5 Replies Latest reply on Mar 8, 2016 12:36 PM by Todd Schaal

    getting ssl warning in compliance jobs after 8.7 upgrade

    Todd Schaal

      Failed to read server's response: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Error signing certificate verify(component=Linux-RHEL5-Standard-Config (ltacgplum07), rule=NTP-Config: "")

       

       

      I am still able to live browse the agents?

        • 1. Re: getting ssl warning in compliance jobs after 8.7 upgrade
          Bill Robinson

          Can you connect to the target w/ nsh from the appserver? Is there anything in the rscd log at the same time?

          • 2. Re: getting ssl warning in compliance jobs after 8.7 upgrade
            Todd Schaal

            No, I can't. Here is what I get:

            d7755ae10e11a9ed35ee 0000000697 02/25/16 10:54:01.974 WARN     rscd -  10.22.34.115 6184 0/0 (BLAdmins:BLAdmin): agentinfo: Certificate check failed

             

            here is my secure file on my agent server:

            [root@vlslcsat01 log]# cat /etc/rsc/secure

            rscd:port=4750:protocol=5:tls_mode=encryption_and_auth:encryption=tls:

            default:port=4750:protocol=5:tls_mode=encryption_and_auth:appserver_protocol=ssoproxy:encryption=tls:

             

            and here is my thumbprint file:

             

            [root@vlslcsat01 log]# cat /opt/bmc/bladelogic/RSCD/certs/SYSTEM

            FFA147A02C2C2E45F24D52E99FC5D787F6AAAE6A

            91890AE42AF513D64159FFC49CA7F4BAD368D690

            F705E6F6D9D55504896F270A3F334709968165D6

             

             

            here is the secure file on my app server:

             

            PS C:\Windows\system32> Get-Content C:\Windows\rsc\secure

            rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:

            default:port=4750:protocol=5:tls_mode=encryption_and_auth:encryption=tls:

            PS C:\Windows\system32>

             

             

            I verified my C:\Windows\rsc\certs\SYSTEM\id.pem and C:\Windows\rsc\securcert dates and they have not changed?

            • 3. Re: getting ssl warning in compliance jobs after 8.7 upgrade
              Todd Schaal

              Also, if I open an NSH prompt from the BL Console on my PC (that's configured to use the NSH proxy) everything is fine:

               

              vmslcblasp01% agentinfo vlslcsat01

              vlslcsat01:

                Agent Release   : 8.6.01.66

                Hostname        : vlslcsat01.regence.com

                Operating System: Linux 2.6.18-407.el5

                User Permissions: 0/0 (root/root)

                Security        : Protocol=5, Encryption=TLS1 with X.509 Certificates

                Host ID         : 160A2109

                # of Processors : 2

                License Status  : Licensed for NSH/CM

              vmslcblasp01% agentinfo vlslcutil01

              vlslcutil01:

                Agent Release   : 8.6.01.66

                Hostname        : vlslcutil01.regence.com

                Operating System: Linux 2.6.18-407.el5

                User Permissions: 0/0 (root/root)

                Security        : Protocol=5, Encryption=TLS1 with X.509 Certificates

                Host ID         : 160A908A

                # of Processors : 1

                License Status  : Licensed for NSH/CM

              vmslcblasp01%

               

              Seems like for some reason the NSH instance on my app server can't find or open the id.pem file????

              • 4. Re: getting ssl warning in compliance jobs after 8.7 upgrade
                Bill Robinson

                encryption_and_auth shouldn't be set in the 'default' line in the secure file on any server. It's only set for the rscd line where you want encryption enabled.

                 

                There's a defect in 8.7 related to the bl_gen_ssl where it's not generating a 2048 bit key and Java 8 doesn't handle that - did you regenerate and re-push the cert?

                 

                Also - is there a support ticket for this?
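
The `secure` file check from reply 4, as an added example that is not part of the thread and not BMC tooling: it parses the colon-separated entries and flags any `default` line that sets `tls_mode=encryption_and_auth`. The function names and parsing rules (including treating `#` lines as comments) are assumptions inferred from the lines quoted above; the sample inputs are the two files shown in reply 2.

```python
# Added example: lint a BladeLogic-style `secure` file for the setting called
# out in reply 4. Parsing rules are assumptions inferred from the lines quoted
# in this thread, not taken from BMC documentation.

def parse_secure(text):
    """Parse entries such as 'rscd:port=4750:tls_mode=...:'.

    Returns a list of (line_number, entry_name, options_dict).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        name, _, rest = line.partition(":")
        options = {}
        for field in rest.split(":"):
            if "=" in field:
                key, _, value = field.partition("=")
                options[key.strip()] = value.strip()
        entries.append((lineno, name.strip(), options))
    return entries


def lint_secure(text):
    """Return one finding per 'default' entry that sets encryption_and_auth."""
    findings = []
    for lineno, name, options in parse_secure(text):
        if name == "default" and options.get("tls_mode") == "encryption_and_auth":
            findings.append(
                f"line {lineno}: tls_mode=encryption_and_auth on 'default' entry"
            )
    return findings


# Sample inputs: the agent and app server secure files quoted in reply 2.
AGENT_SECURE = """\
rscd:port=4750:protocol=5:tls_mode=encryption_and_auth:encryption=tls:
default:port=4750:protocol=5:tls_mode=encryption_and_auth:appserver_protocol=ssoproxy:encryption=tls:
"""
APPSERVER_SECURE = """\
rscd:port=4750:protocol=5:tls_mode=encryption_only:encryption=tls:
default:port=4750:protocol=5:tls_mode=encryption_and_auth:encryption=tls:
"""

if __name__ == "__main__":
    for label, text in (("agent", AGENT_SECURE), ("appserver", APPSERVER_SECURE)):
        for finding in lint_secure(text):
            print(f"{label}: {finding}")
```

Both quoted files are flagged on their `default` line; the `rscd` lines are not, since reply 4 says that is where the setting belongs.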

                • 5. Re: getting ssl warning in compliance jobs after 8.7 upgrade
                  Todd Schaal

                  Yes, I opened a ticket on this and got it resolved. Thanks

                   

                  Thank You,

                   

                  Todd Schaal