Hi Sudip,
Keep in mind there are several java keystores for the vApp.
Most are used for inbound traffic, e.g. Apache/Wildfly
# Embedded Apache Java Keystore location (used for inbound communication to vApp console):
/opt/CA/VirtualAppliance/custom/apache-ssl-certificates
# Three (3) Wildfly Certificates (used for inbound communication):
/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates
The primary out-bound keystore is the default java AdoptOpenJDK keystore (used by IM for PX rules & IG processes):
- The permissions on this java keystore are group writable by the 'config' user ID.
- -rwxrwxr-t 1 root config 106918 Apr 21 12:58 /opt/CA/java/jre/lib/security/cacerts
To use this outbound java keystore, I am enclosing the following example for two (2) types of public CA root certs to add: a LetsEncrypt wildcard domain cert (very useful) and a MS Windows AD Domain public CA root cert.
- Import a cert for MS Windows server or a SANS public cert to the AdoptOpenJDK keystore used by IM or IG for out-bound calls to the remote server; when asked to trust, answer YES.
keytool -import -alias caim-srv-san -trustcacerts -file caim-srv.crt -storetype JKS -keystore /opt/CA/java/jre/lib/security/cacerts -storepass changeit
echo -n yes | keytool -import -alias exchange-lab-public-root-cert -trustcacerts -file exchange-lab-public-root-cert.cer -storetype JKS -keystore /opt/CA/java/jre/lib/security/cacerts -storepass changeit
After you import the public CA root certs into the java AdoptOpenJDK keystore, you may view them:
keytool -v -list -storetype jks -storepass changeit -keystore /opt/CA/java/jre/lib/security/cacerts
Strong Recommendation:
Test whether you have the proper public CA root cert before you add it to the java keystore; use the openssl binary as a base check.
# Should show VERIFY RETURN CODE=0 with the public CA root cert (that is stored in the AdoptOpenJDK keystore)
true | openssl s_client -connect `hostname`:443 -showcerts -CAfile caim-srv.crt
true | openssl s_client -connect `hostname`:636 -showcerts -CAfile exchange-lab-public-root-cert.cer
If you do NOT see return code zero (0), you may have the wrong public CA root cert, or an older one in the remote repository that is interfering and needs to be replaced/removed.
See if this helps
Cheers,
Alan Baugher
------------------------------
Alan Baugher
ANA
------------------------------
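Added example, not code from Alan's post or from the vApp itself: a small POSIX shell script that wraps the two steps above (openssl chain check first, keytool import second) so the import only happens when the candidate CA file actually completes the chain. The keystore path, the 'changeit' store password and the openssl/keytool usage are taken from the thread; the function names, the script name and the sample openssl transcripts used for the offline check are constructed here.

```shell
#!/bin/sh
# vapp-trust-check.sh (constructed name): verify a public CA root cert against
# a remote host with openssl before importing it into the vApp's AdoptOpenJDK
# cacerts. Paths and password follow the thread; helpers are constructed.

CACERTS=/opt/CA/java/jre/lib/security/cacerts
STOREPASS=changeit

# Return 0 only when an openssl s_client transcript reports a clean chain.
# openssl prints "Verify return code: N (reason)"; anything other than 0
# means the file given with -CAfile did not complete the path to the server cert.
chain_verified() {
    transcript="$1"
    printf '%s\n' "$transcript" | grep -q '^ *Verify return code: 0 (ok)'
}

# Extract the numeric verify code so a caller can report it (e.g. 19 when the
# chain ends in a self-signed cert that is not in the -CAfile).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Live check of host:port using the candidate CA file, as the thread does with
# `openssl s_client ... -CAfile`.
remote_chain_ok() {
    host="$1"; port="$2"; cafile="$3"
    out=$(true | openssl s_client -connect "$host:$port" -showcerts -CAfile "$cafile" 2>&1)
    chain_verified "$out"
}

# Import only if the alias is not already present (a stale copy under the same
# alias is exactly the "older one that is interfering" case from the thread).
# -noprompt replaces the `echo -n yes |` idiom.
import_if_missing() {
    alias="$1"; certfile="$2"
    if keytool -list -storetype JKS -keystore "$CACERTS" -storepass "$STOREPASS" \
            -alias "$alias" >/dev/null 2>&1; then
        echo "alias '$alias' already present in $CACERTS; delete it first if it is stale" >&2
        return 2
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$certfile" \
        -storetype JKS -keystore "$CACERTS" -storepass "$STOREPASS"
}

# Usage (run as the 'config' user): ./vapp-trust-check.sh <host> <port> <alias> <ca-cert-file>
if [ "$#" -eq 4 ]; then
    if remote_chain_ok "$1" "$2" "$4"; then
        import_if_missing "$3" "$4"
    else
        echo "chain for $1:$2 does not verify with $4; not importing" >&2
        exit 1
    fi
fi
```

Run it as the config user, since that is the group that can write cacerts; a non-zero verify code means the wrong root (or an intermediate-only file) was supplied, and nothing is imported.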
Original Message:
Sent: Jun 01, 2023 04:25 AM
From: sudip karmacharya
Subject: SSL issue in vAPP- how to add cert to keypath
Hi Dymetry,
Could you please share more information or a document regarding this that contains the commands in detail?
Thanks
------------------------------
Network and security Engineer technical associative
Cas Trading House
Putalisadak, KTM
Original Message:
Sent: Jan 19, 2022 05:26 PM
From: Dmytro Kvyatkovsky
Subject: SSL issue in vAPP- how to add cert to keypath
Hello Charly,
Please see this KB article: https://knowledge.broadcom.com/external/article/138526/vapp-import-certificates-for-px-user.html
It does not provide the exact command, but it states that the IM keystore in vApp is accessible to the config user, so you can use the config user to run keytool.
-Dmytry
Original Message:
Sent: Jan 18, 2022 05:14 AM
From: charly setbon
Subject: SSL issue in vAPP- how to add cert to keypath
Hello Team.
My customer is using PX to connect to an endpoint via REST. We are using vAPP 14.3.
We are seeing this error message:
The test has failed to run with following error: "Failed invoking REST operation " which was caused by "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;unable to find valid certification path to requested target".
I assume I need to add the cert to the JVM keypath using keytool.
Do you have the exact command to use under vAPP?
Thanks