UCS Manager 2.0(1t): Failed to validate certificate. Certificate

Maurici Garcia
Level 1

Hi,

I have 4 UCS B230M1 Blades and since the update to 2.0(1) from 1.4(3q), I can't launch UCS Manager; Java throws the exception: "Certificate has been revoked"

It seems that the certificate used to sign the java code has been revoked, so this is a very important security exception.

How can I solve it?

Nowadays, if I want to run the UCS Manager, I must run the "Java Control Panel" and uncheck

  - Check certificates for revocation using CRLs

  - Enable Online certificate validation

Here you have the exception details:

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked

    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)

    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)

    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:173)

    at sun.security.validator.Validator.validate(Validator.java:218)

    at sun.security.validator.Validator.validate(Validator.java:187)

    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:601)

    at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(AppPolicy.java:268)

    at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(LaunchDownload.java:1825)

    at com.sun.javaws.LaunchDownload.checkSignedResources(LaunchDownload.java:1508)

    at com.sun.javaws.Launcher.prepareResources(Launcher.java:1232)

    at com.sun.javaws.Launcher.prepareAllResources(Launcher.java:621)

    at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:327)

    at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:199)

    at com.sun.javaws.Launcher.launch(Launcher.java:116)

    at com.sun.javaws.Main.launchApp(Main.java:416)

    at com.sun.javaws.Main.continueInSecureThread(Main.java:248)

    at com.sun.javaws.Main$1.run(Main.java:110)

    at java.lang.Thread.run(Thread.java:662)

Caused by: java.security.cert.CertPathValidatorException: Certificate has been revoked

    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)

    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)

    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)

    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)

    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)

    ... 17 more



Thanks for your help.


padramas
Cisco Employee

Hello Maurici,

What OS and Java version do you have on the system from which you are trying to launch UCSM?

Did you try launching UCSM from a different system?

Do you use third-party certs or self-signed certs on the FI?

scope security

show keyring detail

Look for the Validity > Not After field.

Has it expired?

Padma

Hello padramas,

I have tried it with Windows 7 and GNU/Linux:

- Windows 7 java version =  "1.6.0_25"

- Gnu/Linux java version = "1.6.0_26"

I'm using "Keyring Default".

I have regenerated the default key ring (scope security ...), but this hasn't solved the problem.

After regenerating and cleaning certificates in my Java runtime, the first time I launch "UCS Manager" it throws this warning:

But the problem hasn't been solved. The java application throws the exception "Certificate has been revoked"

The problem is with the certificate used to sign the code, not used for SSL connections to the UCS.

Thanks for your help.

Hi, my name is Saleem,

I have the same issue with another customer, running version 1.4. Do you have the document to generate the certificate? Let me know.

Saleem

sroumaldaro@unislumin.com.

Saleem,

Steps to regenerate the self-signed certificate are documented here:

http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/cli/config/guide/2.0/b_UCSM_CLI_Configuration_Guide_2_0_chapter_0110.html#task_7052CA63F06F49D29F58D6BA1CF99993

Even though it is a 2.0 doc, it also applies to version 1.4.

Padma

Hi Padma,

Thanks, will certainly give it a try.

Saleem Roumaldaro

Service Consultant

Softchoice Corporation

Direct:905 847 6800 ext. 5334

Toll free: 888 436 5555

Fax: 905 847 6584

Maurici,

Not sure why CRL verification and online verification are not enabled in my Java preferences by default (Fedora 14, Sun Java v6 U 24) or on a test machine, W2K8 with Java v6 Update 30.

If I enable it, UCSM fails to launch as the trust certs in the chain (Verisign) used by the Cisco cert have been revoked.

http://www.verisign.com/repository/crl.html

I will check it out with the development team and will get back to you.

HTH

Padma

Maurici,

I have submitted the following defect to further investigate this issue.

CSCtx30115

Could not launch UCSM Java exception Certification has been revoked

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx30115

It will take a while to get published.

HTH

Padma

Maurici,

With this defect, we have replaced the certificate used for signing the jars application.

Once it completes testing, it will be integrated in the next patch release.

Padma

Hi,

I've also been experiencing this issue using the UCS PE appliance, and have spent quite some time trying to resolve what seemed like a local certificate issue.  Can you confirm when the next release of that will be available with this patch?

Also, is there an easy/quicker way to work around this issue without having to redeploy the PE appliance?

The instructions to regenerate a self-signed certificate seem quite involved. Can you advise on the specific procedure that is required? Is there a way to do this without having to submit to Verisign?

Finally, why would the certificate be revoked? Is the issue with Verisign or the certificates supplied with the PE appliance?

Many Thanks in advance for your help.

Dan

Dan,

The Java application uses a Cisco certificate for which the public root certificate is provided by Verisign. The intermediate trust certs (which are Verisign certs) in the chain have been revoked by Verisign.

http://www.verisign.com/repository/crl.html

As a resolution, we use a new certificate signed by Verisign where the trust certs are still valid.

If you are observing the same exact error message with UCSPE, you can disable the Enable CRL verification configuration option in the Java settings on the client system.

Regeneration of the self-signed cert is not required as it is used for SSL (https) connectivity and not for the Java application.

Hope I was able to clarify your concerns.

Padma
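
The situation described in the reply above, as an added example that is not part of the thread or of Cisco's code: a code-signing certificate that is itself not revoked still fails the revocation check because an intermediate CA in its chain is listed on the issuer's CRL. It uses the Python `cryptography` package; every name, key and the fixed clock are constructed for the demonstration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2012, 1, 1)  # constructed fixed clock

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(cn, issuer_cn, issuer_key, is_ca):
    """Issue a constructed test certificate; issuer_key=None means self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def make_crl(issuer_cn, issuer_key, revoked_serials):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn))
               .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW)
        builder = builder.add_revoked_certificate(entry.build())
    return builder.sign(issuer_key, hashes.SHA256())

def first_revoked(chain, crls):
    """chain is leaf -> root. Return the CN of the first revoked certificate, else None."""
    issuers = {c.subject: c for c in chain}
    for cert in chain[:-1]:  # the root is the trust anchor and is not checked
        for crl in crls:
            # Skip CRLs from another issuer or not signed by this certificate's issuer.
            if crl.issuer != cert.issuer or not crl.is_signature_valid(issuers[cert.issuer].public_key()):
                continue
            if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
                return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return None

def demo(revoke_intermediate):
    root, root_key = issue("Constructed Root CA", "Constructed Root CA", None, True)
    inter, inter_key = issue("Constructed Signing CA", "Constructed Root CA", root_key, True)
    signer, _ = issue("Constructed Code Signer", "Constructed Signing CA", inter_key, False)
    root_crl = make_crl("Constructed Root CA", root_key, [inter.serial_number] if revoke_intermediate else [])
    inter_crl = make_crl("Constructed Signing CA", inter_key, [])  # signer itself is never revoked
    return first_revoked([signer, inter, root], [root_crl, inter_crl])
```

The check reports the intermediate, not the signer, which is why regenerating the key ring used for HTTPS has no effect on this error.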

Many Thanks Padma,

However, none of the workarounds suggested enable me to launch the Java app. I am using OSX Lion.

If I choose to disable the Java Preference "Enable online certificate validation" then I get "Cannot Validate Certificate".

If this preference is enabled then I get "Certificate has been revoked".  In both instances I have the Java Preference "Check certificates for revocation using Certificate Revocation Lists (CRLs)" disabled.

This behaviour does not change even if I change the setting in Keychain Access Preferences to turn CRL to 'Off'.

I attach the screenshots of this for your clarification:

I understand then that this is the fault of Verisign, but would really appreciate a way to overcome this on my machine. Please advise what can be done. Many Thanks.

Dan

Dan,

For OSX, please change both CRL and OCSP checking to off under Keychain>Preferences>Certificates and let us know the outcome.

Padma

Thanks for the suggestion, I tried that too with no success I'm afraid.

There doesn't seem to be any combination of settings to turn this off as far as I can see.

Any other ideas?

Dan

Dan,

What is the exact error message that you receive while trying to access UCS PE via web browser?

Have you tried from a system running a different OS?

Padma
