PAM Will Not Start; boot.log shows "Failed to Decrypt Data" Error

Article ID: 249597

Updated On: 05-06-2024

Products

CA Process Automation Base Process Automation Manager

Issue/Introduction

Issues were encountered connecting to PAM in the Test environment from other applications because the certificate in the keystore had expired. The Qual and Prod environments had self-signed certificates that were good for 100 years, so the steps in the documentation (Create and Implement a Self-Signed Certificate) were followed to generate a new self-signed certificate. However, after doing so, PAM failed to start, and when checking the boot.log file I found the following error:

13:25:25,447 ERROR [StartUpInterceptor] Decrypt using DES failed org.bouncycastle.jcajce.provider.BaseSingleBlockCipher$BadBlockException: unable to decrypt block Decrypting using AES
13:25:25,456 ERROR [StartUpInterceptor] Failed to decrypt data
java.io.IOException: org.bouncycastle.jcajce.provider.BaseSingleBlockCipher$BadBlockException: unable to decrypt block
 at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:128)


A number of different ways to generate the keystore and self-signed certificate were tried, but nothing seemed to work. The OasisConfig.properties file was reverted to its original settings, the jars were re-signed using SignC2OJars.bat, and the ITPAM application was able to start up normally again. However, even reverting the OasisConfig.properties file and re-signing the jars did not restore communication to Service Desk and Catalog.

ITPAM was uninstalled and reinstalled and it was then able to start up and run.

The Service Desk connector for ITPAM was downloaded from the download center (the Broadcom Support Website) and installed and configured using the installation and configuration instructions in CA Service Management Solution Integration.

The itpam.cer was imported into the SDM keystore, so it should have a valid certification path.

When testing the communication between ITPAM and Service Desk, an ITPAM process was run that just queries SDM to see if the values were correct, but the error “Message send failed” was returned to ITPAM. Checking the connection from the SDM side, the error message says “There is a problem accessing CA IT PAM Workflow - please try again or contact the administrator. Details: ; nested exception is: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”.

The test from CA Service Catalog was successful using the option on the Configuration tab for CA Process Automation. A request was submitted to see how it would go and, as expected, SC did trigger the PAM process, but when it got to the step where it needed to log into SDM, it stalled with the same “SOAP invocation failed: java.security.PrivilegedActionException: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed” error received on the other tests.

Environment

Release : 4.3

Component : Process Automation

Cause

It was discovered that something had changed with the load balancer: the certificate presented when navigating to the vanity URLs was a different version of the real certificate, not the same one installed on the F5. Because the certificate actually served did not match the one that had been imported into the SDM keystore, the PKIX path building error was returned.
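The check that exposes this mismatch is to compare the certificate the vanity URL actually serves with the entries in the SDM truststore. The script below is an added example, not part of this article or of the product tooling; it assumes the truststore entries were exported to one PEM file (for instance with `keytool -exportcert -rfc`) and that the host and file path are supplied on the command line.

```python
"""Compare the certificate a host actually presents with those in a PEM trust
bundle, to catch a load balancer serving a different certificate than the one
imported into the keystore. Added example; the bundle format is an assumption."""
import base64
import hashlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder bundle: the body is base64 of b"abc", not a real
# certificate, so the fingerprint logic can be exercised offline.
CONSTRUCTED_BUNDLE = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def der_certs_from_pem(pem_text):
    """Return the raw DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def sha256_fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form that keytool -list -v prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_served_cert(served_der, trusted_pem):
    """Return (is_trusted, served_fingerprint, sorted trusted fingerprints)."""
    trusted = {sha256_fingerprint(d) for d in der_certs_from_pem(trusted_pem)}
    served_fp = sha256_fingerprint(served_der)
    return served_fp in trusted, served_fp, sorted(trusted)


def fetch_served_cert(host, port=443):
    """Fetch the leaf certificate the host presents. SNI is sent, so a load
    balancer answers as it would for the vanity URL; verification is off on
    purpose, because the point is to see what is served, not to trust it."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    # usage: python check_cert.py <vanity-host> <exported-truststore.pem>
    host, bundle_path = sys.argv[1], sys.argv[2]
    with open(bundle_path) as f:
        ok, served, trusted = check_served_cert(fetch_served_cert(host), f.read())
    print(f"served by {host}: {served}")
    print("trusted:", *trusted, sep="\n  ")
    print("MATCH" if ok else "MISMATCH: host presents a certificate that is not in the truststore")
```

A MISMATCH result with a server whose handshake otherwise succeeds is exactly the situation described above, and the printed fingerprints show which certificate the F5 is actually returning.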

Resolution

The corrected certificate was provided and installed. After recycling services, the keystore was populated on all SDM servers. After this, communication between ITPAM and Service Desk was restored and working properly.