08-04-2020 09:39 AM
Software: CVP 12.5 (no E.S.)
I've found myself a bit stumped following the steps outlined in Chapter 17 "Unified CVP Security" of the CVP 12.5 Configuration Guide. In particular, I am struggling with 'Secure JMX Communication between OAMP and Call Server using Mutual Authentication'.
I have completed all the steps using an Internal CA (Microsoft Certificate Authority). Everything is fine until I change the config files for jmx_*.conf to com.sun.management.jmxremote.ssl.need.client.auth = true. I rebooted afterward rather than worry about restarting the processes.
At that point, the OAMP Control Center flags the device as Unreachable. This is a lab-only configuration (which I hope isn't the issue, because it seemed like an all-in-one box would be a lot easier to learn on than multiple boxes). I believe the OAMP log messages here reflect this issue:
4: 192.168.223.20: Aug 04 2020 08:22:10.522 -0700: %CVP_12_5_OAMP-3-OAMP_OMGR_JMX_CONNECTION_ERROR: Unable to establish JMX connector to URI service:jmx:rmi:///jndi/rmi://192.168.223.20:2099/jmxrmi: error during JRMP connection establishment; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown [id:7513]
The CSR was generated with the FQDN as the CN.
I also completed the 'Generate CA-Signed Client Certificate for WSM' in case it was related.
The only steps not done were:
1) The Regedit steps, as the installer apparently already took care of those. I confirmed the password matched the one in the properties file.
2) The note about importing cacerts into .keystore. I did a compare of the certs in each file and while there were a few in cacerts that were not in .keystore they were all external CAs and I couldn't see the relevance since I'm using an Internal CA.
Any advice would be appreciated.
-Jay
04-26-2022 07:03 AM
Hi Jay,
Did you get to fixing this issue?
I'm running into a similar issue, on a full deployment in lab.
Managed to secure JMX communication by implementing certificates signed by internal CA.
It started to go wrong when enabling com.sun.management.jmxremote.ssl.need.client.auth = true
I did create a client certificate with CN=<server hostname> (not FQDN) and added that to .keystore
I had this working on v11.6, but there are some changes: orm functionality seems to be replaced by WSM, although orm config files still seem to be around.
Hope you can shed some light here!
Rgds,
Koen
04-26-2022 08:44 AM
Nope. I've just left:
com.sun.management.jmxremote.ssl.need.client.auth = false
but I do the rest of the steps. That seems sufficient to appease the PCCE validations. Is it secure? I have no idea how to ensure that, but it seems enough to keep moving.
04-26-2022 01:12 PM
That's too bad!
The rest of the settings do make sure communication is encrypted, but they do not prevent unwanted "visitors" from connecting a JConsole and starting to mess with settings.
I'll play around some more and let you know if I come to a solution.
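The two situations this thread turns on (Jay's handshake failing as soon as need.client.auth is switched on, and Koen's point that encryption alone does not stop an arbitrary JMX client from connecting) are easy to reproduce outside CVP, because the Java property just tells the TLS server to demand and validate a client certificate. The following Go program is an added illustration, not code from the thread, from Cisco, or from the CVP product: it builds a throwaway internal CA with the standard library, issues a server certificate and two client certificates, and runs loopback TLS handshakes with the client-auth requirement on and off. Everything in it is constructed (the hostnames callserver.example.test and oamp.example.test, the serial numbers, the scenario names); the JMX property is only mirrored by the needClientAuth flag. TLS 1.2 is pinned so that a rejected client certificate is reported on the client side inside the handshake, as in the OAMP log above; Go's alert reads "bad certificate" where JSSE reports certificate_unknown, but the cause is the same class of problem, a chain the validating side cannot tie to a CA in its own truststore.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "callserver.example.test" // constructed hostname, not taken from the thread

// mustCert generates a throwaway key pair and certificate for cn signed by parent (a self-signed
// CA when parent is nil); leaves carry the EKU given, which chain validation checks.
func mustCert(cn string, serial int64, parent *tls.Certificate, eku ...x509.ExtKeyUsage) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one TLS 1.2 handshake over loopback TCP and returns nil only if both sides
// accepted it. needClientAuth mirrors com.sun.management.jmxremote.ssl.need.client.auth;
// serverTrust is the pool the server validates client chains against.
func handshake(serverCert []tls.Certificate, serverTrust *x509.CertPool, needClientAuth bool,
	clientTrust *x509.CertPool, clientCert []tls.Certificate) error {
	srvCfg := &tls.Config{Certificates: serverCert, ClientCAs: serverTrust, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{Certificates: clientCert, RootCAs: clientTrust, ServerName: serverName, MaxVersion: tls.VersionTLS12}
	if needClientAuth {
		srvCfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() { // server side: accept one connection and run the handshake
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, srvCfg).Handshake()
		}
		srvErr <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // connects and runs the handshake
	if err == nil {
		cli.Close()
	}
	if srv := <-srvErr; err == nil {
		return srv
	}
	return err
}

// RunScenarios exercises the trust situations the thread discusses and reports, per scenario,
// whether the handshake succeeded.
func RunScenarios() map[string]bool {
	ca := mustCert("lab-internal-ca", 1, nil)
	server := []tls.Certificate{mustCert(serverName, 10, &ca, x509.ExtKeyUsageServerAuth)}
	client := []tls.Certificate{mustCert("oamp.example.test", 11, &ca, x509.ExtKeyUsageClientAuth)}
	wrongEKU := []tls.Certificate{mustCert("oamp.example.test", 12, &ca, x509.ExtKeyUsageServerAuth)}
	trust, empty := x509.NewCertPool(), x509.NewCertPool()
	trust.AddCert(ca.Leaf) // truststore with the internal CA imported; "empty" never got it
	cases := []struct{ name string; need bool; trust *x509.CertPool; cert []tls.Certificate }{
		{"need.client.auth=false, no client cert", false, trust, nil},
		{"need.client.auth=true, no client cert", true, trust, nil},
		{"need.client.auth=true, client cert from the internal CA", true, trust, client},
		{"need.client.auth=true, same cert, CA not in server truststore", true, empty, client},
		{"need.client.auth=true, client cert lacking clientAuth EKU", true, trust, wrongEKU},
	}
	results := make(map[string]bool, len(cases))
	for _, c := range cases {
		err := handshake(server, c.trust, c.need, trust, c.cert)
		results[c.name] = err == nil
		fmt.Printf("%-64s ok=%-5v %v\n", c.name, err == nil, err)
	}
	return results
}

func main() { RunScenarios() }
```

Run it with `go run`. The first scenario is Koen's observation: with the requirement off, any client that trusts the server certificate completes the handshake, so only the JMX password layer stands between a stray JConsole and the MBeans. The fourth scenario is the check worth making before flipping the property: the connecting side's certificate is perfectly valid, but the listener's truststore does not contain the CA that issued it, and the handshake fails exactly as if the certificate were bogus. The fifth scenario is an added generalisation beyond the thread: a certificate issued from a template without the clientAuth extended key usage is rejected by chain validation even when its CA is trusted, so the client certificate step needs a client-authentication template, not a reused web-server one.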