01-09-2012 04:18 AM - edited 03-01-2019 10:13 AM
Hi,
I have 4 UCS B230M1 Blades and since the update to 2.0(1) from 1.4(3q), I can't launch UCS Manager; Java throws the exception: "Certificate has been revoked"
It seems that the certificate used to sign the Java code has been revoked, so this is a very important security exception. How can I solve it?
Nowadays, if I want to run the UCS Manager, I must open the Java Control Panel and uncheck:
- Check certificates for revocation using CRLs
- Enable Online certificate validation
Here you have the exception details:
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:173)
at sun.security.validator.Validator.validate(Validator.java:218)
at sun.security.validator.Validator.validate(Validator.java:187)
at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:601)
at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(AppPolicy.java:268)
at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(LaunchDownload.java:1825)
at com.sun.javaws.LaunchDownload.checkSignedResources(LaunchDownload.java:1508)
at com.sun.javaws.Launcher.prepareResources(Launcher.java:1232)
at com.sun.javaws.Launcher.prepareAllResources(Launcher.java:621)
at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:327)
at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:199)
at com.sun.javaws.Launcher.launch(Launcher.java:116)
at com.sun.javaws.Main.launchApp(Main.java:416)
at com.sun.javaws.Main.continueInSecureThread(Main.java:248)
at com.sun.javaws.Main$1.run(Main.java:110)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.cert.CertPathValidatorException: Certificate has been revoked
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)
... 17 more
Thanks for your help.
01-09-2012 04:39 AM
Hello Maurici,
What OS and Java version do you have on the system from which you are trying to launch UCSM?
Did you try launching UCSM from a different system?
Do you use third-party certs or self-signed certs on the FI?
scope security
show keyring detail
Look out for the Validity > Not After field.
Has it expired?
Padma
01-10-2012 12:50 AM
Hello padramas,
I have tried it with windows 7 and gnu/linux:
- Windows 7 java version = "1.6.0_25"
- Gnu/Linux java version = "1.6.0_26"
I'm using "Keyring Default".
I have regenerated the default key ring (scope security ...), but this hasn't solved the problem.
After regenerating and cleaning certificates in my Java runtime, the first time I launch "ucs manager" it throws this warning:
But the problem hasn't been solved. The java application throws the exception "Certificate has been revoked"
The problem is with the certificate used to sign the code, not used for SSL connections to the UCS.
Thanks for your help.
01-10-2012 08:07 AM
Hi, my name is Saleem,
I have the same issue with another customer, running version 1.4. Do you have the document to generate the certificate? Let me know.
Saleem
01-10-2012 08:50 AM
Saleem,
Steps to regenerate self-signed certificate are documented here
Even though it is 2.0 doc, it also applies for 1.4 version too.
Padma
01-10-2012 09:54 AM
Hi Padma,
Thanks, will certainly give it a try.
Saleem Roumaldaro
01-10-2012 08:29 AM
Maurici,
Not sure why CRL verification and online verification are not enabled in my Java preferences by default (Fedora 14, Sun Java v6 U24) or on a test machine (W2K8 with Java v6 Update 30).
If I enable it, UCSM fails to launch as the trust certs in the chain (Verisign) used by the Cisco cert have been revoked.
http://www.verisign.com/repository/crl.html
I will check it out with the development team and will get back to you.
HTH
Padma
01-11-2012 09:02 AM
Maurici,
I have submitted the following defect to further investigate this issue.
CSCtx30115
Could not launch UCSM Java exception Certification has been revoked
It will take a while to get published.
HTH
Padma
01-18-2012 07:39 PM
Maurici,
With this defect, we have replaced the certificate used for signing the application's jars.
Once it completes testing, it will be integrated in the next patch release.
Padma
01-19-2012 11:13 AM
Hi,
I've also been experiencing this issue using the UCS PE appliance, and have spent quite some time trying to resolve what seemed like a local certificate issue. Can you confirm when the next release of that will be available with this patch?
Also, is there an easy/quicker way to work around this issue without having to redeploy the PE appliance?
The instructions to regenerate a self-signed certificate seem quite involved. Can you advise on the specific procedure that is required? Is there a way to do this without having to submit to Verisign?
Finally, why would the certificate be revoked? Is the issue with Verisign or the certificates supplied with the PE appliance?
Many Thanks in advance for your help.
Dan
01-19-2012 06:56 PM
Dan,
The Java application uses a Cisco certificate for which the public root certificate is provided by Verisign. The intermediate trust certs (which are Verisign certs) in the chain have been revoked by Verisign.
http://www.verisign.com/repository/crl.html
As a resolution, we use a new certificate signed by Verisign where the trust certs are still valid.
If you are observing the same exact error message with UCSPE, you can disable the "Enable CRL verification" configuration option in the Java settings on the client system.
Regeneration of the self-signed cert is not required as it is used for SSL (https) connectivity and not for the Java application.
Hope I was able to clarify your concerns.
Padma
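A diagnostic for the question raised in this thread: is the revoked certificate the code-signing certificate itself or an intermediate in its chain? This is an added example, not part of any post above and not Cisco code; the class name and the JAR path argument are hypothetical. It assumes Java 7 or later, network access to the CA's CRL/OCSP endpoints, and the Sun/Oracle PKIX provider (which reads `com.sun.security.enableCRLDP` and `ocsp.enable`).

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;

public class JarSignerRevocationCheck {
    // Entries must be read to the end before getCodeSigners() returns anything.
    static List<X509Certificate> signerChain(String jarPath) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            for (JarEntry e : Collections.list(jar.entries())) {
                try (InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) { } }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) continue; // unsigned or META-INF entry
                List<X509Certificate> chain = new ArrayList<>();
                for (Certificate c : signers[0].getSignerCertPath().getCertificates())
                    chain.add((X509Certificate) c);
                return chain;
            }
        }
        throw new IllegalArgumentException("no signed entries in " + jarPath);
    }
    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = signerChain(args[0]); // index 0 = signing cert
        int last = chain.size() - 1;
        // A self-signed root at the end is matched as a trust anchor, not revocation-checked.
        if (last > 0 && chain.get(last).getSubjectX500Principal()
                .equals(chain.get(last).getIssuerX500Principal())) chain.remove(last);
        Set<TrustAnchor> anchors = new HashSet<>(); // the JRE's default trusted roots
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers())
                    anchors.add(new TrustAnchor(ca, null));
        System.setProperty("com.sun.security.enableCRLDP", "true"); // fetch CRLs named in the certs
        Security.setProperty("ocsp.enable", "true");                // query OCSP where advertised
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.println("chain valid, nothing revoked");
        } catch (CertPathValidatorException ex) {
            int i = ex.getIndex(); // 0 = signing cert, higher = intermediate CA, -1 = not tied to one cert
            System.out.println("failed at index " + i + ": " + ex.getMessage()
                + (i >= 0 ? " [" + chain.get(i).getSubjectX500Principal().getName() + "]" : ""));
        }
    }
}
```

Validation is performed against the current date, so an expired certificate is reported with its own message rather than as a revocation.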
01-20-2012 04:38 AM
Many Thanks Padma,
However none of the workarounds suggested enable me to launch the Java App. I am using OSX Lion.
If I choose to disable the Java Preference "Enable online certificate validation" then I get "Cannot Validate Certificate".
If this preference is enabled then I get "Certificate has been revoked". In both instances I have the Java Preference "Check certificates for revocation using Certificate Revocation Lists (CRLs)" disabled.
This behaviour does not change even if I change the setting in Keychain Access Preferences to turn CRL to 'Off'.
I attach the screenshots of this for your clarification:
I understand then that this is the fault of Verisign, but would really appreciate a way to overcome this on my machine. Please advise what can be done. Many Thanks.
Dan
01-20-2012 05:05 AM
Dan,
For OSX, please change both CRL and OCSP checking to off under Keychain>Preferences>Certificates and let us know the outcome.
Padma
01-20-2012 05:59 AM
Thanks for the suggestion, I tried that too with no success I'm afraid.
There doesn't seem to be any combination of settings to turn this off as far as I can see.
Any other ideas?
Dan
01-20-2012 06:34 AM
Dan,
What is the exact error message that you receive while trying to access UCS PE via web browser?
Have you tried from a system running a different OS?
Padma