OneClick SSL webpage is not displayed

book

Article ID: 143250

calendar_today

Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

OneClick configured for SSL displays an error message (this website cannot be reached). I have uncommented the connector section in the server.xml located under $SPECROOT/tomcat/conf (connector section) and restarted tomcat. 

Cause

Check tomcat log for the following error:

SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
      at org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Alias name [null] does not identify a key entry

The certificate imported is using the wrong key entry for the tomcatssl alias. 

The keystore is missing private key and the certificate imported is a trustedCertEntry instead of PrivateKeyEntry 

To verify this run the keytool command and list the certificates:

keytool -list -v -keystore mykeystore.jks -alias tomcat
Enter keystore password:
Alias name: tomcat
Creation date: December 22, 2019
Entry type: trustedCertEntry

Ensure the certificates are imported as PrivateKeyEntry and not a trustedCertEntry 

 

Here an example of the expected entries:

$ keytool -v -list -keystore ../../custom/keystore/cacerts -alias tomcatssl
Enter keystore password:
Alias name: tomcatssl
Creation date: Aug 6, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 3

Note:
No 'Certificate chain length' means that the required intermediate certificates are not imported
'Entry type' is 'trustedCertEntry' means that the Private key is not added to the certificate.

Environment

Release: 10.4.x

Component : Spectrum OneClick

Resolution

Depending on the Certificate Authority from which you obtained the signed certificate, you also need to import the intermediate certificate.

Your certificate must be imported last.

Here an example:

./keytool -import -alias root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file root_chain_certificate_filename

./keytool -import -alias intermediate -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file intermediate_certificate_filename

./keytool -import -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_certificate_filename

Additional Information

If the alias being used is not tomcat or tomcatssl add the following parameters to the server.xml:

 <Connector
           port="8443"
           enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
           acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
           keystoreFile="C:/win32app/Spectrum/custom/keystore/cacerts"
           keystorePass="changeit"
           keyAlias="<alias-name>" keyPass="<password>">
     </Connector>