This documentation supports the 21.05 version of Action Request System.

Troubleshooting Secure Sockets Layer related issues for AR System Server and Mid Tier

On the AR System Server and Mid Tier, you configure Secure Sockets Layer (SSL) for the following scenarios:

  • Apache Tomcat publishing web services over HTTPS
  • Developer Studio loading a WSDL over HTTPS
  • Mid Tier making HTTPS calls to Smart Reporting

If an issue occurs when you enable SSL or while you work with SSL, check the following symptoms.

Symptoms

    • A Jetty service or Apache Tomcat service does not start when you enable the SSL.
    • A Jetty service or Apache Tomcat service starts, but the port does not respond.
    • Unable to establish connection between SSL and Remedy:
      • Connection from a browser to Apache Tomcat (Mid Tier)
      • Connection from the REST client to Jetty server
      • Connection from the Developer Studio to Mid Tier while retrieving WSDL from the Mid Tier
      • When a workflow calls the third-party REST API
      • When a workflow calls the third-party SOAP Web service
      • When loading a third-party WSDL to Developer Studio
      • When a Java application, such as Developer Studio, tries to establish a connection with an SSL endpoint.
      • When a Java application, such as Developer Studio, tries to establish a connection with an SSL endpoint that requires a client certificate.

Scope

All applications and clients where the SSL is enabled.

Resolution

Perform the following steps to make sure that an SSL connection is established between the AR System Server/Mid Tier and client:

Step 1: Install SSL certificates on the AR System Server to enable the SSL service

The procedure to install SSL certificates depends on the component that provides a service protected by SSL.

  • For Mid Tier and other Apache Tomcat based applications, see the knowledge article Remedy AR System Mid Tier - Enable SSL/HTTPS on Tomcat servers - INCLUDES VIDEO.
  • For AR System Server and AR System REST API, see the knowledge article How to Enable SSL on Jetty - Remedy AR System Server - INCLUDES VIDEO.

Step 2: Make sure that the service responds to the SSL port

After you enable the SSL, make sure that the service responds to the SSL port. For more information, see the knowledge article How to test if a webserver is responding to requests - AR System Server.

Step 3: (Optional) Verify causes when the service does not respond

  • If the service does not respond after enabling the SSL, verify the following causes:
    • Keystore is not found
    • Keystore password is incorrect
    • Server alias on keystore is not found
  • To resolve issues caused by a missing private key after you import a Certificate Signing Request (CSR) response to the keystore, see the knowledge article Certificate doesn't work after importing the CSR response - Mid-Tier.
  • To validate the certificates without stopping the AR System Server, see the knowledge article How to test an SSL certificate without bringing down a service.

Step 4: Identify the validity of server certificates


A certificate is considered valid if it is trusted by the client. The client receives the public certificate from the server. Analyze the certificate chain and check the client's trustStore.

A certificate can be validated with any type of client. However, each client can have its own trustStore.

  • For Windows browser, see the knowledge article How to check if a server SSL certificate is trusted by a Windows Browser.
  • For a Java application, see the knowledge article How to check if a server SSL certificate is trusted by Java command line windows or linux.
  • For Linux command line applications, see the knowledge article How to check if a server certificate is trusted by a Linux command line tool.
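
The checks in Steps 2 and 4 can be told apart with one connection attempt per client trust store. The following is an added example, not taken from the BMC knowledge articles: it reports whether the SSL port answers at all and, if it does, whether the server chain validates against a given trust store. The function name probe_tls and the cafile parameter (a PEM export standing in for the client's trustStore) are assumptions.

```python
import socket
import ssl
import sys


def probe_tls(host, port, cafile=None, timeout=5.0):
    """Classify one TLS connection attempt as (status, detail).

    cafile is a PEM bundle standing in for the client's trust store
    (assumption: exported from the real store); None uses the system default.
    """
    ctx = ssl.create_default_context(cafile=cafile)

    # Phase 1: plain TCP connect. A failure here means the SSL port is not
    # answering at all (Step 2), before any certificate is involved.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("port_not_responding", str(exc))

    # Phase 2: TLS handshake with chain and host name verification (Step 4).
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            return ("trusted", f"{tls.version()}, issuer={issuer.get('commonName')}, "
                               f"notAfter={cert['notAfter']}")
    except ssl.SSLCertVerificationError as exc:
        # The chain does not lead to a CA in this trust store, or the
        # certificate is expired or issued for another host name.
        return ("untrusted", exc.verify_message)
    except OSError as exc:
        # The port answers but the handshake fails: not a TLS listener,
        # no common protocol or cipher, or a client certificate is required.
        return ("handshake_failed", str(exc))


if __name__ == "__main__":
    # usage: python probe_tls.py HOST PORT [CA_BUNDLE.pem]
    print(probe_tls(sys.argv[1], int(sys.argv[2]), *sys.argv[3:4]))
```

Run it once per client trust store from Step 5: the same server can be "trusted" for one client and "untrusted" for another.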
Step 5: Verify the client used to establish the SSL connection


Note down the client, the trustStore, and the client Keystore. The client Keystore is required only for the two-way SSL connection.

The following table describes the client, the trustStore, and the client Keystore:

| Scenario | Client | Trust Store and Client Keystore | Location of the trustStore/Keystore |
|---|---|---|---|
| Use a browser to access Mid Tier | Browser | Windows | Client File System where the browser runs. Sometimes this is handled at the domain level. |
| Mid Tier cross launching to Smart Reporting | Mid Tier | Java | Mid Tier Server File System. |
| Java application calling a Remedy Webservice (REST or SOAP) | Java application | Java | Client File System where the Java application runs. |
| Windows calling a Remedy Webservice (REST or SOAP) | Windows application | Windows | Client File System where the browser runs. Sometimes this is handled at the domain level. |
| Developer Studio loading WSDL into Workflow | Developer studio | Java | Client File System where the Developer Studio runs |
| AR System Server workflow calling a third-party REST or SOAP Web service | AR Server | Java | AR Server File System |

Important: If the AR System Server certificate is signed by a well-known certificate authority (CA), such as Let's Encrypt or Verisign, the certificates are trusted and these steps only confirm that the trust relationship is already established.

Step 6: Analyze the javax.net.debug log if the certificates are not trusted by the client

Analyze the issue by collecting the javax.net.debug logs.

  • To enable javax.net.debug logs on the AR System Server for REST client and Webservices, see the knowledge article How to enable javax.net.debug logs on Remedy AR server for workflow invoking REST or SOAP webservices.
  • To enable javax.net.debug logs on Apache Tomcat for cross launch, see the knowledge article How to gather SSL evidence when Tomcat based applications try to connect to other SSL web servers.
  • To enable javax.net.debug logs on Developer Studio to load WSDL, see the knowledge article How to enable javax.net.debug log in Developer studio.

Warning: You can import certificates into the client trustStore. However, we do not recommend this as a solution because it might create an additional task. Also, once the certificate expires, you need to import it again on all possible clients.

If a signed certificate expires, the certificate needs to be changed only on the server.

Step 7: Enable Web service to request client certificates

The client certificate uses an additional SSL/Transport Layer Security (TLS) layer. We recommend using a well-known certificate authority (CA). Most Java servers and clients adhere to the standards.

After the client validates the server certificate, it sends its own certificate to the server for validation. If the client does not send a certificate, the SSL connection is not established.

  • To enable client certificate for Apache Tomcat, see the knowledge article How to enable SSL on Tomcat and request client certificates.
  • To enable client certificate for the Jetty server, see the knowledge article How to enable SSL on Jetty server.
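
The causes named in Steps 3, 4 and 7 tend to surface as recognizable Java exception text in the service log or in the javax.net.debug output collected in Step 6. The following is an added example, not BMC code, that scans such a log and points each finding back to the step that covers it. The rule set, the function name triage and the sample log are constructed for illustration; exact message wording varies between Java and Tomcat versions.

```python
import re

# Message fragments commonly emitted by the JDK and Tomcat, mapped to the
# causes this page lists. Wording can differ between versions (assumption).
RULES = [
    (r"FileNotFoundException: .*\.(jks|p12|pfx|keystore)\b",
     "keystore file not found", "Step 3"),
    (r"password was incorrect",
     "keystore password is incorrect", "Step 3"),
    (r"does not identify a key entry",
     "server alias not found in keystore", "Step 3"),
    (r"PKIX path building failed|unable to find valid certification path",
     "server certificate not trusted by the client trustStore", "Steps 4 and 5"),
    (r"fatal alert: (bad_certificate|certificate_required)",
     "certificate rejected or missing, check the client certificate", "Step 7"),
    (r"No appropriate protocol|fatal alert: (handshake_failure|protocol_version)",
     "no common TLS version or cipher suite", "symptom table"),
]
COMPILED = [(re.compile(p), cause, ref) for p, cause, ref in RULES]


def triage(log_text):
    """Return [(first_line_no, hits, cause, page_ref)] ordered by first occurrence."""
    found = {}
    for no, line in enumerate(log_text.splitlines(), start=1):
        for rx, cause, ref in COMPILED:
            if rx.search(line):
                first, hits = found.get((cause, ref), (no, 0))
                found[(cause, ref)] = (first, hits + 1)
                break  # first matching rule wins for this line
    return sorted((first, hits, cause, ref)
                  for (cause, ref), (first, hits) in found.items())


# Constructed sample, not output captured from a real system.
SAMPLE_LOG = """\
java.io.IOException: Keystore was tampered with, or password was incorrect
sun.security.validator.ValidatorException: PKIX path building failed
Caused by: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled)
INFO: Server startup in 5123 ms
"""

if __name__ == "__main__":
    for first, hits, cause, ref in triage(SAMPLE_LOG):
        print(f"line {first} (x{hits}): {cause} -> see {ref}")
```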

After you determine a specific symptom or error message, use the following table to identify the solution:

Symptom: The service does not start after you enable the SSL
Location: Web server (Apache Tomcat or Jetty server)
Action: Check if the certificate is valid. See step 4.
Reference: NA

Symptom: A Java 6 application cannot connect to an SSL service
Location: Any integration application that tries to connect to an SSL Web service
Action: We recommend upgrading the Java version on the client side. Java clients on earlier versions do not support all TLS versions.
Reference: Transport level security (TLS) and Java in Oracle documentation.

Symptom: Cannot change the self-signed certificates and unable to connect to the client
Location: Java or browser based clients
Action: Make sure that the steps described in the Resolution section are followed.
Reference:
  • See the knowledge article Remedy AR System Server - How to import certificate for SSL/TLS-Remedy AR System Server
  • See the knowledge article How to trust on a self signed certificate on a browser

Symptom: The Web server requests a client certificate and the client is not allowed to connect
Location: Java clients try connecting to an SSL service. The server requests client certificates
Action: Contact the vendor of your application. The vendor provides client certificates for each client.
Reference: See the knowledge article How to install client certificates in java client

Symptom: After upgrading the Java version on client or server, the integration fails with SSL handshake error
Action: Analyze and collect the javax.net.debug logs on the client and server. Either the trust relationship is lost or the cipher compatibility might have an issue.
Reference: NA

Symptom: The integration is not successful
Action: Collect the information and send it to BMC Customer Support as a new case. Use the following description format:

SSL problem between <Client> and <Server>, running in <Dev, QA or Production> after <actions performed>. The last time it was working fine was <date time>

  • The client, for example:
      • Browser connecting to a Webserver
      • Mid Tier cross launch to other applications
      • AR System Server invoking a third-party REST or SOAP call
  • The server, for example:
      • Apache Tomcat running Mid Tier, Smart Reporting, RSSO
      • Jetty server running on AR System Server
      • Other webservers hosting Mid Tier, Smart Reporting or other BMC and non-BMC web applications
  • Collect the javax.net.debug log. See step 6.

Reference: NA