Unable to contact the Data Aggregator after an upgrade when configured to use https

Article ID: 231760


Products

CA Performance Management - Usage and Administration
DX NetOps

Issue/Introduction

Unable to start the Data Aggregator after an upgrade

Data Aggregator shows as failed after an upgrade

The certificate used on the Data Aggregator (DA) is configured to use multiple Subject Alternative Names (SAN)

REST calls fail with no response when configured for https, but succeed when reverted to http.

The following error is shown in the karaf.log:

Could not start the servlet context for context path []
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

Environment

Release : 21.2.3+

Component : PMAGGR

Cause

The newly required $Server parameter is missing. It is required when the Data Aggregator uses HTTPS with a certificate that has multiple Subject Alternative Name (SAN) entries.

Resolution

This issue has been fixed in DX NetOps 21.2.7 and later:

Symptom: When using an HTTPS certificate with multiple Subject Alternate Name entries with the Data Aggregator, an exception is thrown with the following message: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory.

Resolution: With this fix, the jetty XML has been upgraded, and now uses the org.eclipse.jetty.util.ssl.SslContextFactory$Server class that supports multiple Subject Alternate Name entries in the certificate.
(21.2.7, DE524843, 32973477)


Additional Information

WORKAROUND for versions 21.2.3 through 21.2.6:

Note: This must be done on BOTH Data Aggregators if using Fault Tolerance.

1. Edit /opt/IMDataAggregator/apache-karaf-*/etc/jetty.xml

2. Change this entry:

<New id="sslContextFactory"
       class="org.eclipse.jetty.util.ssl.SslContextFactory">

to

<New id="sslContextFactory"
       class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">

3. Restart the dadaemon process, either with systemctl or by forcing a failover if using fault tolerance.
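
Steps 1 and 2 as an idempotent script, added here as an example and not supplied by the vendor; the function name, the .new and .bak file suffixes and the status strings are assumptions. It edits only the sslContextFactory entry, keeps a backup, and keeps the $ in $Server out of shell expansion and regex interpretation, which is where a hand-typed sed for this change usually goes wrong.

```shell
#!/bin/sh
# Added example (not vendor code): switch the sslContextFactory entry in a
# Karaf jetty.xml to SslContextFactory$Server, keeping a backup of the file.
# Usage: sh fix-jetty.sh /opt/IMDataAggregator/apache-karaf-*/etc/jetty.xml

# Single quotes keep the shell from expanding $Server as a variable.
BASE='class="org\.eclipse\.jetty\.util\.ssl\.SslContextFactory"'
FIXED='class="org.eclipse.jetty.util.ssl.SslContextFactory$Server"'

# Prints patched | already-fixed | not-found (status strings are assumptions).
fix_jetty_ssl_factory() {
    f=$1
    [ -f "$f" ] || { echo "not-found"; return 2; }
    # Limit the substitution to the <New id="sslContextFactory" ...> tag so
    # other uses of the class elsewhere in the file are left alone.
    sed "/<New id=\"sslContextFactory\"/,/>/ s/$BASE/$FIXED/" "$f" > "$f.new" \
        || return 3
    if cmp -s "$f" "$f.new"; then
        # Nothing changed: either the fix is already in place or the entry
        # is missing. -F makes grep treat the '$' as a literal character.
        rm -f "$f.new"
        if grep -qF "$FIXED" "$f"; then echo "already-fixed"; return 0; fi
        echo "not-found"; return 1
    fi
    # Write through the existing file so its owner and mode are preserved.
    cp -p "$f" "$f.bak" && cat "$f.new" > "$f" && rm -f "$f.new" || return 3
    echo "patched"
}

if [ $# -gt 0 ]; then
    for file in "$@"; do
        printf '%s: ' "$file"
        fix_jetty_ssl_factory "$file"
    done
fi
```

Run it on each Data Aggregator when using Fault Tolerance, then restart dadaemon as in step 3.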