
TDM Portal: After replacing our expired SSL certificates, no one is able to access Portal.


Article ID: 189740


Updated On:

Products

CA Test Data Manager (Data Finder / Grid Tools)

Issue/Introduction

We recently replaced our expiring SSL certificates with new ones. Portal appeared to work correctly after the new certificates were imported. We also had to apply a new TDM license activation key. After cycling the CA Test Data Manager Portal service, we can no longer access Portal, even though the service is up and running.

We are seeing the following error:

System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.18.47.201:443
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)

Environment

Release: 4.6 - 4.9

Component: CA Test Data Manager Portal

Cause

The TDM Portal startup.log shows the following errors, thrown by the embedded Tomcat web server while it tries to initialize the SSL socket for the HTTPS connector:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio-443"]
java.io.IOException: Alias name <your Alias Name> does not identify a key entry

The error means that the keystore holds no PrivateKeyEntry under the alias configured for the connector; a certificate imported on its own becomes a trustedCertEntry, which Tomcat cannot use to terminate TLS. The private key (with its certificate chain) must be imported into the keystore under that alias, and the CA Test Data Manager Portal service must then be cycled.

Resolution

Upon investigation, the certificate file had been imported, but not the private key. Working with the customer's security team, we imported the private key into the keystore.

Make sure the keystore file includes the private key, the server certificate, and the root and intermediate certificates. If any of these is missing from the keystore file, work with your security team to re-issue the keystore file.

Note: After importing the complete chain (trusted certificates and private key), the TDM startup.log reported an error indicating an invalid character in the keystore path. Looking closely at the keystore path defined in the application.properties file, we could not find any invalid character. The error was actually thrown because the keystore (store) password and the private-key password inside the keystore were different. To get around this issue, we synchronized the two passwords using the following keytool commands (the first changes the store password, the second changes the password of the key entry under the given alias; the keystore path and alias are the ones configured for Portal):

keytool -storepasswd -keystore <keystore file> -new <new password>
keytool -keypasswd -keystore <keystore file> -alias <your Alias Name> -new <new password>
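The following script is an added example, not part of this article or of the TDM Portal product. It checks the three keystore conditions the Cause and Resolution sections describe before the Portal service is cycled: that the connector alias is a PrivateKeyEntry rather than a bare trustedCertEntry, that the key password matches the store password, and that the entry carries an issuer chain and not just the leaf certificate. The keystore path, the alias "tdmportal" and the passwords are placeholders; build_demo_keystores constructs a throwaway root CA and the failing keystore states purely for demonstration. The chain-length check assumes a CA-issued certificate as in the article; a deliberately self-signed certificate would legitimately have a chain length of 1.

```shell
#!/bin/sh
# Added example (not from the Broadcom article): pre-flight check for the
# keystore that the TDM Portal Tomcat connector ("http-nio-443") loads.
# Exit codes: 0 ok, 1 alias not found or wrong store password,
#             2 alias is not a PrivateKeyEntry, 3 chain has only the leaf,
#             4 key password differs from the store password.
# Usage: check_tdm_keystore <keystore> <alias> <storepass> [keypass]
check_tdm_keystore() {
  ks="$1"; alias="$2"; storepass="$3"; keypass="${4:-$3}"
  # Force English keytool output so the patterns matched below are stable.
  listing=$(keytool -J-Duser.language=en -list -v -keystore "$ks" \
              -alias "$alias" -storepass "$storepass" 2>&1) || {
    echo "FAIL: alias '$alias' not found in $ks, or store password is wrong"
    return 1
  }
  # Tomcat's "does not identify a key entry" error corresponds to this check.
  if ! printf '%s\n' "$listing" | grep -q 'Entry type: PrivateKeyEntry'; then
    echo "FAIL: '$alias' is not a PrivateKeyEntry (certificate imported without its key)"
    return 2
  fi
  # -certreq must unlock the private key, so it fails when the key password
  # is not the one supplied (the article's "invalid character" red herring).
  if ! keytool -certreq -keystore "$ks" -alias "$alias" -storepass "$storepass" \
         -keypass "$keypass" -file /dev/null >/dev/null 2>&1; then
    echo "FAIL: key password for '$alias' differs from the store password"
    return 4
  fi
  chainlen=$(printf '%s\n' "$listing" | sed -n 's/^Certificate chain length: //p')
  if [ "${chainlen:-0}" -lt 2 ]; then
    echo "FAIL: '$alias' holds ${chainlen:-0} certificate(s); intermediate/root missing"
    return 3
  fi
  echo "OK: '$alias' is a PrivateKeyEntry with a ${chainlen}-certificate chain"
  return 0
}

# Constructed demo data (placeholder names, throwaway CA): the keystore states
# the article describes, written as JKS files under the directory given.
build_demo_keystores() {
  d="$1"; kt="keytool -J-Duser.language=en"; ca="$d/demo-ca.jks"
  $kt -genkeypair -keystore "$ca" -storetype JKS -storepass changeit -keypass changeit \
      -alias demoroot -dname "CN=Demo Root CA" -keyalg RSA -keysize 2048 \
      -validity 2 -ext bc:c >/dev/null 2>&1
  $kt -exportcert -keystore "$ca" -storepass changeit -alias demoroot -rfc \
      -file "$d/demoroot.cer" >/dev/null 2>&1
  # good.jks: key pair, CSR signed by the demo CA, root and reply imported
  $kt -genkeypair -keystore "$d/good.jks" -storetype JKS -storepass changeit \
      -keypass changeit -alias tdmportal -dname "CN=tdm.example.test" \
      -keyalg RSA -keysize 2048 -validity 1 >/dev/null 2>&1
  cp "$d/good.jks" "$d/selfsigned.jks"   # key entry, but chain length 1
  $kt -certreq -keystore "$d/good.jks" -storepass changeit -keypass changeit \
      -alias tdmportal -file "$d/tdm.csr" >/dev/null 2>&1
  $kt -gencert -keystore "$ca" -storepass changeit -keypass changeit -alias demoroot \
      -infile "$d/tdm.csr" -outfile "$d/tdm.cer" -rfc -validity 1 >/dev/null 2>&1
  $kt -importcert -keystore "$d/good.jks" -storepass changeit -alias demoroot \
      -file "$d/demoroot.cer" -noprompt >/dev/null 2>&1
  $kt -importcert -keystore "$d/good.jks" -storepass changeit -keypass changeit \
      -alias tdmportal -file "$d/tdm.cer" -noprompt >/dev/null 2>&1
  # certonly.jks: the article's mistake, the certificate imported without the key
  $kt -importcert -keystore "$d/certonly.jks" -storetype JKS -storepass changeit \
      -alias tdmportal -file "$d/tdm.cer" -noprompt >/dev/null 2>&1
  # mismatch.jks: the article's second problem, key and store passwords differ
  cp "$d/good.jks" "$d/mismatch.jks"
  $kt -keypasswd -keystore "$d/mismatch.jks" -storepass changeit -alias tdmportal \
      -keypass changeit -new otherpass >/dev/null 2>&1
}

# Run with --demo to see all four outcomes; otherwise source the file and call
# check_tdm_keystore against the keystore named in application.properties.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d); build_demo_keystores "$tmp"
  for name in good selfsigned certonly mismatch; do
    check_tdm_keystore "$tmp/$name.jks" tdmportal changeit || true
  done
  rm -rf "$tmp"
fi
```

The password check deliberately uses -certreq with the output sent to /dev/null rather than -keypasswd, so the script never modifies the keystore; once it reports exit code 4, the two keytool commands above are the fix. With a PKCS12 keystore the mismatch state cannot normally arise, because keytool keeps the key and store passwords identical there; the JKS type is what makes the article's scenario possible.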

Additional Information

TDM Portal: What steps are needed to import a Third Party Certificate for Portal

https://knowledge.broadcom.com/external/article?articleId=189744