Troubleshooting security certificate issues

Refer to the following topics to troubleshoot problems that might occur when creating and importing signed certificates.

Infrastructure Management server fails to authenticate users after applying signed certificates.

Probable cause: This error may occur if the Remedy Single Sign-On Server certificate is not imported into the Presentation Server truststore, and if the Presentation Server certificate is not imported into the Infrastructure Management server truststore.

Resolution: As a workaround, perform the following steps:

  1. Log on to the host computer where the Presentation Server is installed.
  2. Navigate to the <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security directory location.
  3. Run the following command to import the Remedy Single Sign-On Server certificate into the Presentation Server truststore. 

    keytool -printcert -sslserver rssoserver.bmc.com:8048 -rfc | keytool -importcert -keystore cacerts -storepass changeit -noprompt -alias rsso_server

    Note

    rssoserver.bmc.com: Host name of the computer where the Remedy Single Sign-On server is installed.

    8048: Remedy Single Sign-On Server port number.

  4. Run the following command to confirm that the Remedy Single Sign-On Server certificate has been imported into the Presentation Server.

    keytool -list -keystore cacerts | grep rsso_server

    Note

    changeit is the default password for the cacerts truststore. 

  5. Log on to the host computer where the TrueSight Infrastructure Management is installed.
  6. Navigate to the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory location.
  7. Run the following command to import the TrueSight Presentation Server certificate into the Infrastructure Management server truststore. 

    keytool -printcert -sslserver tspsserver.bmc.com:8043 -rfc | keytool -importcert -keystore pnserver.ks -storepass get2net -noprompt -alias truesightserver

  8. Run the following command to confirm that the TrueSight Presentation Server certificate has been imported into the Infrastructure Management server.

    keytool -list -keystore pnserver.ks | grep truesightserver

    Note

    get2net is the default password for the pnserver.ks keystore. 

  9. Restart the TrueSight Presentation Server.
  10. Restart the TrueSight Infrastructure Management.
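
The import commands in steps 3 and 7 use -noprompt, so whatever certificate the server presents at that moment becomes trusted. The following added example (not part of the product documentation) shows a gate that can sit between fetching and importing: it compares the certificate's SHA-256 fingerprint with a value obtained from the server's administrator and rejects expired or soon-to-expire certificates. It uses openssl; the host name, file names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example: vet a certificate file before it is imported into a truststore.
# Host name, file names and the 30-day threshold are assumptions for the demo.

# SHA-256 fingerprint of a PEM certificate as lowercase hex without colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# vet_cert <pem-file> <expected-sha256> [min-days-left]
# Prints a one-word verdict; returns 0 only when the verdict is "ok".
vet_cert() {
    pem=$1
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    min_days=${3:-30}
    got=$(cert_sha256 "$pem")
    [ -n "$got" ] || { echo unreadable; return 2; }
    # The expected value must come from the server's administrator, not the network.
    [ "$got" = "$want" ] || { echo fingerprint-mismatch; return 1; }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo expired; return 1; }
    openssl x509 -in "$pem" -noout -checkend "$((min_days * 86400))" >/dev/null ||
        { echo expiring-soon; return 1; }
    echo ok
}

# Constructed sample: a self-signed certificate valid for <days> days.
make_demo_cert() {    # make_demo_cert <out-dir> <days>
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=rssoserver.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_cert "$dir" 90
    pin=$(cert_sha256 "$dir/cert.pem")     # stands in for the out-of-band value
    wrong=$(printf '%064d' 0)              # constructed non-matching fingerprint
    echo "matching pin:   $(vet_cert "$dir/cert.pem" "$pin")"
    echo "wrong pin:      $(vet_cert "$dir/cert.pem" "$wrong")"
    echo "120-day window: $(vet_cert "$dir/cert.pem" "$pin" 120)"
    rm -rf "$dir"
}
demo

# In the procedure above the same gate would sit between fetch and import:
#   keytool -printcert -sslserver rssoserver.bmc.com:8048 -rfc > rsso.pem
#   vet_cert rsso.pem "<fingerprint from the RSSO administrator>" &&
#     keytool -importcert -file rsso.pem -keystore cacerts -alias rsso_server
```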

For more information, see the following:

Httpd process is not starting after applying signed certificates to enable Infrastructure Management server browser communication.

After you apply security certificates to secure Infrastructure Management server browser communication, the httpd process fails to start, and Infrastructure Management server fails to display the login screen.

Probable cause: The Infrastructure Management server key and the certificate details might be incorrect in the httpd-conf.conf file.

Resolution: As a workaround, perform the following steps:

  1. Log on to the host computer where the Infrastructure Management server is installed.
  2. Using a text editor, open the httpd-ssl.conf file located in the <Infrastructure Management server Installation directory>\pw\apache\conf\extra directory location.
  3. Comment out the instances of the code lines having the SSLCertificateFile and SSLCertificateKeyFile details as shown in the following example code block: 

    #SSLCertificateFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\my-server.cert"

    #SSLCertificateKeyFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\my-server.key"

  4. Insert the code lines with new certificate and key file details as shown in the following example code block:  

    SSLCertificateFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\tsim.cer"

    SSLCertificateKeyFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\tsimSrv.key"

  5. Save and close the httpd-ssl.conf file.

  6. Restart the Infrastructure Management server.

For more information, see Implementing private certificates in the TrueSight Infrastructure Management.

TrueSight Presentation Server fails to display the login screen after the Remedy Single Sign-On server certificate is imported

After you import the Remedy Single Sign-On Server certificate into the Presentation Server truststore, the Presentation Server fails to display the login screen.

Probable cause: The Remedy Single Sign-On Server name details are updated incorrectly in the Presentation Server's configuration files.

Resolution: As a workaround, perform the following steps:

  1. Navigate to the <TrueSight Presentation Server Installation Directory>\logs directory and using a text editor open the Truesight.log file.
  2. Ensure that the Remedy Single Sign-On Server host computer details are correct.
  3. Navigate to the <TrueSight Presentation Server Installation Directory>\logs directory and using a text editor open the Session.output.log file.
  4. Ensure that the Remedy Single Sign-On Server host computer details are correct.
  5. Restart the Presentation Server.

TrueSight Presentation Server fails to display the login screen

The Presentation Server fails to display the login screen and displays the following error message:

An error occurred. Please contact your administrator or retry later.

Probable cause: The Remedy Single Sign-On server certificate expiry is one of the probable reasons for this error.

Resolution: As a workaround, do the following:

  1. Log in to the host computer where the Presentation Server is installed.
  2. Follow one of the following methods to import the Remedy Single Sign-On server certificate into the Presentation Server's truststore (cacerts):

      Using the tssh certificate import RSSO command:

      1. Run the tssh certificate import RSSO command.
      2. The command prompts you to type the name and path of the backup directory where you want to extract the certificates. For example, C:\Cert_backup.
        The command takes a backup of the respective truststore file. For example, the Remedy Single Sign-On certificate is imported into the cacerts truststore file. Therefore, cacerts is backed up as cacerts-update_<timestamp>.ts and saved in the specified backup directory (C:\Cert_backup).
      3. The command prompts you to enter the component details in the <hostname:port> format. Enter the FQDN of the component for the hostname, and 448 as the port number. If you do not specify a port number, the command uses the default port number 443.
      4. The command prompts you to enter an alias name for the Remedy Single Sign-On server certificate that needs to be imported into the Presentation Server truststore. For example, rssoserver.
      5. The command checks whether a certificate with the same alias name already exists. If one exists, the command prompts you to confirm whether the existing certificate alias can be deleted. If you choose to delete the existing certificate alias, the new Remedy Single Sign-On certificate with the alias name that you entered (rssoserver) is imported into the cacerts-update_<timestamp>.ts truststore file. If you choose not to delete the existing certificate alias, the command exits with an error message indicating an unsuccessful certificate import. The command performs the following actions without any user intervention:
        1. Takes a backup of the original truststore file. For example, the cacerts file is saved as cacerts-origin_<timestamp> in the backup directory (C:\Cert_backup). If any issues occur and you want to restore the original truststore file, you can use the cacerts-origin_<timestamp> file.
        2. Replaces the production environment truststore file with the truststore file having the latest signed certificates. For example, the cacerts file is replaced with the cacerts-update_<timestamp> file. This ensures that the production environment truststore file has the latest CA-signed certificates imported into it.
      6. The command prompts you to confirm whether you want to restart the Presentation Server. If you choose not to restart the Presentation Server, ensure that you restart it manually so that the certificate changes are reflected.
        Note: The certificate import changes are reflected only after you restart the Presentation Server.

      Using the keytool utility:

      1. The keytool utility that is used to import certificates is present in the <Presentation Server Installation Directory>\truesightpserver\modules\jre\bin directory. Add this directory path to the PATH environment variable by running the following command:

        #Microsoft Windows
        set PATH=<Presentation Server Installation Directory>\truesightpserver\modules\jre\bin;%PATH%
        #Unix
        export PATH=<Presentation Server Installation Directory>/truesightpserver/modules/jre/bin:$PATH
      2. Navigate to the <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security directory and locate the cacerts truststore file.

      3. Take a backup of the cacerts file and name it as cacerts-update.

      4. Copy the Remedy Single Sign-On server certificate to this directory.

      5. List all the keys in the cacerts-update keystore by running the following command: 

        keytool -list -keystore cacerts-update -storetype JKS -storepass changeit
      6. Delete the existing Remedy Single Sign-On server certificate alias from the cacerts-update as shown in the following example: 

        #Syntax
        keytool.exe -delete -alias <alias name> -keystore <keystore name> -storepass <keystore password>
        #Example
        keytool.exe -delete -alias remedysso -keystore cacerts-update -storepass changeit

        Note: remedysso is the Remedy Single Sign-On server certificate alias name. If the Remedy Single Sign-On server certificate alias has a different name, then use the relevant alias name in the preceding command.

      7. Import the Remedy Single Sign-On server certificate into the cacerts-update truststore by running the following command: 

        keytool -import -alias remedysso -file "<TrueSight Presentation Server Installation Directory>\temp\certificates\RemedySSO.cer" -keystore cacerts-update -storepass changeit

        Parameter description

        • RemedySSO.cer: Name and path of the CA-signed certificate obtained from the Remedy Single Sign-On Server. If this name is different, use the relevant file name and path in the preceding command.

        • changeit: Default password for the cacerts-update truststore. 
      8. You are prompted with the following message, type Yes:

        Trust this certificate [no]:

      9. Rename cacerts to cacerts.orig

      10. Copy cacerts-update to cacerts.
      11. Restart the Presentation Server.

TrueSight Presentation Server may display errors after creating and importing security certificates

After you have created a signed certificate and imported it into the Presentation Server keystore, the Presentation Server may display one of the following error messages while launching the login screen:

  • ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  • ERROR Unable to load library esscfgJNI80 no esscfgJNI80 in java.library.path
  • ERROR Unable to load library bpwJNI80 no bpwJNI80 in java.library.path

 

Probable cause: The private key (.p12 file) is not present in the loginvault.ks keystore.

Resolution: As a workaround, perform the following steps:

  1. Navigate to the <TrueSight Presentation Server Installation Directory>\truesightpserver\conf\secure directory and locate loginvault.ks file.
  2. Take a backup of the loginvault.ks file.
  3. Run the following command to import the private key into the loginvault.ks keystore file. 

    keytool -v -importkeystore -srckeystore tsps.p12 -srcstoretype PKCS12 -destkeystore loginvault.ks -deststoretype JKS

    Note

    tsps.p12 is the name of the private key. To know how to create a private key for the Presentation Server, see Implementing private certificates in the TrueSight Presentation Server.

  4. Run the following command to ensure that the private key is imported into the loginvault.ks file.

    keytool -list -keystore loginvault.ks

  5. Restart the Presentation Server.

Components display Java error PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException while trying to establish communication

When a client component is trying to connect to a server component, the following Java error might be displayed:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Probable cause: The error signifies that the client component does not have the public certificate for the server that it is trying to connect to. For example, in the context of Presentation Server to Remedy Single Sign-On Server communication, the Presentation Server is operating as a client and the Remedy Single Sign-On server is operating as a server. In this scenario, if you get the Java error, it means that the Remedy Single Sign-On Server certificate is not found in the Presentation Server truststore.

Resolution: As a workaround, perform the following steps:

Before establishing the communication between a client and a server, ensure that you create a signed certificate for the server and import this certificate to the client's truststore. For example, while establishing the communication between Remedy Single Sign-On Server and Presentation Server, ensure that you create a signed certificate for the Remedy Single Sign-On server and import it into the Presentation Server truststore.
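
The trust decision behind this error can be reproduced offline. The following added example (not part of the product documentation) uses openssl verify in place of the Java truststore lookup: a PEM bundle stands in for the client's truststore, and all certificates and host names are constructed. It also covers the case where the server later replaces its certificate, which brings the failure back until the new certificate is imported.

```shell
#!/bin/sh
# Added example: the trust decision behind "PKIX path building failed",
# reproduced with openssl instead of keytool. All certificates are constructed.

# Constructed sample: a fresh self-signed certificate for <cn>, written to <out.pem>.
new_cert() {    # new_cert <cn> <out.pem>
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# path_check <truststore.pem> <server-cert.pem>
# Prints "trusted" (return 0) when the certificate validates against an entry in
# the bundle, otherwise "no-valid-path" (return 1), which is the PKIX failure case.
path_check() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo no-valid-path
        return 1
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    new_cert "unrelated.example.test" "$dir/other.pem"
    new_cert "rssoserver.example.test" "$dir/rsso.pem"

    # Client truststore that does not yet contain the server certificate.
    cp "$dir/other.pem" "$dir/truststore.pem"
    echo "before import: $(path_check "$dir/truststore.pem" "$dir/rsso.pem")"

    # Equivalent of keytool -importcert on the client side.
    cat "$dir/rsso.pem" >> "$dir/truststore.pem"
    echo "after import:  $(path_check "$dir/truststore.pem" "$dir/rsso.pem")"

    # The server replaces its certificate (same CN, new key): the stored entry
    # no longer matches, and the failure returns until the new one is imported.
    new_cert "rssoserver.example.test" "$dir/rsso-renewed.pem"
    echo "after renewal: $(path_check "$dir/truststore.pem" "$dir/rsso-renewed.pem")"
    rm -rf "$dir"
}
demo
```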

Missing configuration file error

If you are using OpenSSL utility to create and import signed certificates, there may be a missing openssl.conf file error as shown in the following example:

can't open config file: c:/openssl-win64/ssl/openssl.conf

Probable cause: 

The openssl.cnf configuration file is not present in the required directory location.

Resolution: As a workaround, perform the following:

Copy the openssl.conf file to the directory location indicated by the error. For example, if the error is: can't open config file: c:/openssl-win64/ssl/openssl.conf, then copy the openssl.conf file to the c:/openssl-win64/ssl directory.

TrueSight Presentation Server displays certificate expiry error in the TrueSight log file

Presentation Server may log an error in the TrueSight log file indicating that the certificate is expired. 

Probable cause: This may occur if you have created signed certificates for the Presentation Server but have not imported them into the cacerts truststore file.

Resolution: As a workaround, perform the following:

  1. Navigate to the directory where the cacerts keystore is located.

    Windows operating system: <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security 

    Linux: <TrueSight Presentation Server Installation Directory>/truesightpserver/modules/jre/lib/security

  2. Copy the cacerts keystore file and rename the copy as cacerts-update.

  3. List all the keys in the cacerts-update by running the following command: 

    keytool -list -keystore cacerts-update -storepass changeit


    Note

    changeit is the default password for the cacerts-update keystore. 

  4. Delete the existing certificate aliases, if any, from the cacerts-update truststore file by running the following commands:

    keytool -delete -alias root -keystore cacerts-update -storepass changeit

    keytool -delete -alias intermediateCA -keystore cacerts-update -storepass changeit

    keytool -delete -alias truesightserver -keystore cacerts-update -storepass changeit


  5. Copy the signed certificates such as RootCA.cer, intermediateCA.cer, and truesightPS.cer to the current directory, and import these certificates into the cacerts-update keystore by running the following commands:

    keytool -importcert -trustcacerts -alias root -keystore cacerts-update -storepass changeit -file RootCA.cer

    You are prompted with the Trust this certificate question, type Yes

    keytool -importcert -trustcacerts -alias intermediateCA -keystore cacerts-update -storepass changeit -file intermediateCA.cer

    You are prompted with the Trust this certificate question, type Yes

    keytool -importcert -alias truesightserver -keystore cacerts-update -storepass changeit -file truesightPS.cer


  6. Rename the cacerts file as cacerts.orig.
  7. Copy cacerts-update keystore file and rename it as cacerts.
  8. Restart the Presentation Server.

IT Data Analytics server fails to display the login screen after upgrading

When you upgrade IT Data Analytics to the current version, the server fails to display the login screen.

Probable cause: The custom certificate in the bmcitda.jks keystore is deleted as the bmcitda.jks keystore is overwritten by the default keystore that is bundled with the upgrade installer.

Workaround:

  1. Take a backup of the bmcitda.jks keystore before upgrading:
    • (Microsoft Windows) <IT Data Analytics installation directory>\tomcat\conf\bmcitda.jks
    • (Linux) <IT Data Analytics installation directory>/tomcat/conf/bmcitda.jks
  2. Restore the keystore after upgrading to the current version.
  3. Restart the IT Data Analytics server.

The TrueSight console fails to cross-launch to TrueSight Infrastructure Management

The Presentation Server may display the following error, when you try to cross-launch from the TrueSight console to TrueSight Infrastructure Management:

Initialization of connection is in progress, or the connectivity was lost between the Infrastructure Management Server and the Presentation Server. If you have configured a secure communication between the Presentation Server and the Infrastructure Management Server, ensure that the Presentation Server certificate is imported into the Infrastructure Management Server.

Probable cause: The Presentation Server may not have a valid TrueSight Infrastructure Management certificate.

Workaround:

  1. Run the tssh certificate verify TSIM command to verify that the Infrastructure Management Server certificate is valid. For details, see Creating and importing certificates in TrueSight Presentation Server.
  2. If the Infrastructure Management Server certificate is expired, run the tssh certificate import TSIM command to import a valid certificate from the Infrastructure Management Server into the Presentation Server. For details, see Creating and importing certificates in TrueSight Presentation Server.
  3. Restart the Presentation Server.

The certifying authority (CA) rejected the certificate signing request (CSR) for Remedy Single Sign-On server due to missing email details

Probable cause: The CSR created for Remedy Single Sign-On server did not contain the email details.

Resolution: As a workaround, perform the following steps:

Create the CSR again with the email details as shown in the following code block and submit the CSR to CA for signing: 

#Syntax
keytool -v -certreq -alias <alias name> -keystore <keystore name> -storepass <keystore password> -storetype JKS -dname "CN=<SSO_Server.FQDN>,OU=<Organizational Unit name>,O=<Organization Name>,L=<City>,ST=<State>,C=<2LetterCountryCode>,EMAILADDRESS=<email id>" -ext "san=dns:<RSSO_Server.FQDN>" -file <CSR file name>
#Example
keytool -v -certreq -alias rssoserver -keystore loginvault-update.ks -storepass changeit -storetype JKS -dname "CN=RSSOHost.bmc.com,OU=Customer Engineering,O=BMC Software Inc,L=Houston,ST=Texas,C=US,EMAILADDRESS=your.name@bmc.com" -ext "san=dns:RSSOHost.bmc.com" -file RSSO.csr

For details, see Implementing private certificates in the Remedy Single Sign-On Server.

Where to go from here

To check other troubleshooting information, see Troubleshooting.

For more information about creating and importing signed certificates, see Implementing private certificates in TrueSight Operations Management.
