UCS Manager - Unknown Certificate

Andreas Sartori
Level 1

We have a brand-new UCS and upgraded to 2.0(2r). Now we have a problem with launching the UCSM and the KVM tool. The problem is not the HTTPS certificate (we installed a commercial one); this one works. But when launching the Java Web Start tools, we get errors.

UCS Manager - Unknown Certificate

---------

Unable to authenticate the site certificate

Do you want to Accept or Reject...

It doesn't matter on which platform we are using the UCSM (Linux, Windows (brand-new Java 6u33), Mac). The problem seems to be the Java signing certificate.

Can anyone help?

-andreas

12 Replies

padramas
Cisco Employee

Andreas,

Is the error for the UCSM jar file or the HTTPS SSL certificate?

Can you please share the screenshot of the error message and, if there are any links for "more details", click on them and share the detailed error information.

Since you are using a third-party certificate for HTTPS, does your client browser have the necessary trust certificates?

Padma

Hello padramas,

In addition to the screenshot I want to add the following:

- I now test everything with OS X 10.7 (since I use it as my primary workstation). If needed, I can do tests on my Windows virtual machine too.

- It's the same error in all web browsers (after launching Java Web Start) and when starting from the command line with javaws -> I assume it's not the HTTPS site certificate causing the error

- Just to be safe I added the chain to the Java keystore and checked with keytool -list

- The certificate from "Cisco Systems" used for signing is trusted (up to the root certificate from VeriSign)

- I don't know when the blue text "more details" vanished, but I know there was something about the "Cisco Systems" certificate

- In the Java preferences I deactivated: "Enable online certificate validation" and "Check certificates for revocation..."

regards

-andreas

Humm,

After some more hours and finding some more logfiles (centrale_* logs), it seems that Java is not trusting the website certificate (even though I installed the chain in the keystore). I imported the host certificate into the keystore and now it's working. Is there a way to trust a chain in the Java keystore? So it clearly is the website certificate and not the Java one. I am sorry for assuming this. The HTTPS website is providing the following SSL chain (openssl s_client connect output)

After some more digging and searching the CA keystore from Java I found:

My certificate from the chain (certificate from Comodo)

Owner: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

Serial number: 484bacf1aac7d71343d1a27435499725

Certificate from keystore

Owner: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US

Serial number: 44be0c8b500024b411d3362afe650afd

2 certificates with the same CN but different serial numbers. Could that be the problem? I added the certificate, the TERENA intermediate and the UTN-USERFirst intermediate to the keystore and it still doesn't work...

Any ideas?

-andreas
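The comparison made in the post above, as an added example that is not part of the original thread: a small parser for the Owner/Issuer/Serial layout that `keytool -list -v` prints, which flags entries that share a subject but are different certificates and shows whether each is self-signed or issued by another CA. The alias names are constructed labels; the Owner, Issuer and serial values are the two entries quoted in the post.

```python
import re
from collections import defaultdict

# Constructed input: the two entries quoted in the post, with made-up alias
# names, in the layout printed by `keytool -list -v`.
SAMPLE = """\
Alias name: served-chain-intermediate
Owner: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 484bacf1aac7d71343d1a27435499725

Alias name: java-keystore-entry
Owner: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Serial number: 44be0c8b500024b411d3362afe650afd
"""

FIELD = re.compile(r"^(Alias name|Owner|Issuer|Serial number):\s*(.+?)\s*$")

def parse_entries(text):
    """Split keytool-style output into one dict per certificate."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key in current:          # a repeated field starts the next entry
            entries.append(current)
            current = {}
        current[key] = value
    if current:
        entries.append(current)
    return entries

def kind(entry):
    """Self-signed means subject and issuer are the same name."""
    return "self-signed" if entry["Owner"] == entry["Issuer"] else "issued-by-other-ca"

def same_subject_variants(entries):
    """Group by subject; keep subjects that appear with more than one serial."""
    by_owner = defaultdict(list)
    for e in entries:
        by_owner[e["Owner"]].append(e)
    return {o: es for o, es in by_owner.items()
            if len({e["Serial number"] for e in es}) > 1}

if __name__ == "__main__":
    for owner, group in same_subject_variants(parse_entries(SAMPLE)).items():
        print(owner)
        for e in group:
            print(f"  {e['Alias name']}: {kind(e)}, serial {e['Serial number']}")
```

A shared CN with different issuers and serials means two distinct certificates for the same name, so a match on CN alone does not show which one a chain actually uses.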

Andreas,

We had an issue with an older version of UCSM where the Java application was signed with a certificate that was revoked by VeriSign.

https://supportforums.cisco.com/thread/2124627?tstart=60

As you are running UCSM version 2.0.2r, it should not be an issue.

From the screenshot, it looks like an issue with the SSL certificate for HTTPS.

SSH into the Fabric Interconnect (FI) and provide the following output

scope security

show keyring detail

Padma

Uploaded as attachment

-andreas

As trustpoint I created a new one with the certificate chain.

-andreas

Andreas,

Do we still experience the problem? If yes, what happens when we launch UCSM from a Windows PC?

I would suggest you open a TAC service request with the above information and the UCSM tech support bundle for further investigation.

UCSM client logs would also be helpful.

Windows XP: C:\Documents and Settings\Your User Name\Application Data\Sun\Java\Deployment\log\.ucsm

Windows 7: C:\Users\[username]\AppData\LocalLow\Sun\Java\Deployment\log\.ucsm

Padma

Hello padramas,

From Windows (Win XP + newest JRE) the same happens. Maybe we should open a TAC service request. Thanks for your help.

regards

-andreas

Any updates on this issue from your TAC service request? We are running into the exact same issues.

Hello Seth,

Are you using a self-signed certificate or a third-party certificate?

Please check the validity of the certificate by executing the following commands

scope security

show keyring detail

Padma

We have never opened a TAC request. We are in a large project right now and don't have the time to debug this issue. If you have a solution, please post it here.

Which CA / sub authorities are you using?

regards

andreas

walshliam
Level 1

I had this problem as well. I fixed my issue by deleting the certificates in Preferences - Java - Security - Manage Certificates. Then relaunch the application and select "Always trust connections to websites identified by this certificate" (see screenshot).

Hope this helps.
