I have 4 UCS B230M1 Blades and since the update to 2.0(1) from 1.4(3q), I can't launch UCS Manager; Java throws the exception: "Certificate has been revoked".
It seems that the certificate used to sign the Java code has been revoked, so this is a very important security exception.
How can I solve it?
Nowadays, if I want to run the UCS Manager, I must run the "Java Control Panel" and uncheck:
- Check certificates for revocation using CRLs
- Enable Online certificate validation
Here you have the exception details:
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked
Caused by: java.security.cert.CertPathValidatorException: Certificate has been revoked
... 17 more
Thanks for your help.
What OS and Java version do you have on the system from which you are trying to launch UCSM?
Did you try launching UCSM from a different system?
Do you use third-party certs or self-signed certs on the FI?
show keyring detail
Look out for the Validity > Not After field.
Has it expired?
I have tried it with windows 7 and gnu/linux:
- Windows 7 java version = "1.6.0_25"
- Gnu/Linux java version = "1.6.0_26"
I'm using "Keyring Default".
I have regenerated the default key ring (scope security ...), but this hasn't solved the problem.
After regenerating and cleaning certificates in my Java runtime, the first time I launch "ucs manager" it throws this warning:
But the problem hasn't been solved. The java application throws the exception "Certificate has been revoked"
The problem is with the certificate used to sign the code, not used for SSL connections to the UCS.
Thanks for your help.
Hi, my name is Saleem,
I have the same issue with another customer, running version 1.4. Do you have the document to generate the certificate? Let me know.
Steps to regenerate self-signed certificate are documented here
Even though it is 2.0 doc, it also applies for 1.4 version too.
Thanks, will certainly give it a try.
Not sure why CRL verification and online verification are not enabled in my Java preferences by default (Fedora 14, Sun Java v6 U 24) or on a test machine, W2K8 with Java v6 Update 30.
If I enable it, UCSM fails to launch as the trust certs in the chain (Verisign) used by the Cisco cert have been revoked.
I will check it out with the development team and will get back to you.
I have submitted following defect to further investigate this issue.
Could not launch UCSM Java exception Certification has been revoked
It will take a while to get published.
With this defect, we have replaced the certificate used for signing the jars application.
Once it completes the testing, it would be integrated in next patch release.
I've also been experiencing this issue using the UCS PE appliance, and have spent quite some time trying to resolve what seemed like a local certificate issue. Can you confirm when the next release of that will be available with this patch?
Also, is there an easy/quicker way to work around this issue without having to redeploy the PE appliance?
The instructions to regenerate a self-signed certificate seem quite involved. Can you advise on the specific procedure that is required? Is there a way to do this without having to submit to Verisign?
Finally, why would the certificate be revoked? Is the issue with Verisign or the certificates supplied with the PE appliance?
Many Thanks in advance for your help.
The Java application uses a Cisco certificate for which the public root certificate is provided by Verisign. The intermediate trust certs (which are Verisign certs) in the chain have been revoked by Verisign.
As a resolution, we use a new certificate signed by Verisign where the trust certs are still valid.
If you are observing the same exact error message with UCSPE, you can disable the Enable CRL verification configuration option in the Java settings on the client system.
Regeneration of the self-signed cert is not required as it is used for SSL (https) connectivity and not for the Java application.
Hope I was able to clarify your concerns.
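An added example, not from this thread or from Cisco: a small Java diagnostic that reads the code-signer chain from a signed JAR and runs PKIX validation with CRL and OCSP checking enabled, reporting which certificate in the chain fails and why. It assumes Java 7 or later, the path to a signed JAR as the first argument, and network access to the CA's revocation endpoints; the class name is hypothetical.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;

public class JarSignerRevocation { // added example; class name is hypothetical
    public static void main(String[] args) throws Exception {
        System.setProperty("com.sun.security.enableCRLDP", "true"); // fetch CRLs named in the certs
        Security.setProperty("ocsp.enable", "true");                // also ask OCSP responders
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JRE's default root CAs (cacerts)
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers())
            anchors.add(new TrustAnchor(ca, null));
        List<Certificate> chain = signerChain(args[0]);
        // The PKIX validator expects the path without the self-signed root.
        X509Certificate last = (X509Certificate) chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
            chain.remove(chain.size() - 1);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        try {
            CertPathValidator.getInstance("PKIX")
                .validate(CertificateFactory.getInstance("X.509").generateCertPath(chain), params);
            System.out.println("Signer chain is valid and nothing in it is revoked.");
        } catch (CertPathValidatorException e) {
            // getIndex(): 0 is the signing certificate, higher values are intermediates.
            int i = e.getIndex();
            String who = i < 0 ? "(none)" : ((X509Certificate) chain.get(i)).getSubjectX500Principal().getName();
            System.out.println("Failed at index " + i + " [" + e.getReason() + "]: " + who);
        }
    }

    static List<Certificate> signerChain(String jarPath) throws Exception {
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            for (JarEntry entry : Collections.list(jar.entries())) {
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { } // signers are known only after a full read
                }
                if (entry.getCodeSigners() != null) // chain of the first signer found
                    return new ArrayList<Certificate>(entry.getCodeSigners()[0].getSignerCertPath().getCertificates());
            }
            throw new SecurityException("no signed entry in " + jarPath);
        }
    }
}
```

A failure index above 0 with reason REVOKED points at an intermediate CA certificate rather than the signing certificate itself.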
Many Thanks Padma,
However none of the workarounds suggested enable me to launch the Java App. I am using OSX Lion.
If I choose to disable the Java Preference "Enable online certificate validation" then I get "Cannot Validate Certificate".
If this preference is enabled then I get "Certificate has been revoked". In both instances I have the Java Preference "Check certificates for revocation using Certificate Revocation Lists (CRLs)" disabled.
This behaviour does not change even if I change the setting in Keychain Access Preferences to turn CRL to 'Off'.
I attach the screenshots of this for your clarification:
I understand then that this is the fault of Verisign, but would really appreciate a way to overcome this on my machine. Please advise what can be done. Many Thanks.
For OSX, please change both CRL and OCSP checking to off under Keychain>Preferences>Certificates and let us know the outcome.
Thanks for the suggestion, I tried that too with no success I'm afraid.
There doesn't seem to be any combination of settings to turn this off as far as I can see.
Any other ideas?
What is the exact error message that you receive while trying to access UCS PE via web browser?
Have you tried from a system running a different OS?