, 2.12, 2.10, sub-account, subaccount, cloud foundry, Neo, BTP, connection, SSL Engine, SSLEngine, WebUI, Web UI, Issuer, Subject DN, firewall, router, certificate, sign, signed, signing, TLS, TLS-termination, TLS termination, SSL, inspection, DigiCert Global, root CA, CA, hana.ondemand.com, ondemand.com, Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, handshake_failure, handshake failure, handshake  , KBA , BC-MID-SCC , SAP Cloud Connector On-Demand/On-Premise Connectivity , BC-CP-CON , Cloud to On-premise Connectivity service , Problem
