DLG_FLAGS_SEC_CERT_CN_INVALID error when trying to access the Spectrum OneClick web page with SSL enabled.

book

Article ID: 194119

calendar_today

Updated On:

Products

CA Spectrum

Issue/Introduction

When trying to access the Spectrum OneClick Web Page using SSL, the browser is producing the following error:
 
This Site Is Not Secure: DLG_FLAGS_SEC_CERT_CN_INVALID

Cause

There are three possible causes for this issue:

1. Browser’s cache-related problems;

2. Problems with website’s security certificate;

3. Missing he trusted root certificate for the Certification Authority (CA) on the site.

Environment

Release : 10.3.x , 10.4.x

Component : Spectrum OneClick

Resolution

We would first recommend that the user clears the browsers cache to see if that resolves the issue. If that does not resolve the issue, the Spectrum Administrator will need to see what is in the keystore to determine if this is being caused by an issue with the server or root certificate.

To review whats in the keystore, they can run the following commands:

cd <SPECROOT>/Java/bin

./keytool -list -v -keystore <SPECROOT>/custom/keystore/cacerts

 

When the list is generated you will want to review the privatekeyentry. Below is an example:

Alias name: tomcatssl
Creation date: May 8, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3

Under this entry, you will want to ensure the root certificate is in the chain. If it is not, then it will need to be imported.

You will also want to review the certificate[1] entry as shown below:

Certificate[1]:
Owner: CN=spectrum.broadcom.com, OU=AIOPS, O=Broadcom, L=San Jose, ST=California, C=US

The CN value in the above entry must match the domain name used in the URL used to access the OneClick webpage. If these values do not match, that is what is throwing the error in the browser. The browser will try and match the CN or SAN (Subject Alternative Name) entry.

To resolve this issue, there are two options:

1. You can start with a fresh keystore and generate a self_signed certificate. Then you can create a .csr from this private key and send it to the CA. They will send you root, intermediate and server certs back to import. The steps for this are in our documentation below.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/configure-oneclick-for-secure-sockets-layer.html

2. You can have the CA send you root, intermediate and server certs that are based off of a private key the CA also generates.

 

Option 1 is generally faster but you will just need to use a self-signed certificate in the interim.