When SDM restarts, connection to PAM is lost and Keystore must be recreated.

Article ID: 186632

Products

CA Service Desk Manager
SUPPORT AUTOMATION- SERVER
CA Service Desk Manager - Unified Self Service
KNOWLEDGE TOOLS
CA Service Desk Manager - Mobile Application
CA Service Desk Manager - Xtraction

Issue/Introduction

After SDM Services are restarted (either for planned maintenance, or from unplanned outages), we receive the following error message when attempting to connect to PAM Workflows: 

"There is a problem accessing CA IT PAM Workflow - please try again or contact the administrator. Details: ; nested exception is: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)"

This seems to happen even after following approaches documented in https://knowledge.broadcom.com/external/article?articleId=9538

Cause

For unknown reasons, the keystore access/contents appear to get mixed up.

Environment

Release : 17.2

Component : SERVICE DESK MANAGER

Resolution

1) Back up NX.env, pdmconf/NX.env_NT.tpl, pdmconf/NX.keystore and site/client_NX.env.

2) Delete the @NX_KEYSTORE_REF entry from NX.env, NX.env_NT.tpl and client_NX.env.

3) Delete the pdmconf/NX.keystore file and restart Service Desk. The SDM -> PAM integration now fails with an SSL missing certificate error.

4) Open a command prompt and type the commands in the following steps:

5)
REM This shows the 8.3 notation of the SDM install folder. Example: d:\progra~1\CA\servic~1
type c:\windows\paradigm.ini

6)
REM This shows the location of the JRE that SDM is using. The command prompt needs to be placed in that folder.
nx_env | findstr /i JRE

7)
REM Change directory now
cd "D:/Progra~1/CA/SC/JRE/11.0.1/bin"
D:
java -version


8) Import the certificates (the steps below use a PAM server SSL certificate called capamtest.cer, which was issued by capamtestissuing.cer, which in turn was issued by the root CA capamtestroot.cer):

keytool -importcert -file d:\progra~1\CA\servic~1\pdmconf\capamtest.cer -keystore ..\lib\security\cacerts -storepass changeit -alias capam
keytool -importcert -file d:\progra~1\CA\servic~1\pdmconf\capamtestissuing.cer -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias pam-issuing
keytool -importcert -file d:\progra~1\CA\servic~1\pdmconf\capamtestroot.cer -trustcacerts -keystore ..\lib\security\cacerts -storepass changeit -alias pam-root

9) ON PRIMARY SERVER:
In Windows, navigate to D:/Program Files/CA/SC/JRE/11.0.1/lib/security/ and copy the cacerts file.

10) ON SECONDARY SERVERS:
Navigate to D:/Program Files/CA/SC/JRE/11.0.1/lib/security/ and replace the cacerts file with the file copied in step 9 above.

11) Restart Service Desk.

If the JRE is upgraded in the future, the certificates need to be imported again into the new JRE.
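One way to confirm steps 8 to 10 before the restart in step 11, as an added PowerShell example that is not part of the original article: it compares the SHA-256 fingerprint of each imported alias with its source .cer file, then prints the hash of cacerts so the copy on each secondary server can be compared. It assumes the paths, aliases and store password shown in step 8; the helper name Get-Sha256 is hypothetical.

```powershell
# Added example: verify the imports from step 8 and the file copied in steps 9-10.
# Paths, aliases and store password are the ones used in the article (assumed unchanged).
$jreBin  = 'D:\Progra~1\CA\SC\JRE\11.0.1\bin'
$keytool = Join-Path $jreBin 'keytool.exe'
$cacerts = Join-Path $jreBin '..\lib\security\cacerts'
$certDir = 'd:\progra~1\CA\servic~1\pdmconf'

# alias -> certificate file it was imported from
$imports = [ordered]@{
    'capam'       = 'capamtest.cer'
    'pam-issuing' = 'capamtestissuing.cer'
    'pam-root'    = 'capamtestroot.cer'
}

# Hypothetical helper: pull the "SHA256: AA:BB:..." fingerprint out of keytool output.
function Get-Sha256 ([string[]]$Lines) {
    foreach ($l in $Lines) {
        if ($l -match 'SHA256:\s*([0-9A-Fa-f:]+)') { return $Matches[1].ToUpper() }
    }
    return $null   # alias missing, wrong password, or unreadable file
}

$failed = $false
foreach ($alias in $imports.Keys) {
    $file  = Join-Path $certDir $imports[$alias]
    # Fingerprint of the entry stored in cacerts under this alias
    $inKs  = Get-Sha256 (& $keytool -list -v -keystore $cacerts -storepass changeit -alias $alias)
    # Fingerprint of the certificate file that was imported
    $inCer = Get-Sha256 (& $keytool -printcert -file $file)

    if ($inKs -and $inKs -eq $inCer) {
        Write-Output "OK       $alias  $inKs"
    } else {
        Write-Output "MISMATCH $alias  keystore=$inKs  file=$inCer"
        $failed = $true
    }
}

# Run this script on the primary and on each secondary: the hash printed here
# must be identical everywhere once step 10 is done.
$hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $cacerts).Hash
Write-Output "cacerts SHA256 on $($env:COMPUTERNAME): $hash"

if ($failed) { exit 1 }
```

A MISMATCH line with an empty keystore value means the alias is not present in that JRE's cacerts, which is also what to expect after a JRE upgrade until the import is repeated.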