Release : 10.3.x , 10.4.x
Component : Spectrum OneClick
There are three possible causes for this issue:
1. Browser’s cache-related problems;
2. Problems with website’s security certificate;
3. Missing he trusted root certificate for the Certification Authority (CA) on the site.
We would first recommend that the user clears the browsers cache to see if that resolves the issue. If that does not resolve the issue, the Spectrum Administrator will need to see what is in the keystore to determine if this is being caused by an issue with the server or root certificate.
To review whats in the keystore, they can run the following commands:
cd <SPECROOT>/Java/bin
./keytool -list -v -keystore <SPECROOT>/custom/keystore/cacerts
When the list is generated you will want to review the privatekeyentry. Below is an example:
Alias name: tomcatssl
Creation date: May 8, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Under this entry, you will want to ensure the root certificate is in the chain. If it is not, then it will need to be imported.
You will also want to review the certificate[1] entry as shown below:
Certificate[1]:
Owner: CN=spectrum.broadcom.com, OU=AIOPS, O=Broadcom, L=San Jose, ST=California, C=US
The CN value in the above entry must match the domain name used in the URL used to access the OneClick webpage. If these values do not match, that is what is throwing the error in the browser. The browser will try and match the CN or SAN (Subject Alternative Name) entry.
To resolve this issue, there are two options:
1. You can start with a fresh keystore and generate a self_signed certificate. Then you can create a .csr from this private key and send it to the CA. They will send you root, intermediate and server certs back to import. The steps for this are in our documentation below.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/spectrum/10-4/administrating/oneclick-administration/oneclick-server-communications-and-network-configuration/configure-oneclick-for-secure-sockets-layer.html
2. You can have the CA send you root, intermediate and server certs that are based off of a private key the CA also generates.
Option 1 is generally faster but you will just need to use a self-signed certificate in the interim.