Symantec IGA

  • 1.  SSL issue in vAPP- how to add cert to keypath

    Posted Jan 18, 2022 05:14 AM
    Hello Team.

    My customer is using PX to connect to an endpoint via REST. We are using vAPP 14.3

    We are seeing this error message:
    The test has failed to run with following error: "Failed invoking REST operation " which was caused by "sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;unable to find valid certification path to requested target".


    I assume I need to add the cert to the JVM keypath using keytool.

    Do you have the exact command to use under vAPP?

    Thanks


  • 2.  RE: SSL issue in vAPP- how to add cert to keypath

    Broadcom Employee
    Posted Jan 19, 2022 05:26 PM
    Hello Charly,

    Please see this KB article: https://knowledge.broadcom.com/external/article/138526/vapp-import-certificates-for-px-user.html
    It does not provide the exact command, but it states that the IM keystore in the vApp is accessible to the config user, so you can use the config user to run keytool.

    -Dmytry


  • 3.  RE: SSL issue in vAPP- how to add cert to keypath

    Posted Jun 01, 2023 04:25 AM

    Hi Dmytry,

    Could you please share more information or a document regarding this that contains commands in detail.

    Thanks



    ------------------------------
    Network and security Engineer technical associative
    Cas Trading House
    Putalisadak, KTM
    ------------------------------


  • 5.  RE: SSL issue in vAPP- how to add cert to keypath

    Posted Jun 02, 2023 10:42 AM

    Hi Sudip,

    Keep in mind there are several java keystores for the vApp.

    Most are used for inbound traffic, e.g. Apache/Wildfly.


    # Embedded Apache Java Keystore location (used for inbound communication to vApp console):  
    /opt/CA/VirtualAppliance/custom/apache-ssl-certificates

    # Three (3) Wildfly Certificates (used for inbound communication):
    /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates

    The primary out-bound keystore is the default java AdoptOpenJDK keystore (used by IM for PX rules & IG processes):

    • The permissions on this java keystore are group writable by the 'config' user ID.
    • -rwxrwxr-t 1 root config 106918 Apr 21 12:58

    /opt/CA/java/jre/lib/security/cacerts

    To use this outbound java keystore, I am enclosing the following example for two (2) types of public CA root certs to add: a LetsEncrypt wildcard domain cert (very useful) and a MS Windows AD Domain public CA root cert.

    - Import a cert for MS Windows server or a SANS public cert to the AdoptOpenJDK keystore used by IM or IG for out-bound calls to the remote server, when asked to trust, answer YES


    keytool -import -alias caim-srv-san -trustcacerts -file caim-srv.crt -storetype JKS -keystore /opt/CA/java/jre/lib/security/cacerts -storepass changeit



    echo -n yes | keytool -import -alias exchange-lab-public-root-cert -trustcacerts -file exchange-lab-public-root-cert.cer -storetype JKS -keystore /opt/CA/java/jre/lib/security/cacerts -storepass changeit


    After you import the public CA root certs into the java AdoptOpenJDK keystore, you may view them:

    keytool -v -list -storetype jks -storepass changeit -keystore /opt/CA/java/jre/lib/security/cacerts

    Strong Recommendation: 

    Test whether you have the proper public CA root cert before you add it to the java keystore; use the openssl binary as a base check.

    # Should show VERIFY RETURN CODE=0 with the public CA root cert (that is stored in the AdoptOpenJDK keystore)

    true | openssl s_client -connect `hostname`:443 -showcerts -CAfile  caim-srv.crt

    true | openssl s_client -connect `hostname`:636 -showcerts -CAfile  exchange-lab-public-root-cert.cer

    If you do NOT see return code zero (0), you may have the wrong public CA root cert, or an older one in the remote repository that is interfering and needs to be replaced/removed.


    See if this helps.

    Cheers,

    Alan Baugher



    ------------------------------
    Alan Baugher
    ANA
    ------------------------------
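Alan's procedure (verify the candidate root against the endpoint with openssl first, then import it into the AdoptOpenJDK cacerts), scripted as an added example that is not code from the thread; the keystore path and password are the ones quoted in the post above, while the function names, the alias-collision check and the parsing of the openssl "Verify return code" line are my assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check a candidate CA cert against the remote
# endpoint with openssl, and only then import it into the vApp's outbound cacerts.
set -eu

CACERTS=/opt/CA/java/jre/lib/security/cacerts   # AdoptOpenJDK keystore path quoted in the thread
STOREPASS=changeit                               # default JDK cacerts password used in the thread

# Pull the numeric "Verify return code" out of openssl s_client output (read from stdin).
# Prints "0" for a good chain, e.g. "19" for a self-signed cert in the chain, nothing if absent.
verify_code() {
  sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeed (exit 0) only when the output on stdin reports a successful verification.
verify_ok() {
  [ "$(verify_code)" = "0" ]
}

# Connect to host:port trusting only the candidate CA file and print the verify code.
probe_endpoint() {   # usage: probe_endpoint host port ca.crt
  true | openssl s_client -connect "$1:$2" -showcerts -CAfile "$3" 2>/dev/null | verify_code
}

# Import the CA cert only if the probe verifies and the alias is not already in cacerts
# (an older cert left under the same alias would otherwise keep interfering).
import_ca() {   # usage: import_ca host port alias ca.crt
  code=$(probe_endpoint "$1" "$2" "$4")
  if [ "$code" != "0" ]; then
    echo "refusing import: verify code '${code:-none}' for $1:$2 with $4" >&2
    return 1
  fi
  if keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$3" >/dev/null 2>&1; then
    echo "alias '$3' already present in $CACERTS; delete it first if replacing" >&2
    return 2
  fi
  # Same import as in the thread; printf answers the "Trust this certificate?" prompt.
  printf 'yes\n' | keytool -import -alias "$3" -trustcacerts -file "$4" \
    -storetype JKS -keystore "$CACERTS" -storepass "$STOREPASS"
}

# Example run as the config user on the vApp (the LDAPS check from the thread):
# import_ca "$(hostname)" 636 exchange-lab-public-root-cert exchange-lab-public-root-cert.cer
```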