17 Replies Latest reply on Apr 23, 2014 7:06 AM by Bill Robinson

    Failure to verify proxy server certificate.

      Hello,

      We recently started to run into an issue on 7.6 where starting NSH gave "Failure to verify proxy server certificate.". (We're using NSHproxy)

      I've learned that if I went to the Application/File server and tried to authenticate, I get:

      Authentication failure: Cannot connect to "service:authsvc.bladelogic:blauth://blappfs1.example.com:9840" - java.security.cert.CertificateExpiredException: NotAfter: Tue May 22 13:32:07 EDT 2012

      At first I thought it was rscd, so I stopped rscd, removed /usr/lib/rsc/certificate.pem and restarted it, but still not working. So now I'm not sure what/where the cert is.

      Any leads? Any leads how to resolve it?

      Thanks, Tuc

        • 2. Re: Failure to verify proxy server certificate.

          The article was not found, or is no longer available.

          • 3. Re: Failure to verify proxy server certificate.
            Sean Berry

            Knowledge Article ID: KA347453
            Version: 1.0
            Available To: Internal
            Status: Published
            Published date: 04/12/2011

            This content has not been validated for general customer distribution.

            • 4. Re: Failure to verify proxy server certificate.
              Bill Robinson

              Example:
              keytool -genkey -alias blade -keyalg RSA -keysize 1024 -dname "CN=hostname" -keypass <keystore_password> -storepass <keystore_password> -keystore "<install_dir>\br\bladelogic.keystore" -validity 1000

              Copy this file into br\deployments\*\bladelogic.keystore

              Verify the settings within the blasadmin utility, using the following commands:
              show app CertStore

              You may also need to set the password of the certificate using these commands:

              Blasadmin -a
              set ProcessSpawner KeystorePassword <password>
              set app CertPasswd <password>

              Blasadmin -s _spawner
              set ProcessSpawner KeystorePassword <password>
              set app CertPasswd <password>

              blasadmin -s _launcher
              set appserverlauncher KeyStorePassword <password>

              Stop and restart appserver service.

              Log in to BSA.

              • 5. Re: Failure to verify proxy server certificate.

                I'm not a general customer. Not even a major. Private. :)

                • 6. Re: Failure to verify proxy server certificate.

                  frigg% blcred cred -acquire
                  username: tuctboh
                  password:
                  Do you want to accept the following X509 certificate from "service:authsvc.bladelogic:blauth://blappfs1.example.com:9840"?

                  Alias:                service:authsvc.bladelogic:blauth://blappfs1.example.com:9840
                  Version:              V1
                  Serial number:        4f c6 4e f6
                  Issued to:            CN=blappfs1.example.com
                  Issued by:            CN=blappfs1.example.com
                  Valid from:           Wed May 30 11:46:46 GMT-05:00 2012
                  Valid to:             Sun Oct 16 11:46:46 GMT-05:00 2039
                  Signature algorithm:  MD5withRSA
                  MD5 thumbprint:       2b 3d e0 36 1d 23 83 e8 17 1b bb 09 9f bc 0f f1
                  SHA-1 thumbprint:     f2 f3 30 38 22 0f db 31 ad 8b c7 83 59 bb 16 be 8a 21 09 36

                  ?[yes|no]: yes
                  Authentication succeeded: acquired session credential
                  frigg% exit
                  [tuc@frigg Desktop]$ nsh
                  Failure to verify proxy server certificate.
                  Error in Initializing RBAC User and Role (SSO Proxy)
                  Network Shell can be used for local access
                  frigg% blcred cred -destroy
                  frigg% blcred cred -acquire
                  username: tuctboh
                  password:
                  Authentication succeeded: acquired session credential
                  frigg% exit
                  [tuc@frigg Desktop]$ nsh
                  Failure to verify proxy server certificate.
                  Error in Initializing RBAC User and Role (SSO Proxy)
                  Network Shell can be used for local access
                  frigg% cd //uslw1
                  Failure to verify proxy server certificate.
                  cd: error in TLS protocol: //uslw1
                  frigg%

                   

                   

                  If I go onto my appserver and do this, it works, however restarting nsh doesn't ask me my role. When I cd //SERVER I get :

                   

                  6e1f32ef366f00da5d8d 0000002252 05/30/12 13:08:29.763 INFO     rscd -  192.168.1.69 26375 0/0 (tuctboh): nsh: nsh

                  2f157edb050f486ce43b 0000002253 05/30/12 13:08:29.764 WARN     rscd -  192.168.1.69 26375 0/0 (tuctboh): nsh: Certificate check failed

                   

                  I have a weird feeling I should be doing something with /usr/lib/rcs/securecert

                  • 7. Re: Failure to verify proxy server certificate.
                    Bill Robinson

                    Did you copy this new bladelogic.keystore to all of the appservers in the environment? Are you using a standalone nsh proxy?

                    • 8. Re: Failure to verify proxy server certificate.

                      Yes, and yes... 

                      Combination app/file server :

                      /usr/nsh/br/java/bin/keytool -genkey -alias blade -keyalg RSA -keysize 1024 -dname "CN=blappfs1.example.com" -keypass 'PASSWORD<>' -storepass 'PASSWORD!<>' -keystore "bladelogic.keystore" -validity 10000
                      cp bladelogic.keystore /usr/nsh/br/deployments/blappfs1_example_com/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/blappfs1_example_com/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/default/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/default/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/_launcher/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/_launcher/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/nsh_proxybe/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/nsh_proxybe/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/nsh_proxy/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/nsh_proxy/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/_pxe/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/_pxe/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/_spawner/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/_spawner/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/_template/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/_template/bladelogic.keystore

                      (I know it mentions NSH_PROXY here, but those were created here to be moved to the NSH proxy.)  

                       

                      nsh proxy:

                      /usr/nsh/br/java/bin/keytool -genkey -alias blade -keyalg RSA -keysize 1024 -dname "CN=blappfs1.example.com" -keypass 'PASSWORD<>' -storepass 'PASSWORD!<>' -keystore "bladelogic.keystore" -validity 10000
                      cp bladelogic.keystore /usr/nsh/br/deployments/default/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/default/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/_launcher/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/_launcher/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/nsh_proxybe/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/nsh_proxybe/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/nsh_proxy/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/nsh_proxy/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/_spawner/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/_spawner/bladelogic.keystore
                      cp bladelogic.keystore /usr/nsh/br/deployments/_template/bladelogic.keystore
                      chown bladmin:bladmin /usr/nsh/br/deployments/_template/bladelogic.keystore

                      (I checked, our NSH proxy claimed the CN was blappfs1.example.com) 

                       

                      Thank you, Tuc
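
A check for the question asked in reply 7 (whether the same bladelogic.keystore is present in every deployment on every host), added here as an example and not part of the thread or of BMC's tooling: it compares each deployment's copy against a reference SHA-256 digest. The function names `ks_digest` and `keystore_drift` are hypothetical; the directory layout is the one shown in the post above. Keystores produced by separate `keytool -genkey` runs hold different key pairs even when the CN is identical, so they are reported as DIFFERS.

```shell
#!/bin/sh
# Added example (hypothetical helper names): report deployment directories
# whose bladelogic.keystore is missing or differs from a reference copy.

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum elsewhere).
ks_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# keystore_drift <deployments_dir> <reference_digest>
# Prints one line per deployment directory: "OK|MISSING|DIFFERS <name>".
# Returns 0 when every deployment holds the reference keystore, 1 otherwise.
# The body runs in a subshell so its variables do not leak to the caller.
keystore_drift() (
    root=$1
    want=$2
    rc=0
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        ks="${dir}bladelogic.keystore"
        name=$(basename "$dir")
        if [ ! -f "$ks" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$(ks_digest "$ks")" != "$want" ]; then
            echo "DIFFERS $name"; rc=1
        else
            echo "OK $name"
        fi
    done
    return "$rc"
)

# Usage: take the digest once from the keystore that was generated, then run
# the check with that same digest on the app server and on the NSH proxy:
#   want=$(ks_digest ./bladelogic.keystore)
#   keystore_drift /usr/nsh/br/deployments "$want"
```
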

                      • 9. Failure to verify proxy server certificate.
                        Joe Piotrowski

                        Was this resolved or is this still an open issue?

                        • 10. Failure to verify proxy server certificate.

                          Still very much an issue. I'm still thinking there is something I need to do with the securecert file, but can't find my notes from the original install.

                          • 11. Failure to verify proxy server certificate.
                            Bill Robinson

                            In the beginning you said you removed /usr/lib/rsc/certificate.pem. Did you put that back?

                            • 12. Re: Failure to verify proxy server certificate.

                              Should I? When you restart rscd it re-creates it. (Which I did)

                               

                              Tuc

                              • 13. Re: Failure to verify proxy server certificate.
                                Jim Wilson

                                Hi Tuc,

                                 

                                Please can you update the thread with the resolution.

                                 

                                Thanks & Regards,

                                Jim (Forum Admin)

                                • 14. Re: Failure to verify proxy server certificate.

                                  Hi,

                                  I am also facing similar issues.

                                  When I run the following command

                                  BBSA% blmkcert CN=hostname "C:\Program Files\BMC Software\BladeLogic\NSH\br\bladelogic.keystore" Passw0rd123

                                   

                                  It responded with the following line and it did not generate bladelogic.keystore file.

                                  <distinguished name> <jks file name> <passcode>

                                   

                                  And please also suggest what should be done to remove the following error:

                                   

                                  Error in Initializing RBAC User and Role (SSO Proxy)


                                  Thanks n regards,

                                  Chandra
