Collector WebGui - Connection Timed Out

don.click1
Level 4

So, after correcting, I think, the certificate issues on our server, we are unable to browse to it. No matter what browser we use, all of them come back with a "Timed out" type error.

Checking the status of services shows we are UP, but no web interface.

Does anyone have anything that I can look at that may shed some light on this?

4 Replies

antchris
Cisco Employee

Hi Don,

Thanks for reaching out. I will outline the steps necessary for successful completion of utilizing your own SSL cert/cert chain, given that it is a supported format.

 

1- Import your keystore in the CSPC keystore:

 

#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -importkeystore -srckeystore keystorefilename.p12 -srcstoretype pkcs12 -destkeystore $CSPCHOME/webui/tomcat/conf/cspcgxt -deststoretype jks

You will be prompted for the destination keystore password, use: cspcgxt

You will be prompted for your source keystore password, use: the password that corresponds to your keystore

 

Where the <keystorefilename.p12> is your keystore (the keystore to be imported to CSPC keystore) - you may have to include absolute path to .p12 file

Ex: #/opt/cisco/ss/adminshell/applications/CSPC/<keystorefilename.p12>

 

2 - Verify that your keystore has been imported to the CSPC cspcgxt keystore 

 

#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -list -v -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt

When prompted for the keystore password, use: cspcgxt

 

This will print the keystore details within the cspcgxt keystore. Note: you should see two aliases - 'tomcat' and either 'your keystore name' OR '1', where 'tomcat' is the default CSPC alias and either 'your keystore name' OR '1' is your newly imported keystore.

 

3 - You will need to delete the default 'tomcat' alias and then rename alias 'your keystore name' OR '1' (whichever of the two applies) to tomcat

 

To delete:

#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -delete -alias tomcat -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt

You will be prompted for the cspcgxt keystore password: cspcgxt

 

Check cspcgxt keystore contents:

#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -list -v -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt

 

Rename alias to 'tomcat':

#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -changealias -alias aliasname -destalias tomcat -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt

When prompted for the keystore password, use: cspcgxt

Where 'aliasname' is again either the name of 'your keystore name' OR '1'

Ex: #/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -changealias -alias 1 -destalias tomcat -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt

 

Check again to confirm changes:

#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -list -v -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt

 

4 - The newly renamed tomcat alias must use cspcgxt as the password - this will match the cspcgxt keystore password

 

#/opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -keypasswd -alias tomcat -new cspcgxt -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt

 

5 - Once the steps above have been successfully completed, perform a service restart

#service cspc restart

 

6 - Clear browser cache and close browser. At this point if all has gone as outlined, you should be able to load the CSPC WebUI and see your corresponding cert details via your browser. 

Let me/us know how it goes and confirm if the solution provided worked. I hope this helps!

-Anthony
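
The verification in steps 2 to 4 above can be scripted. The following is an added example, not part of the original posts and not Cisco's code: it reads "keytool -list -v" output and reports whether the tomcat alias actually holds a private key and whether its leaf certificate is self-signed. The function name check_keystore_listing and both sample listings are constructed for illustration.

```shell
# Added example (not from the thread): audit `keytool -list -v` output.
# On the collector, pipe the real listing in:
#   keytool -list -v -keystore <path to cspcgxt> | check_keystore_listing tomcat
check_keystore_listing() {
    # $1 = alias to check (default: tomcat). Returns 0 if it holds a private key.
    awk -v want="${1:-tomcat}" '
        { sub(/[ \t\r]+$/, "") }                  # tolerate CRLF and trailing blanks
        /^Alias name: /  { alias = substr($0, 13); seen[alias] = 1 }
        /^Entry type: /  { type[alias] = substr($0, 13) }
        /^Certificate chain length: / { chain[alias] = $4 + 0 }
        # Keep only the first Owner/Issuer per alias: that is the leaf certificate.
        /^Owner: /  && !(alias in owner)  { owner[alias]  = substr($0, 8) }
        /^Issuer: / && !(alias in issuer) { issuer[alias] = substr($0, 9) }
        END {
            if (!(want in seen)) { print "FAIL alias " want " not found"; exit 1 }
            if (type[want] != "PrivateKeyEntry") {
                print "FAIL alias " want " is " type[want] " (no private key)"; exit 1
            }
            print "OK alias " want " is a PrivateKeyEntry, chain length " chain[want]
            if (owner[want] == issuer[want])
                print "WARN leaf certificate is self-signed (Owner equals Issuer)"
            else if (chain[want] < 2)
                print "WARN no issuer certificate stored alongside the leaf"
        }'
}

# Constructed listing: key pair present, but the certificate is self-signed.
SAMPLE_SELF_SIGNED='Keystore type: jks
Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=collector.example.org, O=Example Org, C=US
Issuer: CN=collector.example.org, O=Example Org, C=US'

# Constructed listing: only a certificate was imported, without its private key.
SAMPLE_CERT_ONLY='Alias name: tomcat
Entry type: trustedCertEntry

Owner: CN=collector.example.org, O=Example Org, C=US
Issuer: CN=Example Issuing CA, O=Example Org, C=US'

printf '%s\n' "$SAMPLE_SELF_SIGNED" | check_keystore_listing tomcat
printf '%s\n' "$SAMPLE_CERT_ONLY"   | check_keystore_listing tomcat || true
```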

 

Thanks for the reply.

 

I did verify the alias was renamed to tomcat, but I am still having the same problem.

 

I have only the 1 cert listed in the keystore, and the only error I see is actually the same warning you have about the format.

 

After I restarted the services, I did another check, as you show, and I see no errors.

I have run through this process a few times, thinking maybe I missed a step.

 

I have verified that I have the certificate set up, and in the correct keystore, and with the correct alias - as far as I can tell -

1. Still seeing the JKS warnings - not sure if this is normal.

2. After restarting the services, I cannot browse the page - I get "Page cannot be loaded" (Errtimeout).

3. I have verified the IP address on the host.

 

Here is what I get when I run the command to show the keystore:

 

 

[root@ciscocspc collectorlogin]# /opt/cisco/ss/adminshell/applications/CSPC/jreinstall/bin/keytool -list -v -keystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt
Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Aug 3, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=information@dentoncounty.gov, CN=ciscocspc.dentoncounty.gov, OU=Department of Technology Services, O=Denton County, L=Denton, ST=Texas, C=US
Issuer: EMAILADDRESS=information@dentoncounty.gov, CN=ciscocspc.dentoncounty.gov, OU=Department of Technology Services, O=Denton County, L=Denton, ST=Texas, C=US
Serial number: d569fbd769d648d2
Valid from: Thu Jul 09 07:35:22 CDT 2020 until: Sun Nov 21 06:35:22 CST 2021
Certificate fingerprints:
MD5: 10:D6:44:58:31:7B:1E:C4:29:66:0A:B8:0F:7A:9F:7A
SHA1: E3:28:BC:6E:4F:25:2A:64:80:4F:0B:6C:B9:5F:82:A3:8A:26:84:A8
SHA256: 3A:EC:D9:2B:42:08:80:EC:10:54:55:E7:AA:60:CB:C2:C3:4D:CE:64:62:FB:3A:F7:F9:48:49:A6:BB:F5:41:3A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1


*******************************************
*******************************************

 

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt -destkeystore /opt/cisco/ss/adminshell/applications/CSPC/webui/tomcat/conf/cspcgxt -deststoretype pkcs12".

I am frustrated that we can't get support from TAC for a product released and maintained by Cisco.

 

I have had this same issue for over 3 months. I got maybe 2 replies, and they both refer back to the document I used. 

Our issue is we can no longer load the web interface, period. The services show the site is running, yet when we navigate to this IP, we constantly get page not found.

 

This started after "attempting" to follow the documentation and replace the self-signed certificate with a "real" certificate.

 

I welcome ANY suggestions at this point.
