SDM connection to PAM is lost after restart
Article ID: 186632

Products

CA Service Desk Manager CA Service Management - Service Desk Manager ServiceDesk

Issue/Introduction

After SDM services are restarted (either for planned maintenance or after an unplanned outage), we receive the following error message when attempting to connect to PAM workflows:

"There is a problem accessing CA IT PAM Workflow - please try again or contact the administrator. Details: ; nested exception is: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)"

This seems to happen even after following the approaches documented in "Enabling SDM to ITPAM Communications When ITPAM is SSL Enabled".

Environment

Service Desk Manager v17.2 and higher

Cause

For unknown reasons, the keystore access/contents appear to get mixed up.

Resolution

  1. Back up NX.env, pdmconf/NX.env_NT.tpl, pdmconf/NX.keystore and site/client_NX.env.

  2. Delete the @NX_KEYSTORE_REF entry from NX.env, NX.env_NT.tpl and client_NX.env.

  3. Delete the pdmconf/NX.keystore file and restart Service Desk. At this point the SDM -> PAM integration fails with an SSL missing-certificate error.

  4. Open a command prompt and execute these commands:
    This command shows the 8.3 notation of the SDM installation folder:
    type c:\windows\paradigm.ini

    Example result:
    C:\Users\Administrator>type c:\windows\paradigm.ini
    [PARADIGM]
    NX_ROOT=C:/PROGRA~2/CA/SERVIC~1
    NX_LOCAL=C:/PROGRA~2/CA/SERVIC~1

    NX_OS_TYPE=WINNT
    [Product]
    type=CA Service Desk Manager
    version=17.0.0.228
    C:\Users\Administrator>

    This next command shows the location of the JRE that SDM is using, so that we can navigate to that directory:
    nx_env | findstr /i JRE

    Example result:
    C:\Users\Administrator>nx_env | findstr /i JRE
    NX_JRE_INSTALL_DIR=C:/Program Files (x86)/CA/SC/JRE/11.0.18
    NX_JDBC_DRIVER_CLASSPATH=C:/PROGRA~2/CA/SERVIC~1/java/lib/mssql-jdbc-7.2.2.jre8.jar;C:/PROGRA~2/CA/SERVIC~1/java/lib/ojdbc8.jar

    This next command changes the current working directory to the bin folder within the JRE installed with Service Desk:

    cd "C:/Progra~2\CA\SC\JRE\11.0.18\bin"

    Example result:
    C:\Users\Administrator>cd C:/Progra~2/CA/SC/JRE/11.0.18\bin

    C:\Program Files (x86)\CA\SC\JRE\11.0.18\bin>

  5. Import the ITPAM certificates into a new keystore. (The steps below assume a PAM server SSL certificate called capamtest.cer, issued by capamtestissuing.cer, which in turn was issued by the root CA capamtestroot.cer.)
    keytool -importcert -file c:\progra~1\CA\servic~1\pdmconf\capamtest.cer -keystore ..\lib\security\cacerts -storepass changeit -alias capam

    keytool -importcert -file c:\progra~1\CA\servic~1\pdmconf\capamtestissuing.cer -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias pam-issuing

    keytool -importcert -file c:\progra~1\CA\servic~1\pdmconf\capamtestroot.cer -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias pam-root
  6. ON PRIMARY SERVER:
    In Windows, copy the resulting "cacerts" file from the previous step to C:/Program Files/CA/SC/JRE/11.0.1/lib/security/

  7. ON SECONDARY SERVERS:
    Navigate to C:/Program Files/CA/SC/JRE/11.0.1/lib/security/ and replace the cacerts file with the file from step 5 above.

  8. Restart Service Desk.

If the JRE is upgraded in the future, the certificates need to be imported again into the upgraded JRE.
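
A post-import check for steps 5 to 8, and for the JRE upgrade case noted above, written as an added PowerShell example that is not part of the original article. It assumes nx_env is on the PATH and uses the aliases and store password shown in step 5; the parameter names are hypothetical.

```powershell
# Added example (not from the article): confirm the three PAM certificates from
# step 5 are in the cacerts truststore of the JRE that SDM is actually using.
param(
    [string[]]$Aliases   = @('capam', 'pam-issuing', 'pam-root'),  # aliases used in step 5
    [string]  $StorePass = 'changeit',                             # store password used in step 5
    [switch]  $Backup                                              # copy cacerts aside first
)

# Resolve the JRE directory the same way step 4 does (nx_env must be on PATH).
$match = nx_env | Select-String -Pattern '^NX_JRE_INSTALL_DIR=' | Select-Object -First 1
if (-not $match) { throw 'NX_JRE_INSTALL_DIR not found in nx_env output' }
$jre     = ($match.Line -split '=', 2)[1].Trim()
$keytool = Join-Path $jre 'bin\keytool.exe'
$cacerts = Join-Path $jre 'lib\security\cacerts'
foreach ($p in $keytool, $cacerts) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
}

# Optional dated copy, so the truststore can be restored before it is replaced.
if ($Backup) {
    $copy = '{0}.{1}.bak' -f $cacerts, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $cacerts -Destination $copy -ErrorAction Stop
    Write-Host "Backup written to $copy"
}

$missing = @()
foreach ($alias in $Aliases) {
    # keytool exits non-zero when the alias is absent from the keystore.
    $out = & $keytool -list -keystore $cacerts -storepass $StorePass -alias $alias
    if ($LASTEXITCODE -eq 0) {
        $fp = ($out | Select-String -Pattern 'fingerprint' | Select-Object -First 1).Line
        Write-Host "OK       $alias  $fp"
    } else {
        Write-Host "MISSING  $alias"
        $missing += $alias
    }
}

if ($missing.Count -gt 0) {
    Write-Host "Re-import needed in ${cacerts}: $($missing -join ', ')"
    exit 1
}
Write-Host "All aliases present in $cacerts"
```

Run it on the primary and on each secondary server before restarting Service Desk; the fingerprints printed for each alias should be identical on every server.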

Additional Information

This article explains how to configure SDM to work with an ITPAM installation where SSL is enabled: Enabling SDM to ITPAM Communications When ITPAM is SSL Enabled