This documentation supports the 20.02 version of BMC Digital Workplace Advanced.

To view an earlier version, select the version from the Product Version menu.

Troubleshooting integration with SSL

This topic describes how to troubleshoot issues related to integrating BMC Digital Workplace and SSL.

BMC does not maintain or fix SSL certificates. Technicians will do their best effort to assist you with issues related to SSL and BMC Digital Workplace, but it is the customer's responsibility to fix and maintain their own SSL certificates.

BMC Support will always help with application configuration and can provide hints on what could be wrong with the certificates, but not more.

Port Restrictions

On Linux environments, only root users can bind processes to port 80 and 443. Non-root users cannot run applications on those two ports. (This is not a problem on Windows servers.) To resolve this issue, contact your system administrator.

Alternatively, you can use port 8080 or 8443, or have your load balancer perform redirects. BMC recommends offloading SSL via load balancer rather than enabling SSL on the servers.

Issue symptoms

  • Which symptoms occur?
    • BMC Digital Workplace Tomcat does not start after SSL is enabled.
    • BMC Digital Workplace Catalog does not start after SSL is enabled, or authentication fails during startup when SSL is enabled.
    • BMC Digital Workplace Catalog User Sync is not working on SSL.
    • BMC Digital Workplace Catalog loops during startup after SSL was configured.
    • BMC Digital Workplace Admin Console displays an error when enabling the Enhanced Catalog or when setting BMC Digital Workplace Catalog sections. A PKIX error occurs.
    • Cannot consume BMC Digital Workplace Catalog services or cannot see BMC Digital Workplace banners in BMC Digital Workplace.
    • Notes or approvals for BMC Digital Workplace Catalog services do not work.
    • BMC Remedy ITSM displays an error when you test the connection between BMC Digital Workplace Catalog and the BMC Remedy ITSM AR System server.

  • In which object or user interface do you see the symptoms?
    • BMC Remedy ITSM and BMC Digital Workplace Catalog backend forms show SSL and connectivity errors while testing the connection between BMC Remedy ITSM and BMC Digital Workplace Catalog.
    • BMC Digital Workplace Admin Console: Enhanced Catalog section and Setting Up Catalog Sections section
    • BMC Digital Workplace Tomcat logs
    • BMC Digital Workplace Catalog: Linux terminal (BMC Digital Workplace Catalog loops during restart.)
    • BMC Digital Workplace cannot fetch BMC Digital Workplace Catalog services, BMC Remedy ITSM modules, or BMC Remedy with Smart IT (Smart IT) notes.
    • BMC Digital Workplace Catalog: Linux terminal (After restarting BMC Digital Workplace Catalog, user_group_sync.log shows entries such as SSLHandshakeException.)

  • What steps produce the issue?
    • Follow BMC Digital Workplace documentation and enable SSL.
    • On BMC Digital Workplace:
      1. In the  BMC Digital Workplace Admin console, go to Configuration.
      2. Select Enhanced Catalog under Configuration.
      3. In the URL field, enter the BMC Digital Workplace Catalog URL.
      4. You might see these issues:
        • When you go to Service Requests > Catalog Sections, you receive an authentication error when you try to add new sections.
        • Tomcat does not start after a restart.
        • You try to consume the BMC Digital Workplace Catalog service via BMC Digital Workplace, but services and banners are gone.
        • You cannot log in to BMC Digital Workplace via Remedy SingleSign-On (RSSO).
    • On BMC Digital Workplace Catalog:
      • An Authentication Failed error appears in the Linux Terminal after you restart the BMC Digital Workplace Catalog service.
      • A BMC Digital Workplace Catalog restart loops during startup.
      • You received a double authentication page while logging in via RSSO.
      • An Authentication Failed error appears in use_group_sync.log with entries such as SSLHandshakeException.
    • On BMC Remedy ITSM:
      • Click on the test connection after you include the SSL port and protocol in the BMC Digital Workplace Catalog URL on the ITSM backend forms.
  • What is the text of the message?
    • BMC Digital Workplace Admin Console:

      PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    • BMC Remedy ITSM backend forms (SB:TestRemoteAction and SBE:ConnectionConfig):

      Connection failed

    • BMC Digital Workplace Catalog Linux terminal: 

      Authentication Failed (You can also see this error in the bundle.log file.)

    • BMC Digital Workplace Catalog User Group Sync logging:

      SSLHandshake/PKIX error

    • Errors related to BMC Digital Workplace Catalog in the dwp.log file
    • BMC Digital Workplace Tomcat catalina.out log file:
      SEVERE: Could not start listener due to previous errors
    • BMC Digital Workplace/RSSO:
      Not connecting/Double Login Screen.

