
Autosys Web Services SSL port is not available after upgrade from 11.x to 12.x


Article ID: 215932


Products

CA Workload Automation AE - Scheduler (AutoSys)

Issue/Introduction

The Autosys Web Services SSL URL no longer works after an upgrade from 11.3.6 to 12.0/12.0.1.

Environment

Release : 12.0

Component : CA Workload Automation AE (AutoSys)

Cause

The keystore of the 11.3.6 Autosys Web Server was not migrated to 12.x during the upgrade.

 

waae_webservices_wrapper.log shows the error described in: https://knowledge.broadcom.com/external/article?articleId=215930

 

cawa_installer.log contains the warning messages below:

 

2021-05-22 21:32:03,720 [main] INFO  com.ca.wla.ae.installer.util.CommandUtil - Read error stream = Warning:
2021-05-22 21:32:03,720 [main] INFO  com.ca.wla.ae.installer.util.CommandUtil - Read error stream = The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/CA/WorkloadAutomationAE/autouser.RLS/webserver/conf/.keystore_1621744322464 -destkeystore /opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/.keystore_1621744322464 -deststoretype pkcs12".
2021-05-22 21:32:03,737 [main] DEBUG com.ca.wla.ae.installer.util.CommandUtil - RetVal =0
2021-05-22 21:32:03,737 [main] DEBUG com.ca.wla.ae.installer.util.CommandUtil - RetVal =0
2021-05-22 21:32:03,737 [main] INFO  com.ca.wla.ae.installer.util.KeyStoreUtil - Alias from server.xml : rootca
2021-05-22 21:32:03,737 [main] INFO  com.ca.wla.ae.installer.util.KeyStoreUtil - Keystore update started by command .../opt/CA/WorkloadAutomationAE/JRE_WA/bin/keytool -importkeystore -srckeystore /opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/.keystore_1621744322464  -destkeystore /opt/CA/WorkloadAutomationAE/autouser.RLS/webserver/conf/.keystore -srcstoretype JKS -deststoretype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /r12_dvd_mount/modules/JARS/bc-fips-1.0.1.jar -srcalias rootca -destalias rootca  -srcstorepass changeit -deststorepass changeit -srckeypass changeit -destkeypass changeit
2021-05-22 21:32:09,118 [main] INFO  com.ca.wla.ae.installer.util.CommandUtil - Read error stream = Importing keystore /opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/.keystore_1621744322464 to /opt/CA/WorkloadAutomationAE/autouser.RLS/webserver/conf/.keystore...
2021-05-22 21:32:09,210 [main] INFO  com.ca.wla.ae.installer.util.CommandUtil - Read error stream = Problem importing entry for alias rootca: java.security.KeyStoreException: trusted certificate entries are not password-protected.
2021-05-22 21:32:09,210 [main] INFO  com.ca.wla.ae.installer.util.CommandUtil - Read error stream = Entry for alias rootca not imported.
2021-05-22 21:32:09,446 [main] DEBUG com.ca.wla.ae.installer.util.CommandUtil - RetVal =0 
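
The failure above is easy to miss: keytool's messages are logged at INFO level and the command still returns 0. The script below is an added example (not part of the original article or the product) that scans cawa_installer.log for entries keytool skipped. The function names are hypothetical, and the sample lines are the ones quoted above.

```shell
#!/bin/sh
# Added example, not Broadcom code. Function names are hypothetical.

# Write the installer log lines quoted in this article to file $1.
write_sample_log() {
    cat > "$1" <<'EOF'
2021-05-22 21:32:09,118 [main] INFO  com.ca.wla.ae.installer.util.CommandUtil - Read error stream = Importing keystore /opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/.keystore_1621744322464 to /opt/CA/WorkloadAutomationAE/autouser.RLS/webserver/conf/.keystore...
2021-05-22 21:32:09,210 [main] INFO  com.ca.wla.ae.installer.util.CommandUtil - Read error stream = Problem importing entry for alias rootca: java.security.KeyStoreException: trusted certificate entries are not password-protected.
2021-05-22 21:32:09,210 [main] INFO  com.ca.wla.ae.installer.util.CommandUtil - Read error stream = Entry for alias rootca not imported.
2021-05-22 21:32:09,446 [main] DEBUG com.ca.wla.ae.installer.util.CommandUtil - RetVal =0
EOF
}

# failed_aliases LOGFILE: print each alias keytool reported as not imported.
failed_aliases() {
    sed -n 's/.*Entry for alias \(.*\) not imported\..*/\1/p' "$1" | sort -u
}

# failure_reason LOGFILE ALIAS: print the exception keytool gave for ALIAS.
failure_reason() {
    awk -v a="$2" '{
        key = "Problem importing entry for alias " a ": "
        i = index($0, key)
        if (i) { print substr($0, i + length(key)); exit }
    }' "$1"
}

# migration_failed LOGFILE: exit status 0 if at least one alias was skipped,
# regardless of the "RetVal =0" the installer logged afterwards.
migration_failed() {
    [ -n "$(failed_aliases "$1")" ]
}

# Demo on the sample lines.
log=$(mktemp)
write_sample_log "$log"
if migration_failed "$log"; then
    for alias in $(failed_aliases "$log"); do
        echo "not imported: $alias ($(failure_reason "$log" "$alias"))"
    done
fi
rm -f "$log"
```

To check a real installation, call failed_aliases with the path to your own cawa_installer.log.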

Resolution

Because the keystore migration failed with the keytool error, the keystore must be migrated manually and/or a new certificate must be requested for the Autosys Web Server in r12.

 

Note: make sure the $AUTOUSER variable is set and points to the correct AUTOUSER location, for example: /opt/CA/WorkloadAutomationAE/autouser.ACE

 

Keystore Migration:

1) Identify the keystore associated with the web server from /opt/CA/WorkloadAutomationAE/autouser.$AUTOSERV/webserver/conf/server.xml

<Connector SSLEnabled="true"
           acceptCount="100"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
           clientAuth="false"
           keystoreFile="/opt/CA/WorkloadAutomationAE/autouser.R12/webserver/conf/.keystore"
           keystorePass="changeit"
           keystoreType="BCFKS"
           maxThreads="400"
           port="9443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           relaxedQueryChars="|&lt;&gt;"
           scheme="https"
           secure="true"
           sslProtocol="TLS"/>

 

2) Assuming your Autosys instance name is ACE (change ACE in the below command to appropriate instance name), list the keystore contents:

/opt/CA/WorkloadAutomationAE/jre/bin/keytool -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath  $AUTOUSER/webserver/webapps/AEWS/WEB-INF/lib/bc-fips.jar -keystore $AUTOUSER/webserver/conf/.keystore -list -storepass changeit -storetype BCFKS -v

 

3) Stop the Autosys web server first:

unisrvcntr stop waae_webserver.ACE

 

4) Back up the keystore identified above:

mv $AUTOUSER/webserver/conf/.keystore $AUTOUSER/webserver/conf/.keystore__bkp

 

5) Migrate the pre-upgrade keystore to r12 manually:

/opt/CA/WorkloadAutomationAE/jre/bin/keytool -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $AUTOUSER/webserver/webapps/AEWS/WEB-INF/lib/bc-fips.jar -v  -importkeystore -srckeystore $SOURCEFOLDER/.keystore -srcstoretype JKS -srcstorepass "changeit" -destkeystore $AUTOUSER/webserver/conf/.keystore -deststoretype BCFKS -deststorepass "changeit" 

$SOURCEFOLDER in the above command is the /opt/CA/WorkloadAutomationAE/WorkloadAutomationAE_bkp_****** folder, which was created by the Autosys 12.x upgrade process.

 

6) Once the above command has completed, verify the contents of the .keystore file by repeating Step 2 above.

 

7) If the keystore has the proper contents, restart the Autosys web server (unisrvcntr start waae_webserver.ACE) and retest whether the port is now available.

 

8) If the above still gives problems, requesting a brand new certificate is the best route. Follow the steps in https://techdocs.broadcom.com/us/en/ca-enterprise-software/intelligent-automation/autosys-workload-automation/12-0/securing/customize-ssl-for-web-services.html to get a new self-signed certificate or a vendor-issued certificate.
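
For the verification in Step 6, the script below is an added example (not part of the original article or the product) that compares two saved `keytool -list -v` listings, one from the pre-upgrade JKS keystore and one from the migrated BCFKS keystore, and prints any entry that did not carry over. The function names, the alias "webserver" and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Broadcom code. Function names and sample data are hypothetical.

# list_entries: read `keytool -list -v` output on stdin and print one
# "alias entry-type" pair per keystore entry, sorted.
list_entries() {
    awk '
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / { print alias, substr($0, 13) }
    ' | sort
}

# missing_entries SRC_LISTING DEST_LISTING: print entries present in the
# pre-upgrade listing that are absent (or have a different type) in the
# migrated one.
missing_entries() {
    src=$(mktemp) dst=$(mktemp)
    list_entries < "$1" > "$src"
    list_entries < "$2" > "$dst"
    comm -23 "$src" "$dst"
    rm -f "$src" "$dst"
}

# Constructed sample listings, trimmed to the fields the parser reads.
sample_source_listing() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

Alias name: rootca
Creation date: May 22, 2021
Entry type: trustedCertEntry

Alias name: webserver
Creation date: May 22, 2021
Entry type: PrivateKeyEntry
EOF
}
sample_dest_listing() {
    cat <<'EOF'
Keystore type: BCFKS
Your keystore contains 1 entry

Alias name: webserver
Creation date: May 22, 2021
Entry type: PrivateKeyEntry
EOF
}

s=$(mktemp); d=$(mktemp)
sample_source_listing > "$s"; sample_dest_listing > "$d"
echo "Entries missing from the migrated keystore:"
missing_entries "$s" "$d"
rm -f "$s" "$d"
```

To use it on a real system, redirect the output of the Step 2 command (and the equivalent listing of $SOURCEFOLDER/.keystore with -storetype JKS) to two files and pass them to missing_entries.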