06-14-2012 01:27 AM - edited 03-01-2019 10:27 AM
We have a brand-new UCS and upgraded to 2.0(2r). Now we have a problem with launching the UCSM and the KVM tool. The problem is not the https certificate (we installed a commercial one); this one works. But when launching the Java Web Start tools, we get errors.
UCS Manager - Unknown Certificate
---------
Unable to authenticate the site certificate
Do you want to Accept or Reject...
It doesn't matter on which platform we are using the UCSM (Linux, Windows (brand-new java6u33), Mac). The problem seems to be the Java signing certificate.
Can anyone help?
-andreas
06-14-2012 06:53 AM
Andreas,
Is the error for the UCSM jar file or the https SSL certificate?
Can you please share a screenshot of the error message and, if there are any links for "more details", click on them and share the detailed error information.
Since you are using a third-party certificate for https, does your client browser have the necessary trust certificates?
Padma
06-14-2012 11:14 AM
Hello padramas,
In addition to the screenshot I want to add the following:
- I am now testing everything with OS X 10.7 (since I use it as my primary workstation). If needed, I can do tests on my Windows virtual machine too.
- It's the same error on all web browsers (after launching Java Web Start) and when starting from the command line with javaws -> I assume it's not the https site certificate causing the error
- Just to be safe I added the chain to the Java keystore and checked with keytool -list
- The certificate used for signing, from "Cisco Systems", is trusted (up to the root certificate from Verisign)
- I don't know when the blue text "more details" vanished, but I know there was something about the "Cisco Systems" certificate
- In the Java preferences I deactivated: "Enable online certificate validation" and "Check certificates for revocation..."
Regards
-andreas
06-14-2012 02:04 PM
Hmm,
After some more hours and finding some more logfiles (centrale_* logs), it seems that Java is not trusting the website certificate (even though I installed the chain in the keystore). I imported the host certificate into the keystore and now it's working. Is there a way to trust a chain in the Java keystore? So it clearly is the website certificate and not the Java one. I am sorry for assuming this. The https website is providing the following SSL chain (openssl s_client connect output)
After some more digging and searching the CA keystore from Java I found:
My certificate from the chain (certificate from Comodo)
Owner: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 484bacf1aac7d71343d1a27435499725
certificate from keystore
Owner: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Issuer: CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US
Serial number: 44be0c8b500024b411d3362afe650afd
2 certificates with the same CN but different serial numbers. Could that be the problem? I added the certificate, the TERENA intermediate and the UTN-USERFirst intermediate to the keystore and it still doesn't work...
Any ideas?
-andreas
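The comparison described in the post above, as an added example that is not part of the original thread: a Python sketch that parses `keytool -list -v` style Owner/Issuer/Serial lines, groups certificates by subject, and lists issuers that have no entry of their own in the set. The sample text is constructed from the two entries quoted in the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the two entries quoted in the post, in keytool's layout.
UTN = ("CN=UTN-USERFirst-Hardware, OU=http://www.usertrust.com, "
       "O=The USERTRUST Network, L=Salt Lake City, ST=UT, C=US")
ADDTRUST = ("CN=AddTrust External CA Root, OU=AddTrust External TTP Network, "
            "O=AddTrust AB, C=SE")
KEYTOOL_TEXT = (
    f"Owner: {UTN}\nIssuer: {ADDTRUST}\n"
    "Serial number: 484bacf1aac7d71343d1a27435499725\n"
    f"Owner: {UTN}\nIssuer: {UTN}\n"
    "Serial number: 44be0c8b500024b411d3362afe650afd\n"
)

ENTRY = re.compile(
    r"^Owner: (?P<owner>.+)\nIssuer: (?P<issuer>.+)\n"
    r"Serial number: (?P<serial>[0-9a-fA-F]+)", re.M)

def parse_entries(text):
    """Return one dict per certificate with owner, issuer and serial."""
    return [{k: v.strip() for k, v in m.groupdict().items()}
            for m in ENTRY.finditer(text)]

def variants_by_subject(entries):
    """Subjects that appear more than once, with serial and issuance kind.

    Owner == Issuer only means the certificate is self-issued by name;
    it does not verify the signature.
    """
    groups = defaultdict(list)
    for e in entries:
        kind = "self-issued" if e["owner"] == e["issuer"] else "issued-by-other"
        groups[e["owner"]].append((e["serial"].lower(), kind))
    return {s: v for s, v in groups.items() if len(v) > 1}

def missing_issuers(entries):
    """Issuer names with no matching Owner entry in the parsed set."""
    owners = {e["owner"] for e in entries}
    return sorted({e["issuer"] for e in entries if e["issuer"] not in owners})

if __name__ == "__main__":
    certs = parse_entries(KEYTOOL_TEXT)
    for subject, variants in variants_by_subject(certs).items():
        print(subject, variants)
    print("issuers not present:", missing_issuers(certs))
```

Two entries with the same Owner but different Issuer and serial number are distinct certificates, so a store holding only the self-issued one does not contain the certificate the server sends.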
06-17-2012 02:45 AM
Andreas,
We had an issue with an older version of UCSM where the Java application was signed with a certificate that was revoked by Verisign.
https://supportforums.cisco.com/thread/2124627?tstart=60
As you are running UCSM version 2.0.2r, it should not be an issue.
From the screenshot, it looks like an issue with the SSL certificate for https.
SSH into the Fabric Interconnect (FI) and provide the following output
scope security
show keyring detail
Padma
06-18-2012 10:14 AM
06-18-2012 10:15 AM
As trustpoint I created a new one with the certificate chain.
-andreas
06-18-2012 10:34 AM
Andreas,
Do we still experience the problem? If yes, what happens when we launch UCSM from a Windows PC?
I would suggest you open a TAC service request with the above information and a UCSM tech support bundle for further investigation.
UCSM client logs would also be helpful.
Windows XP: C:\Documents and Settings\Your User Name\Application Data\Sun\Java\Deployment\log\.ucsm
Windows 7: C:\Users\[username]\AppData\LocalLow\Sun\Java\Deployment\log\.ucsm
Padma
06-18-2012 10:51 AM
Hello padramas,
From Windows (Win XP + newest JRE) the same happens. Maybe we should open a TAC service request. Thanks for your help.
Regards
-andreas
07-31-2012 12:37 PM
Any updates on this issue from your TAC service request? We are running into the exact same issues.
07-31-2012 11:04 PM
Hello Seth,
Are you using a self-signed certificate or a third-party certificate?
Please check the validity of the certificate by executing the following commands
scope security
show keyring detail
Padma
08-03-2012 11:06 AM
We have never opened a TAC request. We are in a large project right now and don't have the time to debug this issue. If you have a solution, please post it here.
Which CA / sub authorities are you using?
Regards
andreas
07-10-2013 08:36 AM
I had this problem as well. I fixed my issue by deleting the certificates in Preferences - Java - Security - Manage Certificates. Then relaunch the application and select "Always trust connections to websites identified by this certificate" (see screenshot).
Hope this helps.