V21 - No connection to the following CPs | No subject alternative names present

Products

CA Automic One Automation

Issue/Introduction

When attempting to connect to the AWI on version 21 where TLS is required, the following error shows in the AWI:

Connection to the AE system not possible. No connection to the following CPs could be established: [IP Adress]:8443

The AWI logs show the following:

2021-10-18 20:06:15,674 pool-1-thread-1 [DEBUG] NOLOGIN/- node0idhup65y46bawl6pqg7f52c70-0 +1 [com.uc4.ecc.backends.impl.dataservice.connection.ConnectionService] - Attempting to connect to Automation Engine at '[IP]:8443'...
2021-10-18 20:06:16,273 pool-1-thread-1 [DEBUG] NOLOGIN/- node0idhup65y46bawl6pqg7f52c70-0 +1 [com.uc4.ecc.backends.impl.dataservice.connection.ConnectionService] - Attempt to close connection made, but parameter is null.
2021-10-18 20:06:16,275 pool-1-thread-1 [DEBUG] NOLOGIN/- node0idhup65y46bawl6pqg7f52c70-0 +1 [com.uc4.ecc.backends.impl.dataservice.connection.ConnectionService] - Connection to Automation Engine failed at '[IP]:8443'.
java.util.concurrent.ExecutionException: java.io.IOException: Failed to connect to [IP]:8443
at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:205)
at com.uc4.ecc.backends.connection.ProductionConnectionFactory.open(ProductionConnectionFactory.java:97)
at com.uc4.ecc.backends.connection.ProductionConnectionFactory.createConnection(ProductionConnectionFactory.java:48)
at com.uc4.ecc.backends.Backend.createConnection(Backend.java:107)
at com.uc4.ecc.backends.impl.dataservice.connection.ConnectionService.connect(ConnectionService.java:72)
at com.uc4.ecc.backends.dataservice.connection.IConnectionService$pbryglu.connect(Unknown Source)
at com.uc4.ecc.plugins.login.api.BaseAutomationEngineLoginBehaviour.initiateLogin(BaseAutomationEngineLoginBehaviour.java:63)
at com.uc4.ecc.plugins.login.api.BaseAutomationEngineLoginBehaviour.initiateLogin(BaseAutomationEngineLoginBehaviour.java:40)
at com.uc4.ecc.plugins.login.backend.LoginService.login(LoginService.java:100)
at com.uc4.ecc.plugins.login.api.ILoginService$pbryglu.login(Unknown Source)
at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.performAutomationEngineLogin(LoginDialogPresenter.java:266)
at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.login(LoginDialogPresenter.java:231)
at com.uc4.ecc.framework.core.async.BaseRequestCoordinator$1$1.call(BaseRequestCoordinator.java:237)
at com.uc4.ecc.framework.core.pool.ContextAwareExecutorService$CallableImplementation.call(ContextAwareExecutorService.java:75)
at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:125)
at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:69)
at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:78)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.io.IOException: Failed to connect to [IP]:8443
at com.uc4.communication.WebSocketConnection.<init>(WebSocketConnection.java:235)
at com.uc4.communication.Connection.<init>(Connection.java:52)
at com.uc4.communication.Connection.open(Connection.java:160)
at com.uc4.ecc.backends.connection.ProductionConnectionFactory$2.call(ProductionConnectionFactory.java:77)
at com.uc4.ecc.backends.connection.ProductionConnectionFactory$2.call(ProductionConnectionFactory.java:68)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
... 3 common frames omitted
Caused by: java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: No subject alternative names present
at java.base/java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:396)
at java.base/java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2096)
at com.uc4.communication.WebSocketConnection.<init>(WebSocketConnection.java:214)
... 8 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:371)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:314)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:309)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:712)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:639)
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:164)
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:79)
at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:131)
at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:169)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
... 1 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative names present
at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:426)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:292)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
... 23 common frames omitted

Cause

This is caused by a mismatch between the keystore IP/DNS/FQDN and what is specified in the uc4config.xml file

Resolution

Have a security admin open the keystore and check the cn or common name assigned to the certificate/keystore. At least one CN needs to match what is in the uc4config.xml file for the AWI.

For example if the cn is FQDN.automic.com and the uc4config.xml file shows:

These do not match. Either the IP address, ##.##.###.###, must be added to the list of common names (an admin is needed for this), or the uc4config.xml file must be updated to use: