Created an empty keystore and generated a certificate request which is used to generate a new certificate.

Imported the certificate to the keystore and replace <WCC>\data\config\.keystore with the new keystore.

After WCC is restarted, user could not get the WCC login page.

The following error was observed in CA-wcc.log:

INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 | Caused by: java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1082)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:267)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  ... 19 more
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 | Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:385)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:309)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
INFO   | jvm 1    | 2020/01/02 09:38:57 |        2 |  ... 26 more

Release : 11.3.6

Component : WORKLOAD CONTROL CENTER

A certificate with alias legacyagents was removed from the original keystore.

The following commands are used to export/import certificate from/into keystore

to export:

keytool -export -alias -file -keystore

to import:

keytool -import -alias -file -keystore

Whenever you change any Keystore make sure that "legecyagents" alias certificate should present in WCC Keystore file (.keystore)

The procedure to request and use a certificate from a Trusted Certificate Authority, is documentated at the following URL:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/intelligent-automation/workload-automation-ae-and-workload-control-center/11-3-6-SP4/installing/ca-wcc-implementation/customizing-secure-access-to-ca-wcc.html#concept.dita_0a8d614752e8ba6e83c98a178362ce1ed0b10bcc_HowtoRequestandUseaCertificateFromaTrustedCertificateAuthority