Issue scope

The following issues describe the scope, and they cannot be resolved until the certificate issues are resolved:

  • Server startup will be impacted and services will not start. 
  • New users will not be able to use BMC Digital Workplace Catalog and will not be imported to the Catalog. 
  • RSSO login will break, which will make the application unavailable. 
  • Communication with other applications will be affected.
  • Simple use cases (such as updating notes) will not work.

Diagnosing and reporting an issue

After you identify the symptoms and scope of the issue, use this troubleshooting guide to help the customer diagnose and resolve the issue or to create a BMC Support case. 

TaskActionStepsReference
1

Troubleshoot



  • Because certificates have an expiry date, make sure the certificate is not expired prior moving forward. You can use the following keytool command:

keytool -list -v -alias alias -keystore keystore -storepass password | grep "Valid from:"

  • For BMC Digital Workplace Tomcat server.xml, TrustStore files, and catalina.out for SEVERE errors, see
    https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html.
  • Check BMC Digital Workplace Catalog config files and TrustStore files. For more information, see the reference in the next column.
  • Check Tomcat logs for BMC Digital Workplace, and look for any SEVERE entries.
  • Check the BMC Digital Workplace Catalog arerror.log for SSL issues.
  • Check KeyStore entries, host name entries, and DNS resolution.
  • Use SSL Poke to confirm whether the certificates are correct.

See https://communities.bmc.com/docs/DOC-117011 for information on SSL troubleshooting.


2

Self-resolve



  • Check the SSL on DWP Catalog PowerPoint file to review your BMC Digital Workplace Catalog SSL configuration.
  • Check the KA for User Group Sync issues.
  • Use SSLPoke.class file and try to hit Server A from Server B and vice versa.
  • Import certificates from Server A to Server B and vice versa.
  • If entries are missing, re-create the certificate with all the DNS, host name, other necessary entries.
  • Update configuration files where needed.
  • Update firewall and load balancer rules if needed.


SSL on DWP Catalog PowerPoint file

SSLPoke.class file


3

Report



  • Go to your security, system administrator, or network team first and make sure that the firewall, load balancer, and permissions are configured properly.
  • Contact your certificate authority (CA) provider and confirm that all entries have been added.
  • Contact BMC Support.

To get support from BMC Support :

  • File a ticket
  • Start a discussion
4

Send diagnostics



  • For BMC Digital Workplace issues, send the catalina.out, server.xml, and dwp.log files.

  • For BMC Digital Workplace Catalog issues, send the arerror.log, jetty-http.xml, setenv.sh, set_script_variables.sh files.

  • For both products, send the host name and DNS details.

Possible diagnostics include:

  • DNS, host name, or alias entries are missing from Keystore.
  • Ports are blocked or are trying to use root reserved ports (80 and 443) with non-root users.
  • The certificate has expired.
  • The certificate is not complete; for example, a chain is missing.
  • Wrong details are in configuration files.
  • An issue with the environment: firewall or network-related issues.
  • The root certificate does not exist.
  • Truststore does not have the other server's or application's certificate.
5Apply fix

Check Resolution for common issues.

Note: The fix may vary depending on the root cause of the issue: missing entries, wrong data in config files, environment configuration issues.

Resolutions for common issues

SymptomActionReference
  • Cannot see BMC Digital Workplace services or banners in BMC Digital Workplace
  • Cannot see BMC Digital Workplace Catalog services, notes, notifications, or approvals in BMC Remedy ITSM, SmartIT, or BMC Digital Workplace

Import the BMC Digital Workplace Catalog certificate to BMC Digital Workplace Tomcat Truststore, BMC Remedy ITSM Server, SmartIT Server and viceversa. This can be the Java cacerts certificate or a user-defined one.


  • BMC Digital Workplace Catalog showing Authentication Failed during startup
Add missing DNS entries, and update BMC Digital Workplace Catalog configuration files. The certificate needs a certificate chain, which was not included during the import of the certificates.
  • User Group Sync not working
Add TrustStore path and password to user_group_sync.sh script.https://communities.bmc.com/docs/DOC-61820
  • RSSO authentication not working
Import RSSO certificate to BMC Digital Workplace and BMC Digital Workplace Catalog TrustStore and vice versa. Confirm that the application's entries exist in the keystore.https://communities.bmc.com/docs/DOC-117011
  • BMC Digital Workplace Tomcat not starting SSL is enabled
  • Check the SSL connector.
  • Make sure there are no open brackets.
  • Make sure that you can use the port and that the port is not being used for any other application or connector.
  • Confirm that the certificate defined under the SSL connector exists.
  • Confirm that the path and file are in the correct format and that the keystore password is correct.
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
  • BMC Digital Workplace Catalog 19.11 upgrade failed when SSL is enabled

Follow KA https://communities.bmc.com/docs/DOC-124466.

This defect is fixed for 20.02 and later versions.
Was this page helpful? Yes No Submitting... Thank you

Comments