CA WA Agent: FTPS (FTP over SSL) java.security.cert.CertificateException: signature verification failed

Article ID: 130253

Products

DSERIES- SERVER
CA Workload Automation DE - System Agent (dSeries)

Issue/Introduction

When executing an FTPS (FTP over SSL) job on CA WA Agent, the agent gets this error:
 
234 AUTH command ok. Expecting TLS Negotiation.
Certificate [1] issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA .......
java.security.cert.CertificateException: signature verification failed - 
Certificate issuer: CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, 
L=xxxxxx, ST=Greater Manchester, C=GB is not in the client keystore.

Cause

The CA WA Agent does not trust the certificate presented by the FTPS server because its issuer is not in the agent's client keystore. The certificate needs to be added to the WA Agent's client keystore.

Environment

CA WA Agent 11.3 / 11.4
OS: Any

Resolution

The CA WA Agent can add certificates that are not already in its keystore. Add the following line to agentparm.txt and restart the agent:
ftp.client.ssl.accept_new_ca=true

Additional Information

Note: This setting allows the WA Agent to add any new certificate it receives. It may be set temporarily so that the agent can add the certificates from known hosts, and then turned off or set to 'false' once all the required certificates have been added.
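
To confirm the setting was turned back off after the certificates were added, the following check reports its state in an agentparm.txt file. It is an added example, not part of the original article or the product. It assumes "#" starts a comment line, and it conservatively treats any uncommented occurrence set to true (any letter case, spaces around "=") as enabled, since the article does not say how the agent resolves duplicates.

```shell
#!/bin/sh
# Report ftp.client.ssl.accept_new_ca in an agentparm.txt file.
# Prints enabled, disabled, unset or unreadable.
# Returns 1 when enabled so it can gate a scheduled compliance check.
accept_new_ca_state() {
    parm_file=$1
    [ -r "$parm_file" ] || { echo "unreadable"; return 2; }
    state=$(awk '
        BEGIN { state = "unset" }
        {
            sub(/\r$/, "")                 # tolerate CRLF line endings
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/) next          # assumption: "#" starts a comment
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != "ftp.client.ssl.accept_new_ca") next
            # Any active "true" wins: safest reading when the key is duplicated.
            if (tolower(val) == "true") state = "enabled"
            else if (state != "enabled") state = "disabled"
        }
        END { print state }
    ' "$parm_file")
    echo "$state"
    [ "$state" != "enabled" ]
}

if [ $# -gt 0 ]; then
    accept_new_ca_state "$1"
else
    # Constructed sample, not a real agent configuration.
    sample=$(mktemp)
    printf '%s\n' '# ftp.client.ssl.accept_new_ca=false' \
        'ftp.client.ssl.accept_new_ca = true' > "$sample"
    accept_new_ca_state "$sample" || true
    rm -f "$sample"
fi
```

Run it with the path to the agent's agentparm.txt as the only argument; a non-zero exit status means the setting is still enabled or the file could not be read.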