When SDM restarts, connection to PAM is lost and Keystore must be recreated.
Article ID: 186632
Updated On:
Products
CA Service Desk Manager
SUPPORT AUTOMATION- SERVER
CA Service Desk Manager - Unified Self Service
CA Service Desk Manager - Mobile Application
CA Service Desk Manager - Xtraction
Issue/Introduction
After SDM Services are restarted (either for planned maintenance, or from unplanned outages), we receive the following error message when attempting to connect to PAM Workflows:
"There is a problem accessing CA IT PAM Workflow - please try again or contact the administrator. Details: ; nested exception is: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)"
This seems to happen even after following approaches documented in https://knowledge.broadcom.com/external/article?articleId=9538
Environment
Release : 17.2
Component : SERVICE DESK MANAGER
Cause
For some unknown reasons, the keystore access/contents seem to be getting mixed up
Resolution
1) Backup NX.env, pdmconf/NX.env_NT.tpl pdmconf/NX.keystore site/client_NX.env
2) Delete @NX_KEYSTORE_REF entry from NX.env, NX.env_NT.tpl client_NX.env
3) Delete pdmconf/NX.keystore file, Restart Service Desk, now SDM -> PAM Integration fails with SSL missing certificate error
4) Opened a command prompt to type:
5)
REM this shows the 8.3 notation of SDM install folder. example: d:\progra~1\CA\servic~1
type c:\windows\paradigm.ini
6)
REM This shows the location of JRE that SDM is using, we need to place our command prompt in that folder.
nx_env | findstr /i JRE
7)
REM Change directory now
cd "D:/Progra~1/CA/SC/JRE/11.0.1/bin"
D:
java -version
8) Import the certificates (below steps indicate a PAM server's SSL cert called capamtest.cer which was issued by capamtestissuing.cer, which was further from a root CA capamtestroot.cer)
keytool -importcert -file d:\progra~1\CA\servic~1\pdmconf\capamtest.cer -keystore ..\lib\security\cacerts -storepass changeit -alias capam
keytool -importcert -file d:\progra~1\CA\servic~1\pdmconf\capamtestissuing.cer -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias pam-issuing
keytool -importcert -file d:\progra~1\CA\servic~1\pdmconf\capamtestroot.cer -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias pam-root
9) ON PRIMARY SERVER:
In Windows, navigate to D:/Program Files/CA/SC/JRE/11.0.1/lib/security/ and copy the cacerts file.
10) ON SECONDARY SERVERS:
Navigate to D:/Program Files/CA/SC/JRE/11.0.1/lib/security/ and replace the cacerts file with the file in step 9 above
11) Restart Service Desk.
If JRE were to be upgraded in future, the certs needed to be imported again into that JRE.
2) Delete @NX_KEYSTORE_REF entry from NX.env, NX.env_NT.tpl client_NX.env
3) Delete pdmconf/NX.keystore file, Restart Service Desk, now SDM -> PAM Integration fails with SSL missing certificate error
4) Opened a command prompt to type:
5)
REM this shows the 8.3 notation of SDM install folder. example: d:\progra~1\CA\servic~1
type c:\windows\paradigm.ini
6)
REM This shows the location of JRE that SDM is using, we need to place our command prompt in that folder.
nx_env | findstr /i JRE
7)
REM Change directory now
cd "D:/Progra~1/CA/SC/JRE/11.0.1/bin"
D:
java -version
8) Import the certificates (below steps indicate a PAM server's SSL cert called capamtest.cer which was issued by capamtestissuing.cer, which was further from a root CA capamtestroot.cer)
keytool -importcert -file d:\progra~1\CA\servic~1\pdmconf\capamtest.cer -keystore ..\lib\security\cacerts -storepass changeit -alias capam
keytool -importcert -file d:\progra~1\CA\servic~1\pdmconf\capamtestissuing.cer -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias pam-issuing
keytool -importcert -file d:\progra~1\CA\servic~1\pdmconf\capamtestroot.cer -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias pam-root
9) ON PRIMARY SERVER:
In Windows, navigate to D:/Program Files/CA/SC/JRE/11.0.1/lib/security/ and copy the cacerts file.
10) ON SECONDARY SERVERS:
Navigate to D:/Program Files/CA/SC/JRE/11.0.1/lib/security/ and replace the cacerts file with the file in step 9 above
11) Restart Service Desk.
If JRE were to be upgraded in future, the certs needed to be imported again into that JRE.
Feedback
Yes
No
Powered by
