Switch to HTTPS - Execution Servers Cannot Reconnect


Article ID: 222018


Updated On:

Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

After following the instructions in the two KB articles below, my NAC and NES are failing to connect over 8443/HTTPS.

How To Connect Management Server To Execution Servers Using SSL

and

Disable Management Server Port 8080

Cause

The problem was caused by a mismatch between the SSL certificates used by the NAC and the NES.

Detail:

After applying 6.7.0.398, the environment in question experienced a problem with agents becoming unreachable. That problem, a solution and a workaround are described in this KB: Nolio Agents Unreachable After 6.7.0.b398

The workaround was applied to the environment in question, which means the NES servers are still using the old/expired certificates. So when the NAC (which has the new certificate and trusts only that) connects to the NES over HTTPS/8443 and the NES presents the old certificate, the TLS handshake fails and the following error is written to logs/active_mq_nes.log on the NES. Note that "Received fatal alert" means the alert was sent by the peer: it is the NAC that rejected the certificate the NES presented, because that certificate does not match what the NAC's new truststore expects.

- Could not accept connection from null: java.io.IOException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown


Environment

Release : 6.7

Component : CA RELEASE AUTOMATION ADMINISTRATION


Resolution

There are several ways to solve this. The first option is the standard/official one; the others should work but have not been fully tested/certified. The options are:

  1. Use the solution outlined in Nolio Agents Unreachable After 6.7.0.b398. This way the NES goes back to using the new certs and the NAC can connect to the NES without any special changes.
  2. Use the old nolio.jks on the management server. Not recommended: this puts the old/expired certificate back on the NAC instead of moving the NES forward to the new one.
  3. Configure Tomcat on the NAC and NES to use the new nolio.jks certificates. How this can be done is described in more detail below.
  4. Implement your own custom certificates on the Management and Execution Servers. This can be accomplished by following the steps outlined in the documentation, here: Secure Communications
    • The following KB (ignoring references to ASAP, as 6.7 no longer has ASAP) can be used as a companion to the "Secure Communications" page to explain some of the technical aspects touched on by its "Secure UI Communication" section: Secure Communications With Signed Certificates


Option Detail: Configure Tomcat On NAC and NES to use the new nolio.jks certificates

First, no changes should be needed on the NAC for this option: if 6.7.0.398 is applied, the NAC already has the new certificate in place and is using it.

Next, these steps assume that the steps in the "Workaround" section of Nolio Agents Unreachable After 6.7.0.b398 were applied.

To use this option, the following changes are needed on each NES that you want to connect to via HTTPS/8443:

  1. Make sure that the new certs in the NES/conf folder are named nolionew.jks and keystorenew.jks AND that the old/expired certs are in the same folder and are named nolio.jks and keystore.jks.
  2. Update conf/server.xml:
    • Update the 8443 connector to use keystoreFile=conf/nolionew.jks
  3. Modify two lines in webapps/execution/WEB-INF/jms.properties:
    • jms.key.store=conf/keyStorenew.jks
    • jms.trust.store=conf/nolionew.jks
    • These paths are case-sensitive on Linux: the name written here must match the file name in conf/ from step 1 exactly, or the NES will not find the keystore after the restart.
  4. Modify one line in webapps/execution/WEB-INF/distributed.properties:
    • jmx.web.console.ssl.keystore.path=conf//nolionew.jks
  5. Modify webapps/execution/WEB-INF/activemq-broker-nes.xml:
    • uncomment bean id="sslPassword"
    • uncomment amq:sslContext
    • uncomment amq:transportConnector name="ssl" uri="nio+ssl://..."
    • comment out amq:transportConnector uri="nio://..."
  6. Restart the NES service.
  7. Change the NES configuration in the ROC UI to use port 8443 and the HTTPS protocol.
    • After the restart, logs/active_mq_nes.log on the NES should no longer show the certificate_unknown alert when the NAC connects.
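The script below is an added example, not code from this KB or from the Nolio product. It applies the NES-side edits of steps 1 to 4 to the files named above and then checks that every keystore path those files now contain really exists under the NES root, which is exactly where a keystorenew.jks versus keyStorenew.jks mismatch would otherwise surface only at the next restart. Assumptions: the NES root is passed as an argument, server.xml carries the 8443 keystore as keystoreFile="conf/nolio.jks" (the real file's layout may differ), the new key store uses the lower-case name from step 1, and the distributed.properties value is written with a single slash (conf//nolionew.jks names the same file). Step 5, the comment/uncomment edit in activemq-broker-nes.xml, is left to be done by hand. The NES tree it runs against at the bottom is a constructed stand-in with empty placeholder .jks files.

```shell
#!/bin/sh
# Added example (not from the KB or the product): apply the NES-side keystore
# edits of steps 1-4, then verify that every keystore path the config files name
# exists on disk. NES root is an argument; server.xml layout is assumed.
set -eu

# Rewrite a file through a temp file; `sed -i` is not POSIX.
edit_in_place() {  # usage: edit_in_place FILE SED-ARGS...
  f="$1"; shift
  sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Steps 1-4: check both keystore pairs are present, then repoint Tomcat, JMS and
# the JMX web console at the new files (names assumed as in step 1).
apply_nes_new_keystores() {  # usage: apply_nes_new_keystores NES-ROOT
  nes="$1"
  for f in nolionew.jks keystorenew.jks nolio.jks keystore.jks; do
    [ -f "$nes/conf/$f" ] || { echo "missing $nes/conf/$f" >&2; return 1; }
  done
  edit_in_place "$nes/conf/server.xml" \
    -e 's#keystoreFile="conf/nolio\.jks"#keystoreFile="conf/nolionew.jks"#'
  edit_in_place "$nes/webapps/execution/WEB-INF/jms.properties" \
    -e 's#^jms\.key\.store=.*#jms.key.store=conf/keystorenew.jks#' \
    -e 's#^jms\.trust\.store=.*#jms.trust.store=conf/nolionew.jks#'
  edit_in_place "$nes/webapps/execution/WEB-INF/distributed.properties" \
    -e 's#^jmx\.web\.console\.ssl\.keystore\.path=.*#jmx.web.console.ssl.keystore.path=conf/nolionew.jks#'
}

# Pull every keystore path out of the three files and test it against the disk.
# Exact match, case included, as the JVM does on Linux: writing keyStorenew.jks
# for a file called keystorenew.jks is reported here, not after the restart.
verify_nes_tls_paths() {  # usage: verify_nes_tls_paths NES-ROOT
  nes="$1"; rc=0
  paths=$(
    sed -n 's/.*keystoreFile="\([^"]*\)".*/\1/p' "$nes/conf/server.xml"
    sed -n -e 's/^jms\.key\.store=//p' -e 's/^jms\.trust\.store=//p' \
      "$nes/webapps/execution/WEB-INF/jms.properties"
    sed -n 's/^jmx\.web\.console\.ssl\.keystore\.path=//p' \
      "$nes/webapps/execution/WEB-INF/distributed.properties"
  )
  for p in $paths; do
    if [ -f "$nes/$p" ]; then
      echo "ok       $p"
    else
      echo "MISSING  $p (not found under $nes)" >&2; rc=1
    fi
  done
  return $rc
}

# Constructed stand-in for an NES tree so the script runs offline. The .jks
# files are empty placeholders; only their names matter to this check.
make_nes_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/conf" "$root/webapps/execution/WEB-INF"
  for f in nolio.jks keystore.jks nolionew.jks keystorenew.jks; do
    : > "$root/conf/$f"
  done
  printf '%s\n' '<Connector port="8443" SSLEnabled="true" keystoreFile="conf/nolio.jks" />' \
    > "$root/conf/server.xml"
  printf 'jms.key.store=conf/keystore.jks\njms.trust.store=conf/nolio.jks\n' \
    > "$root/webapps/execution/WEB-INF/jms.properties"
  printf 'jmx.web.console.ssl.keystore.path=conf/nolio.jks\n' \
    > "$root/webapps/execution/WEB-INF/distributed.properties"
  echo "$root"
}

# Demo on the constructed tree; on a real NES call the two functions with its root.
demo_root=$(make_nes_fixture)
apply_nes_new_keystores "$demo_root"
verify_nes_tls_paths "$demo_root"
```

Run verify_nes_tls_paths against the NES root before step 6; a MISSING line means the restart would bring the NES up without its keystore, so fix the name first.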