07-10-2020 06:35 AM
So, after correcting, I think, the certificate issues on our server, we are unable to browse to it. No matter what browser we use, all of them come back with a "Timed out" type error.
Checking the status of services shows we are UP, but no web interface.
Does anyone have anything that I can look at that may shed some light on this?
07-10-2020 09:39 AM - edited 07-10-2020 09:56 AM
Hi Don,
Thanks for reaching out. I will outline the steps necessary for successful completion of utilizing your own SSL cert/cert chain given that it is a supported format.
1- Import your keystore in the CSPC keystore:
#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -importkeystore -srckeystore keystorefilename.p12 -srcstoretype pkcs12 -destkeystore $CSPCHOME/webui/tomcat/conf/cspcgxt -deststoretype jks
You will be prompted for the destination keystore password, use: cspcgxt
You will be prompted for your source keystore password, use: the password that corresponds to your keystore
Where the <keystorefilename.p12> is your keystore (the keystore to be imported to CSPC keystore) - you may have to include absolute path to .p12 file
Ex: #/opt/cisco/ss/adminshell/applications/CSPC/<keystorefilename.p12>
2 - Verify that your keystore has been imported to the CSPC cspcgxt keystore
#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -list -v -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt
When prompted for the keystore password, use: cspcgxt
This will print the keystore details within the cspcgxt keystore. Note: you should see two aliases - 'tomcat' and either 'your keystore name' OR '1', where 'tomcat' is the default CSPC alias and either 'your keystore name' OR '1' is your newly imported keystore
3 - You will need to delete the default 'tomcat' alias and then rename alias 'your keystore name' OR '1' (whichever of the two applies) to tomcat
To delete:
#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -delete -alias tomcat -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt
You will be prompted for the cspcgxt keystore password: cspcgxt
Check cspcgxt keystore contents:
#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -list -v -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt
Rename alias to 'tomcat':
#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -changealias -alias aliasname -destalias tomcat -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt
When prompted for the keystore password, use: cspcgxt
Where 'aliasname' is again either the name of 'your keystore name' OR '1'
Ex: #/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -changealias -alias 1 -destalias tomcat -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt
Check again to confirm changes:
#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -list -v -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt
4 - The newly renamed tomcat alias must use cspcgxt as the password - this will match the cspcgxt keystore password
#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -keypasswd -alias tomcat -new cspcgxt -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt
5 - Once the steps above have been successfully completed, perform a service restart
#service cspc restart
6 - Clear browser cache and close browser. At this point if all has gone as outlined, you should be able to load the CSPC WebUI and see your corresponding cert details via your browser.
Let me/us know how it goes and confirm if the solution provided worked. I hope this helps!
-Anthony
07-10-2020 10:50 AM
Thanks for the reply.
I did verify the alias was renamed to tomcat, but I am still having the same problem.
I have only the 1 cert listed in the keystore, and the only error I see is actually the same warning you have about the format.
After I restarted the services, I did another check, as you show, and I see no errors.
08-03-2020 08:18 AM
I have run through this process a few times, thinking maybe I missed a step.
I have verified that I have the certificate set up, and in the correct keystore, and with the correct alias - as far as I can tell -
1. Still seeing the JKS warnings - not sure if this is normal.
2. After restarting the services, I cannot browse the page - I get "Page cannot be loaded" (Errtimeout).
3. I have verified the IP address on the host.
Here is what I get when I run the command to show the keystore:
[root@ciscocspc collectorlogin]# /opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -list -v -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: tomcat
Creation date: Aug 3, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=information@dentoncounty.gov, CN=ciscocspc.dentoncounty.gov, OU=Department of Technology Services, O=Denton County, L=Denton, ST=Texas, C=US
Issuer: EMAILADDRESS=information@dentoncounty.gov, CN=ciscocspc.dentoncounty.gov, OU=Department of Technology Services, O=Denton County, L=Denton, ST=Texas, C=US
Serial number: d569fbd769d648d2
Valid from: Thu Jul 09 07:35:22 CDT 2020 until: Sun Nov 21 06:35:22 CST 2021
Certificate fingerprints:
MD5: 10:D6:44:58:31:7B:1E:C4:29:66:0A:B8:0F:7A:9F:7A
SHA1: E3:28:BC:6E:4F:25:2A:64:80:4F:0B:6C:B9:5F:82:A3:8A:26:84:A8
SHA256: 3A:EC:D9:2B:42:08:80:EC:10:54:55:E7:AA:60:CB:C2:C3:4D:CE:64:62:FB:3A:F7:F9:48:49:A6:BB:F5:41:3A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt -destkeystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt -deststoretype pkcs12".
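The keystore listing that steps 2 to 4 ask you to inspect by eye can also be checked mechanically. The script below is an added example, not part of the thread and not Cisco tooling; it assumes English `keytool -list -v` output, and the function names and sample listings are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit English `keytool -list -v` text (stdin) for the state
# that steps 2-4 aim for. Returns 0 only if alias "tomcat" is a PrivateKeyEntry.
check_keystore_listing() {
  awk '
    { sub(/[ \t\r]+$/, "") }                       # tolerate CRLF and padding
    sub(/^Alias name: /, "") { alias = $0; n++; next }
    sub(/^Entry type: /, "") { type[alias] = $0; next }
    sub(/^Certificate chain length: /, "") { chain[alias] = $0 + 0; next }
    # Only the first Owner/Issuer pair per alias is the server (leaf) certificate.
    sub(/^Owner: /, "")  { if (!(alias in owner))  owner[alias]  = $0; next }
    sub(/^Issuer: /, "") { if (!(alias in issuer)) issuer[alias] = $0; next }
    END {
      if (!("tomcat" in type)) { print "FAIL: no alias named tomcat"; exit 2 }
      if (type["tomcat"] != "PrivateKeyEntry") {
        print "FAIL: tomcat is a " type["tomcat"] ", not a PrivateKeyEntry"; exit 3
      }
      if (n > 1) { print "WARN: " n " aliases in keystore, expected only tomcat" }
      if (owner["tomcat"] == issuer["tomcat"]) {
        print "NOTE: tomcat certificate is self-signed (Owner equals Issuer)"
      }
      if (chain["tomcat"] < 2) {
        print "NOTE: chain length " chain["tomcat"] ", no issuing CA certificate stored"
      }
      print "OK: alias tomcat holds a private key"
    }'
}

# Constructed sample listings (example.com values, not taken from the thread).
sample_selfsigned() { cat <<'EOF'
Keystore type: jks
Your keystore contains 1 entry
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=cspc.example.com, O=Example Org, C=US
Issuer: CN=cspc.example.com, O=Example Org, C=US
EOF
}
# Same keystore with the rename in step 3 skipped: the alias is still "1".
sample_unrenamed() { sample_selfsigned | sed 's/^Alias name: tomcat$/Alias name: 1/'; }

sample_selfsigned | check_keystore_listing
sample_unrenamed  | check_keystore_listing || echo "exit status $?"
```

To check a live system, pipe the `keytool -list -v` command from step 2 into `check_keystore_listing`. A listing like the one posted above, where Owner and Issuer are identical and the chain length is 1, produces both NOTE lines.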
08-18-2020 01:42 PM
I am frustrated that we can't get support from TAC for a product released and maintained by Cisco.
I have had this same issue for over 3 months. I got maybe 2 replies, and they both refer back to the document I used.
Our issue is we can no longer load the web interface. Period. The services show the site is running, yet when we navigate to this IP, we constantly get page not found.
This started after "attempting" to follow the documentation and replace the self signed certificate with a "real" certificate.
I welcome ANY suggestions at this point.