

Refer to the following topics to troubleshoot problems that may occur when creating and importing signed certificates.

Atrium Single Sign-On Server fails to display the login screen

After you create signed certificates for the Atrium Single Sign-On Server and import them into the required keystores and truststores, the Atrium Single Sign-On Server status is shown as running, but the server fails to display the login screen.

Probable cause: The Atrium Single Sign-On Server certificate alias name is not tomcat.

Resolution: If you create a signed certificate for Atrium Single Sign-On Server with a different alias name, ensure that the alias name is updated in the server.xml file. As a workaround, perform the following steps:

  1. Log on to the host computer where the Atrium Single Sign-On Server is installed.
  2. Navigate to the following directory location:
    • (Microsoft Windows) <Atrium Single Sign-On Server Installation Directory>\tomcat\conf
    • (UNIX) <Atrium Single Sign-On Server Installation Directory>/AtriumSSO/tomcat/conf
  3. Take a backup of the server.xml file.
  4. Open the server.xml file using a text editor.
  5. Search for the keyAlias tag.
  6. Set its value to the changed alias name.
  7. Restart the Atrium Single Sign-On Server.
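
A check for the alias mismatch described above that can be run before the restart, as an added example (not BMC's code): it compares each keyAlias in server.xml with the entries reported by keytool -list and also flags an alias that exists but holds only a trusted certificate. The server.xml fragment, keystore file name, listing and function names are constructed for illustration, and the case-insensitive comparison assumes a JKS keystore.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: an HTTPS connector as it might appear in server.xml.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/keystore.jks" keyAlias="atriumsso"/>
</Service></Server>"""

# Constructed sample: output of `keytool -list -keystore <keystore>`.
KEYTOOL_LIST = """Keystore type: JKS
Your keystore contains 2 entries

tomcat, Jan 5, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
atriumsso, Jan 5, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:55:66:77
"""

# Matches "alias, date, entry type," lines; fingerprint lines contain no comma.
ENTRY = re.compile(r"^(?P<alias>[^,\n]+),.*,[ \t]*(?P<type>\w+Entry),", re.M)


def keystore_entries(listing):
    """Map lower-cased alias -> entry type (JKS aliases are case-insensitive)."""
    return {m["alias"].strip().lower(): m["type"] for m in ENTRY.finditer(listing)}


def check_key_aliases(server_xml, listing):
    """Return (port, keyAlias, problem) for each connector whose alias cannot serve a key."""
    entries = keystore_entries(listing)
    problems = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        alias = conn.get("keyAlias")
        if alias is None:
            continue  # no alias pinned on this connector, nothing to compare
        kind = entries.get(alias.lower())
        if kind is None:
            problems.append((conn.get("port"), alias, "alias not in keystore"))
        elif kind != "PrivateKeyEntry":
            problems.append((conn.get("port"), alias, f"alias is a {kind}, not a private key"))
    return problems


if __name__ == "__main__":
    for port, alias, problem in check_key_aliases(SERVER_XML, KEYTOOL_LIST):
        print(f"connector {port}: keyAlias={alias!r}: {problem}")
```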

Infrastructure Management server fails to authenticate users after applying signed certificates

Infrastructure Management server fails to authenticate users after applying signed certificates.

Probable cause: This error may occur if the Atrium Single Sign-On Server certificate is not imported into the Presentation Server truststore, and if the Presentation Server certificate is not imported into the Infrastructure Management server truststore.

Resolution: As a workaround, perform the following steps:

  1. Log on to the host computer where the Presentation Server is installed.
  2. Navigate to the <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security directory location.
  3. Run the following command to import the Atrium Single Sign-On Server certificate into the Presentation Server truststore. 

    keytool -printcert -sslserver assoserver.bmc.com:8443 -rfc | keytool -importcert -keystore cacerts -storepass changeit -noprompt -alias atriumsso_server

    Note

    assoserver.bmc.com: Host name of the computer where the Atrium Single Sign-On server is installed.

    8443: Default port number of Atrium Single Sign-On Server.

  4. Run the following command to confirm that Atrium Single Sign-On Server certificate has been imported into the Presentation Server. 

    keytool -list -keystore cacerts | grep atriumsso_server

    Note

    changeit is the default password for the cacerts truststore. 

  5. Log on to the host computer where the TrueSight Infrastructure Management is installed.
  6. Navigate to the <Infrastructure Management Server Installation Directory>\pw\pronto\conf directory location.
  7. Run the following command to import the TrueSight Presentation Server certificate into the Infrastructure Management server truststore. 

    keytool -printcert -sslserver tspsserver.bmc.com:8043 -rfc | keytool -importcert -keystore pnserver.ks -storepass get2net -noprompt -alias truesightserver

  8. Run the following command to confirm that TrueSight Presentation Server certificate has been imported into the Infrastructure Management server. 

    keytool -list -keystore pnserver.ks | grep truesightserver

    Note

    get2net is the default password for the pnserver.ks keystore. 

  9. Restart the TrueSight Presentation Server.
  10. Restart the TrueSight Infrastructure Management.
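
The import commands in steps 3 and 7 add whatever certificate the server presents at that moment to the truststore, and -noprompt skips the confirmation. As an added example (not BMC's code), the check below compares the SHA-256 fingerprint of the PEM output of keytool -printcert -sslserver ... -rfc with a fingerprint obtained from the certificate's owner before anything is imported; the certificate bytes are constructed placeholders, the function names are hypothetical, and it assumes the server's own certificate is printed first.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprints, in keytool's AA:BB:.. style, of each certificate in PEM text."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return prints


def _hex(fingerprint):
    """Strip separators and case so 'aa:bb', 'AA BB' and 'AABB' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())


def safe_to_import(pem_text, pinned_fingerprint):
    """True only if the first certificate presented matches the pinned fingerprint."""
    prints = pem_fingerprints(pem_text)
    return bool(prints) and _hex(prints[0]) == _hex(pinned_fingerprint)


def make_pem(der):
    """Wrap bytes in PEM armour (used here only to build the constructed samples)."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


# Constructed stand-ins for DER bytes; a real run feeds in the keytool -rfc output.
EXPECTED = make_pem(b"placeholder: certificate the Atrium SSO administrator issued")
UNEXPECTED = make_pem(b"placeholder: some other certificate answering on port 8443")
# In practice this value comes from the certificate's owner, not from the network.
PINNED = pem_fingerprints(EXPECTED)[0]

if __name__ == "__main__":
    print("expected server:", safe_to_import(EXPECTED, PINNED))
    print("unexpected cert:", safe_to_import(UNEXPECTED, PINNED))
```

Run keytool -importcert only when safe_to_import returns True for the captured output.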

For more information, see the following:

Httpd process is not starting after applying signed certificates to enable Infrastructure Management server browser communication.

After you apply security certificates to secure Infrastructure Management server browser communication, the httpd process fails to start, and Infrastructure Management server fails to display the login screen.

Probable cause: The Infrastructure Management server key and the certificate details might be incorrect in the httpd-conf.conf file.

Resolution: As a workaround, perform the following steps:

  1. Log on to the host computer where the Infrastructure Management server is installed.
  2. Using a text editor, open the httpd-ssl.conf file located in the <Infrastructure Management server Installation directory>\pw\apache\conf\extra directory location.
  3. Comment out the existing SSLCertificateFile and SSLCertificateKeyFile lines, as shown in the following example code block:

    #SSLCertificateFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\my-server.cert"

    #SSLCertificateKeyFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\my-server.key"

  4. Insert lines with the new certificate and key file details, as shown in the following example code block:

    SSLCertificateFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\tsim.cer"

    SSLCertificateKeyFile "C:\Program Files\BMC Software\TrueSight\pw\apache\conf\tsimSrv.key"

  5. Save and close the httpd-ssl.conf file.

  6. Restart the Infrastructure Management server.

For more information, see Implementing private certificates in the TrueSight Infrastructure Management.

TrueSight Presentation Server may display errors after creating and importing security certificates

After you have created a signed certificate and imported it into the Presentation Server keystore, the Presentation Server may display one of the following error messages while launching the login screen:

  • ERR_SSL_VERSION_OR_CIPHER_MISMATCH
  • ERROR Unable to load library esscfgJNI80 no esscfgJNI80 in java.library.path
  • ERROR Unable to load library bpwJNI80 no bpwJNI80 in java.library.path

Probable cause: The private key (.p12 file) is not present in the loginvault.ks keystore.

Resolution: As a workaround, perform the following steps:

  1. Navigate to the <TrueSight Presentation Server Installation Directory>\truesightpserver\conf\secure directory and locate the loginvault.ks file.
  2. Take a backup of the loginvault.ks file.
  3. Run the following command to import the private key into the loginvault.ks keystore file. 

    keytool -v -importkeystore -srckeystore tsps.p12 -srcstoretype PKCS12 -destkeystore loginvault.ks -deststoretype JKS

    Note

    tsps.p12 is the name of the private key. To learn how to create a private key for the Presentation Server, see Implementing private certificates in the TrueSight Presentation Server.

  4. Run the following command to ensure that the private key is imported into the loginvault.ks file.

    keytool -list -keystore loginvault.ks

  5. Restart the Presentation Server.

Components display Java error PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException while trying to establish communication

When a client component is trying to connect to a server component, the following Java error might be displayed:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Probable cause: The error signifies that the client component doesn't have the public certificate for the server that it is trying to connect to. For example, in the context of Presentation Server to Atrium Single Sign-On Server communication, the Presentation Server is operating as a client and the Atrium Single Sign-On Server is operating as a server. In this scenario, if you get the Java error, it means that the Atrium Single Sign-On Server certificate is not found in the Presentation Server truststore.

Resolution: As a workaround, perform the following steps:

Before establishing the communication between a client and a server, ensure that you create a signed certificate for the server and import this certificate to the client's truststore. For example, while establishing the communication between Atrium Single Sign-On server and Presentation Server, ensure that you create a signed certificate for the Atrium Single Sign-On server and import it into the Presentation Server truststore.

Missing configuration file error

If you are using the OpenSSL utility to create and import signed certificates, there may be a missing openssl.conf file error as shown in the following example:

can't open config file: c:/openssl-win64/ssl/openssl.conf

Probable cause: The openssl.cnf configuration file is not present in the required directory location.

Resolution: As a workaround, perform the following:

Copy the openssl.conf file to the directory location indicated by the error. For example, if the error is: can't open config file: c:/openssl-win64/ssl/openssl.conf, then copy the openssl.conf file to the c:/openssl-win64/ssl directory.

TrueSight Presentation Server displays certificate expiry error in the TrueSight log file

Presentation Server may log an error in the TrueSight log file indicating that the certificate is expired. 

Probable cause: This may occur if you create signed certificates for the Presentation Server but do not import them into the cacerts truststore file.

Resolution: As a workaround, perform the following:

  1. Navigate to the directory where the cacerts keystore is located.

    Windows operating system: <TrueSight Presentation Server Installation Directory>\truesightpserver\modules\jre\lib\security

    Linux: <TrueSight Presentation Server Installation Directory>/truesightpserver/modules/jre/lib/security

  2. Copy the cacerts keystore file and rename it as cacerts-update.

  3. List all the keys in the cacerts-update by running the following command: 

    keytool -list -keystore cacerts-update -storepass changeit


    Note

    changeit is the default password for the cacerts-update keystore. 

  4. Delete the existing certificate aliases, if any, from the cacerts-update truststore file by running the following commands:

    keytool -delete -alias root -keystore cacerts-update -storepass changeit

    keytool -delete -alias intermediateCA -keystore cacerts-update -storepass changeit

    keytool -delete -alias truesightserver -keystore cacerts-update -storepass changeit


  5. Copy the signed certificates such as RootCA.cer, intermediateCA.cer, and truesightPS.cer to the current directory, and import these certificates into the cacerts-update keystore by running the following commands:

    keytool -importcert -trustcacerts -alias root -keystore cacerts-update -storepass changeit -file RootCA.cer

    When you are prompted with the Trust this certificate question, type Yes.

    keytool -importcert -trustcacerts -alias intermediateCA -keystore cacerts-update -storepass changeit -file intermediateCA.cer

    When you are prompted with the Trust this certificate question, type Yes.

    keytool -importcert -alias truesightserver -keystore cacerts-update -storepass changeit -file truesightPS.cer


  6. Rename the cacerts file as cacerts.orig.
  7. Copy the cacerts-update keystore file and rename it as cacerts.
  8. Restart the Presentation Server.
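
To see which aliases in cacerts-update actually hold expired certificates before deleting and re-importing them, the added example below (not BMC's code) parses keytool -list -v output and reports each alias whose validity period has ended or is about to end. The listing is constructed, the function names are hypothetical, and the parser assumes keytool's English "Valid from: ... until: ..." line with dates in its default format.

```python
import re
from datetime import datetime

# Constructed sample: abridged `keytool -list -v -keystore cacerts-update` output.
LISTING = """Alias name: root
Entry type: trustedCertEntry
Valid from: Mon Jan 06 10:00:00 UTC 2020 until: Thu Jan 03 10:00:00 UTC 2030

Alias name: intermediateca
Entry type: trustedCertEntry
Valid from: Mon Jan 06 10:00:00 UTC 2020 until: Sat Jan 04 10:00:00 UTC 2025

Alias name: truesightserver
Entry type: trustedCertEntry
Valid from: Mon Jan 06 10:00:00 UTC 2020 until: Wed Jan 05 10:00:00 UTC 2022
"""

ALIAS = re.compile(r"^Alias name:\s*(.+)$")
VALID = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+)$")
RANK = {"ok": 0, "expiring": 1, "not yet valid": 2, "expired": 3}

def _parse(stamp):
    # "Wed Jan 05 10:00:00 UTC 2022": weekday and zone name are dropped (assumption:
    # the keystore host prints UTC, so `now` must be given in the same zone).
    _, month, day, clock, _, year = stamp.split()
    return datetime.strptime(f"{month} {day} {clock} {year}", "%b %d %H:%M:%S %Y")

def validity_report(listing, now, warn_days=30):
    """Return {alias: status}; status is 'ok', 'expiring', 'not yet valid' or 'expired'."""
    report, alias = {}, None
    for line in map(str.strip, listing.splitlines()):
        if m := ALIAS.match(line):
            alias = m.group(1)
        elif alias and (m := VALID.match(line)):
            start, end = _parse(m.group(1)), _parse(m.group(2))
            if now > end:
                status = "expired"
            elif now < start:
                status = "not yet valid"
            elif (end - now).days < warn_days:
                status = "expiring"
            else:
                status = "ok"
            # A key entry lists its whole chain under one alias: keep the worst status.
            if RANK[status] >= RANK[report.get(alias, "ok")]:
                report[alias] = status
    return report
```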

Where to go from here

To check other troubleshooting information, see Troubleshooting.

For more information about creating and importing signed certificates, see Implementing private certificates in TrueSight Operations Management.