Troubleshooting security certificate issues
Refer to the following topics to troubleshoot problems that might occur when creating and importing signed certificates.
Infrastructure Management server fails to authenticate users after applying signed certificates.
Probable cause: This error may occur if the Remedy Single Sign-On Server certificate is not imported into the Presentation Server truststore, and if the Presentation Server certificate is not imported into the Infrastructure Management server truststore.
Resolution: As a workaround, perform the following steps:
- Log on to the host computer where the Presentation Server is installed.
- Navigate to the <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security directory location.
Run the following command to import the Remedy Single Sign-On Server certificate into the Presentation Server truststore.
keytool -printcert -sslserver rssoserver.bmc.com:8048 -rfc | keytool -importcert -keystore cacerts -storepass changeit -noprompt -alias rsso_server
Note
rssoserver.bmc.com: Host name of the computer where the Remedy Single Sign-On server is installed.
8048: Remedy Single Sign-On Server port number.
Run the following command to confirm that the Remedy Single Sign-On Server certificate has been imported into the Presentation Server.
keytool -list -keystore cacerts | grep rsso_server
Note
changeit is the default password for the cacerts truststore.
- Log on to the host computer where the TrueSight Infrastructure Management is installed.
- Navigate to the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory location.
Run the following command to import the TrueSight Presentation Server certificate into the Infrastructure Management server truststore.
keytool -printcert -sslserver tspsserver.bmc.com:8043 -rfc | keytool -importcert -keystore pnserver.ks -storepass get2net -noprompt -alias truesightserver
Run the following command to confirm that the TrueSight Presentation Server certificate has been imported into the Infrastructure Management server.
keytool -list -keystore pnserver.ks | grep truesightserver
Note
get2net is the default password for the pnserver.ks keystore.
- Restart the TrueSight Presentation Server.
- Restart the TrueSight Infrastructure Management.
For more information, see the following:
- Implementing private certificates in the Remedy Single Sign-On Server.
- Applying Remedy Single Sign-On Server private certificate to the TrueSight Presentation Server.
- Implementing private certificates in the TrueSight Presentation Server.
- Applying TrueSight Presentation Server certificate to the TrueSight Infrastructure Management.
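The two import commands in this procedure add whatever certificate the remote port presents at that moment, without prompting. As an added example (not part of the BMC documentation), the following shell functions fetch the certificate to a file and import it only when its SHA-256 fingerprint matches a value obtained out-of-band from the server's administrator; the function names and the sample fingerprint are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fingerprint-checked variant of the import pipeline above.
# Function names and the sample data are constructed for illustration.

# Normalise a fingerprint: strip colons and whitespace, upper-case hex.
norm_fp() { printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'; }

# Read `keytool -printcert` text on stdin and print the first SHA-256
# fingerprint (the first certificate listed is the server's own).
first_sha256() { awk '/SHA-?256:/ { print $NF; exit }'; }

# fp_matches EXPECTED < printcert-output ; succeeds only on an exact match.
fp_matches() {
  got=$(first_sha256)
  [ -n "$got" ] && [ "$(norm_fp "$got")" = "$(norm_fp "$1")" ]
}

# pinned_import HOST:PORT ALIAS KEYSTORE EXPECTED_FP
# keytool prompts for the keystore password, keeping it out of the
# process list and shell history.
pinned_import() {
  pem=$(mktemp) || return 1
  if keytool -printcert -sslserver "$1" -rfc > "$pem" &&
     keytool -printcert -file "$pem" | fp_matches "$4"; then
    keytool -importcert -keystore "$3" -alias "$2" -file "$pem" -noprompt
    rc=$?
  else
    echo "fingerprint mismatch or fetch failure for $1: nothing imported" >&2
    rc=2
  fi
  rm -f "$pem"
  return "$rc"
}

# Constructed sample of `keytool -printcert` output (shortened fingerprints).
SAMPLE_PRINTCERT='Owner: CN=rssoserver.bmc.com
Signature algorithm name: SHA256withRSA
Certificate fingerprints:
         SHA1: 11:22:33:44
         SHA256: AB:CD:EF:01'

# Usage on a real host (fingerprint supplied by the RSSO administrator):
#   pinned_import rssoserver.bmc.com:8048 rsso_server cacerts "<expected SHA-256>"
```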
Httpd process is not starting after applying signed certificates to enable Infrastructure Management server browser communication.
After you apply security certificates to secure Infrastructure Management server browser communication, the httpd process fails to start, and Infrastructure Management server fails to display the login screen.
Probable cause: The Infrastructure Management server key and the certificate details might be incorrect in the httpd-conf.conf file.
Resolution: As a workaround, perform the following steps:
- Log on to the host computer where the Infrastructure Management server is installed.
- Using a text editor, open the httpd-ssl.conf file located in the <Infrastructure Management server Installation directory>\pw\apache\conf\extra directory location.
Comment out the instances of the code lines having the SSLCertificateFile and SSLCertificateKeyFile details as shown in the following example code block:
#SSLCertificateFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\my-server.cert"
#SSLCertificateKeyFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\my-server.key"
Insert the code lines with new certificate and key file details as shown in the following example code block:
SSLCertificateFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\tsim.cer"
SSLCertificateKeyFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\tsimSrv.key"
Save and close the httpd-ssl.conf file.
Restart the Infrastructure Management server.
For more information, see Implementing private certificates in the TrueSight Infrastructure Management.
TrueSight Presentation Server fails to display the login screen after the Remedy Single Sign-On server certificate is imported
After you import the Remedy Single Sign-On Server certificate into the Presentation Server truststore, the Presentation Server fails to display the login screen.
Probable cause: The Remedy Single Sign-On Server name details are updated incorrectly in the Presentation Server's configuration files.
Resolution: As a workaround, perform the following steps:
- Navigate to the <TrueSight Presentation Server Installation Directory>\logs directory and using a text editor open the Truesight.log file.
- Ensure that the Remedy Single Sign-On Server host computer details are correct.
- Navigate to the <TrueSight Presentation Server Installation Directory>\logs directory and using a text editor open the Session.output.log file.
- Ensure that the Remedy Single Sign-On Server host computer details are correct.
- Restart the Presentation Server.
TrueSight Presentation Server fails to display the login screen
The Presentation Server fails to display the login screen and displays the following error message:
An error occurred. Please contact your administrator or retry later.
Probable cause: The Remedy Single Sign-On server certificate expiry is one of the probable reasons for this error.
Resolution: As a workaround, do the following:
- Log in to the host computer where the Presentation Server is installed.
Follow one of the methods to import the Remedy Single Sign-On server certificate into the Presentation Server's truststore (cacerts):
TrueSight Presentation Server may display errors after creating and importing security certificates
After you have created a signed certificate and imported it into the Presentation Server keystore, the Presentation Server may display one of the following error messages while launching the login screen:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
ERROR Unable to load library esscfgJNI80 no esscfgJNI80 in java.library.path
ERROR Unable to load library bpwJNI80 no bpwJNI80 in java.library.path
Probable cause: The private key (.p12 file) is not present in the loginvault.ks keystore.
Resolution: As a workaround, perform the following steps:
- Navigate to the <TrueSight Presentation Server Installation Directory>\truesightpserver\conf\secure directory and locate the loginvault.ks file.
- Take a backup of the loginvault.ks file.
Run the following command to import the private key into the loginvault.ks keystore file.
keytool -v -importkeystore -srckeystore tsps.p12 -srcstoretype PKCS12 -destkeystore loginvault.ks -deststoretype JKS
Note
tsps.p12 is the name of the private key. To know how to create a private key for the Presentation Server, see Implementing private certificates in the TrueSight Presentation Server.
Run the following command to ensure that the private key is imported into the loginvault.ks file.
keytool -list -keystore loginvault.ks
Restart the Presentation Server.
Components display Java error PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException while trying to establish communication
When a client component is trying to connect to a server component, the following Java error might be displayed:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Probable cause: The error signifies that the client component doesn't have the public certificate for the server that it is trying to connect to. For example, in the context of Presentation Server to Remedy Single Sign-On Server communication, the Presentation Server is operating as a client and the Remedy Single Sign-On server is operating as a server. In this scenario, if you get the Java error, it means that the Remedy Single Sign-On Server certificate is not found in the Presentation Server truststore.
Resolution: As a workaround, perform the following steps:
Before establishing the communication between a client and a server, ensure that you create a signed certificate for the server and import this certificate to the client's truststore. For example, while establishing the communication between Remedy Single Sign-On Server and Presentation Server, ensure that you create a signed certificate for the Remedy Single Sign-On server and import it into the Presentation Server truststore.
Missing configuration file error
If you are using the OpenSSL utility to create and import signed certificates, there may be a missing openssl.conf file error as shown in the following example:
can't open config file: c:/openssl-win64/ssl/openssl.conf
Probable cause:
The openssl.cnf configuration file is not present in the required directory location.
Resolution: As a workaround, perform the following:
Copy the openssl.conf file to the directory location indicated by the error. For example, if the error is: can't open config file: c:/openssl-win64/ssl/openssl.conf, then copy the openssl.conf file to the c:/openssl-win64/ssl directory.
TrueSight Presentation Server displays certificate expiry error in the TrueSight log file
Presentation Server may log an error in the TrueSight log file indicating that the certificate is expired.
Probable cause: This may occur if you have created signed certificates for the Presentation Server but have not imported them into the cacerts truststore file.
Resolution: As a workaround, perform the following:
Navigate to the directory where the cacerts keystore is located.
Windows operating system: <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security
Linux: <TrueSight Presentation Server Installation Directory>/truesightpserver/modules/jre/lib/security
Copy the cacerts keystore file and rename it as cacerts-update.
List all the keys in the cacerts-update file by running the following command:
keytool -list -keystore cacerts-update -storepass changeit
Note
changeit is the default password for the cacerts-update keystore.
Delete the existing certificate aliases, if any, from the cacerts-update truststore file by running the following commands:
keytool -delete -alias root -keystore cacerts-update -storepass changeit
keytool -delete -alias intermediateCA -keystore cacerts-update -storepass changeit
keytool -delete -alias truesightserver -keystore cacerts-update -storepass changeit
Copy the signed certificates such as RootCA.cer, intermediateCA.cer, and truesightPS.cer to the current directory, and import these certificates into the cacerts-update keystore by running the following commands:
keytool -importcert -trustcacerts -alias root -keystore cacerts-update -storepass changeit -file RootCA.cer
When you are prompted with the Trust this certificate question, type Yes.
keytool -importcert -trustcacerts -alias intermediateCA -keystore cacerts-update -storepass changeit -file intermediateCA.cer
When you are prompted with the Trust this certificate question, type Yes.
keytool -importcert -alias truesightserver -keystore cacerts-update -storepass changeit -file truesightPS.cer
- Rename the cacerts file as cacerts.orig.
- Copy the cacerts-update keystore file and rename it as cacerts.
Restart the Presentation Server.
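Certificate expiry, named here and in the login-screen section above as a probable cause, can be confirmed before any aliases are replaced. As an added example (not part of the BMC documentation), this shell function reads keytool -list -v output and prints each alias whose certificate expired before a given date; the function name and sample listing are constructed, and English-locale keytool output is assumed.

```shell
#!/bin/sh
# Added example: list keystore entries whose certificate has expired.
# Assumes English-locale keytool output; the sample below is constructed.

# expired_aliases YYYYMMDD < `keytool -list -v` output
# Prints "alias<TAB>YYYYMMDD" for every certificate whose "until:" date
# is earlier than the reference date given as the first argument.
# An entry that holds a chain can be reported once per expired certificate.
expired_aliases() {
  awk -v today="$1" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /^Alias name: / { alias = substr($0, 13) }
    /^Valid from: / {
      for (i = 1; i <= NF; i++) if ($i == "until:") break
      if (i > NF) next
      # Java date layout after "until:": Dow Mon dd HH:mm:ss zone yyyy
      notafter = sprintf("%04d%02d%02d", $(i+6), mon[$(i+2)], $(i+3))
      if (notafter + 0 < today + 0) print alias "\t" notafter
    }'
}

# Constructed sample of `keytool -list -v` output (fields trimmed).
SAMPLE_LIST='Alias name: rsso_server
Entry type: trustedCertEntry
Owner: CN=rssoserver.bmc.com
Valid from: Tue Jan 05 10:00:00 UTC 2021 until: Wed Jan 05 10:00:00 UTC 2022

Alias name: truesightserver
Entry type: trustedCertEntry
Owner: CN=tspsserver.bmc.com
Valid from: Mon Mar 04 08:00:00 UTC 2024 until: Sun Mar 04 08:00:00 UTC 2029'

# Run against the sample with a fixed reference date.
printf '%s\n' "$SAMPLE_LIST" | expired_aliases 20240601

# Real use, from the directory that holds the truststore:
#   keytool -list -v -keystore cacerts -storepass changeit |
#     expired_aliases "$(date +%Y%m%d)"
```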
IT Data Analytics server fails to display the login screen after upgrading
When you upgrade IT Data Analytics to the current version, the server fails to display the login screen.
Probable cause: The custom certificate in the bmcitda.jks keystore is deleted as the bmcitda.jks keystore is overwritten by the default keystore that is bundled with the upgrade installer.
Workaround:
- Take a backup of the bmcitda.jks keystore before upgrading:
- (Microsoft Windows) <IT Data Analytics installation directory>\tomcat\conf\bmcitda.jks
- (Linux) <IT Data Analytics installation directory>/tomcat/conf/bmcitda.jks
- Restore the keystore after upgrading to the current version.
- Restart the IT Data Analytics server.
The TrueSight console fails to cross-launch to TrueSight Infrastructure Management
The Presentation Server may display the following error, when you try to cross-launch from the TrueSight console to TrueSight Infrastructure Management:
Initialization of connection is in progress, or the connectivity was lost between the Infrastructure Management Server and the Presentation Server. If you have configured a secure communication between the Presentation Server and the Infrastructure Management Server, ensure that the Presentation Server certificate is imported into the Infrastructure Management Server.
Probable cause: The Presentation Server may not have a valid TrueSight Infrastructure Management certificate.
Workaround:
- Run the tssh certificate verify TSIM command to verify that the Infrastructure Management Server certificate is valid. For details, see Creating and importing certificates in TrueSight Presentation Server.
- If the Infrastructure Management Server certificate is expired, run the tssh certificate import TSIM command to import a valid certificate from the Infrastructure Management Server into the Presentation Server. For details, see Creating and importing certificates in TrueSight Presentation Server.
- Restart the Presentation Server.
The certifying authority (CA) rejected the certificate signing request (CSR) for Remedy Single Sign-On server due to missing email details
Probable cause: The CSR created for Remedy Single Sign-On server did not contain the email details.
Resolution: As a workaround, perform the following steps:
Create the CSR again with the email details as shown in the following code block and submit the CSR to CA for signing:
#Syntax
keytool -v -certreq -alias <alias name> -keystore <keystore name> -storepass <keystore password> -storetype JKS -dname "CN=<SSO_Server.FQDN>,OU=<Organizational Unit name>,O=<Organization Name>,L=<City>,ST=<State>,C=<2LetterCountryCode>,EMAILADDRESS=<email id>" -ext "san=dns:<RSSO_Server.FQDN>" -file <CSR file name>
#Example
keytool -v -certreq -alias rssoserver -keystore loginvault-update.ks -storepass changeit -storetype JKS -dname "CN=RSSOHost.bmc.com,OU=Customer Engineering,O=BMC Software Inc,L=Houston,ST=Texas,C=US,EMAILADDRESS=your.name@bmc.com" -ext "san=dns:RSSOHost.bmc.com" -file RSSO.csr
For details, see Implementing private certificates in the Remedy Single Sign-On Server.
Where to go from here
To check other troubleshooting information, see Troubleshooting.
For more information about creating and importing signed certificates, see Implementing private certificates in TrueSight Operations Management.