After upgrading a Linux agent from 12.3 to 21.0, the agent will not start. The log file shows the following:
U02000072 Connection to system ‘SYSTEM’ initiated.
U02000379 Initiating connection to server ‘SYSTEM’ using websocket URI: SERVERNAME:8443/agent’.
U02000377 Certificate loading from file …
…
U02000398 Loading certificated from the directory ‘./security’ that is specified in the parameter ‘AgentSecurityFolder’.
U02000376 Could not parse certificate ‘./security/AGENTNAME.pem’. Please make sure that the certificated in PEM format.
U02000313 Communication error with partner ‘*SERVER’, error: ‘TLS-handshake/337047585(certificate verify failed (SSL routines, tls_process_server_certificate))’.
U02000010 Connection to Server ‘SYSTEM/unknown’ terminated.
U02000010 Connection to server ‘SYSTEM/[IP ADDRESS]:8443’ terminated.
U02000074 Connecting to system ‘SYSTEM’ is not possible.
U02003073 Agent Prozess ‘AGENT,PID=136418’ shutdown has been initiated.
U02000041 Shutdown agent ‘AGENTNAME’.
U02000002 Agent ‘AGENTNAME’ version ’21.0.3+hf.1.build.23’ ended abnormally
The agent originally showed up in the Administration perspective as 12.3. After deleting the agent from the AWI, the error persists.
Release : 21.0
Component: Automation Engine
Sub-Component: Agent Unix
Three possible causes:
Missing SAN (DNS) in the Server Certificate in SSLCertDir
The agent's ini file has an incorrect or missing trustedCertFolder= setting being used to connect to the JCP
There is a missing intermediary or root certificate
Keystore is in the wrong format (JKS vs PKCS12)
To see more information about the certificate, go to the server the JCP is on and run the following command:
keytool -v -list -keystore [full path to where the keystore is located]\[keystore filename and extension]
The certificate's SAN needs to include:
IP Address for the AE server
Servername for the AE server
Fully qualified domain name (FQDN) for the AE server
Intermediary and root certificates (if an internal CA or a self-signed certificate is used) should also be present in the SSLCertDir or trustedCertFolder
trustedCertFolder= must be the correct folder where the certificate that matches the JCP keystore is located
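The SAN requirement above can be checked from a shell before restarting the agent. This is an added example, not part of the original article or of the Automic tooling; the function names, the file name server.pem, and the sample host name and address are assumptions made for illustration.

```shell
#!/bin/sh
# Input for missing_sans is the text printed by:
#   openssl x509 -in server.pem -noout -ext subjectAltName
# (server.pem is a placeholder for the JCP server certificate exported as PEM.)

# Print one normalized SAN entry per line, e.g. "dns:host" or "ip:192.0.2.10".
san_entries() {
    grep -v 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^IP Address:/IP:/' \
        | grep -E '^(DNS|IP):' \
        | tr '[:upper:]' '[:lower:]'
}

# missing_sans SAN_TEXT IP SHORTNAME FQDN
# Prints the required entries that are absent from the SAN text.
# Returns 0 only when the IP address, server name and FQDN are all present.
missing_sans() {
    san_text=$1 ip=$2 short=$3 fqdn=$4
    have=$(printf '%s\n' "$san_text" | san_entries)
    missing=""
    for want in "IP:$ip" "DNS:$short" "DNS:$fqdn"; do
        # DNS names are case-insensitive, so compare in lower case.
        want_lc=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
        if ! printf '%s\n' "$have" | grep -Fxq -- "$want_lc"; then
            missing="$missing $want"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Constructed sample (not from a real server): only the FQDN is in the SAN.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:aeserver.example.com'

missing_sans "$SAMPLE_SAN" 192.0.2.10 aeserver aeserver.example.com \
    || echo "SAN entries listed above are missing from the certificate"
```

An exact line match is used so that a SAN of aeserver.example.com does not count as covering the short name aeserver.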