CA Service Management

  • 1.  CA SDM Mobile app SSL issue

    Posted Mar 15, 2017 04:08 AM

    Configured Mobile CA SDM on the secondary server recently. After configuring SSL, the URL is not working. The environment is 1 primary + 1 secondary (DMZ) server.

    # Version of CA SDM
    14.1

    # Do you find the mobile app working using HTTP?
    Yes

    # Are you using a self-signed certificate / vendor certificate?
    Vendor certificate

    # Steps you have followed to import the certificate.
    https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec587823.html

    URL:

    SSL: https://hostname:8449/mobiledemo/login.html
    Tomcat : http://hostname:8050/mobiledemo/login.html

     

    Please find the screenshot for error screen



  • 2.  Re: CA SDM Mobile app SSL issue

    Posted Mar 15, 2017 05:33 AM

    Hi,

    There was a similar issue posted recently: Configure REST SSL on CA ServiceDesk 14.1

    If I recall correctly, the final resolution was to import the cert (and trusted chain) to your mobile.

    Hope this helps

    /J



  • 3.  Re: CA SDM Mobile app SSL issue

    Posted Mar 15, 2017 05:37 AM

    Note that I did just look: your screenshot is not from the mobile app and displays a different error, not related.

    You need to make sure that the protocol and cipher used in your SSL connector are supported and enabled in your browser.

    For IE as an example:

     

    /J



  • 4.  Re: CA SDM Mobile app SSL issue

    Posted Mar 24, 2017 01:35 AM

    Thanks for the reply. The IE settings are the same as above. Still not working.



  • 5.  Re: CA SDM Mobile app SSL issue

    Posted Mar 15, 2017 05:46 AM

    Below is an example of a Tomcat SSL connector config supporting all TLS versions and outdated ciphers (recent Tomcat releases only support the latest protocol by default. The 128 ciphers are there as an example but are not secure anymore and must not be used in a publicly exposed env):

    <Connector SSLEnabled="true" clientAuth="false" keystoreFile="E:\SSL\mystore.jks" keystorePass="mypass" keystoreType="PKCS12" maxThreads="200" port="443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" />

    Hope this helps

    /J



  • 6.  Re: CA SDM Mobile app SSL issue

    Posted Mar 24, 2017 03:42 AM

    Hi Jerome, I tried with these ciphers. No impact, still the same screen.



  • 7.  Re: CA SDM Mobile app SSL issue

    Broadcom Employee
    Posted Mar 15, 2017 08:02 PM

    Hey Bhaskar

     

    The error seems to indicate that either you are not restricting good ciphers only (via server.xml) or one of the keys in the keystore is not being read properly and so the misleading error.

     

    Can you post your server.xml entry for your SSL connector? (You can mask the password and keystore location.)

     

    _R



  • 8.  Re: CA SDM Mobile app SSL issue

    Posted Mar 24, 2017 03:50 AM

    Hi Raghu,

    Thanks for the reply. I tried with these four types.

    ///////////////////////////////////////////

    <Connector SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_ CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_C BC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CB C_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC _SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WI TH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" keystoreFile="*****" keystorePass="*****" keystoreType="PKCS12" maxThreads="200" port="8449" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>

    ///////////////////////////////////////////////////////////////

    <Connector SSLEnabled="true" clientAuth="false" keystoreFile="*****" keystorePass="*****" keystoreType="PKCS12" maxThreads="200" port="8449" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"/>

    ////////////////////////////////////////////////////////////////
    <Connector SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" clientAuth="false" keystoreFile="*****" keystorePass="*****" keystoreType="PKCS12" maxThreads="150" port="8449" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>

    /////////////////////////////////////////////////////////////////

    <Connector SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_ CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_C BC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CB C_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC _SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WI TH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" keystoreFile="*****" keystorePass="******" keystoreType="PKCS12" maxThreads="150" port="8449" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>

    ///////////////////////////////////////////////////////////////



  • 9.  Re: CA SDM Mobile app SSL issue

    Broadcom Employee
    Posted Mar 24, 2017 04:16 PM

    Can you raise a support case for this one and hit me up, please? The connector entry on its own looks OK; maybe you're missing something else in the keystore (the whole cert chain) that's causing this misleading error.

     

    _R
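
Added example, not part of any post in this thread and not CA or Tomcat code: a small linter for `<Connector>` entries like the ones exchanged above, covering the points the replies raise (restricting the connector to good ciphers, legacy protocol versions, a keystore that may not be read as expected). The function name `audit_connector`, the finding codes and the sample entry are assumptions constructed for illustration.

```python
import re

# Constructed sample entry (not taken from any post): a glued attribute, a
# cipher name broken by a stray space, an RC4 suite and legacy protocols.
SAMPLE = (
    '<Connector SSLEnabled="true" port="8449" keystoreFile="conf/store.jks" '
    'keystoreType="PKCS12" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"'
    'ciphers="TLS_ECDHE_RSA_WITH_AES_256_ CBC_SHA384,'
    'TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256"/>'
)

ATTR = re.compile(r'([A-Za-z][\w.-]*)\s*=\s*"([^"]*)"')
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
WEAK_MARKERS = ("_RC4_", "_NULL_", "_EXPORT_")             # RC4: RFC 7465


def audit_connector(text):
    """Return (code, detail) findings for one <Connector .../> entry."""
    findings, attrs = [], {}
    # Regex scan on purpose: a strict XML parser stops at the first defect.
    for m in ATTR.finditer(text):
        attrs[m.group(1)] = m.group(2)
        # An attribute starting right after a closing quote is malformed XML.
        if m.start() > 0 and text[m.start() - 1] == '"':
            findings.append(("glued-attribute", m.group(1)))
    for cipher in attrs.get("ciphers", "").split(","):
        cipher = cipher.strip()
        if re.search(r"\s", cipher):
            findings.append(("whitespace-in-cipher", cipher))
        if any(marker in cipher for marker in WEAK_MARKERS):
            findings.append(("weak-cipher", cipher))
    for proto in attrs.get("sslEnabledProtocols", "").split(","):
        if proto.strip() in LEGACY_PROTOCOLS:
            findings.append(("legacy-protocol", proto.strip()))
    # Heuristic only: the file extension does not prove the keystore format.
    if (attrs.get("keystoreType", "").upper() == "PKCS12"
            and attrs.get("keystoreFile", "").lower().endswith(".jks")):
        findings.append(("keystore-type-vs-extension", attrs["keystoreFile"]))
    return findings


if __name__ == "__main__":
    for code, detail in audit_connector(SAMPLE):
        print(f"{code}: {detail}")
```

A finding here is a prompt to check the entry, not a diagnosis: the keystore contents, including the certificate chain mentioned in the last reply, still have to be inspected separately.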