Hi, due to some LDAP issues I was going to check/change our performance center portal LDAP authentication configuring with the SsoConfig tool. 
However I am getting errors when trying to access "LDAP Authentication" menu. For some reason it states "cannot connect to Dx Netops SSO web service"  But the service is running.
Restart did not help. These are the steps I am trying + the error I get:

SSO Configuration:
1. DX NetOps
Choose an option > 1

SSO Configuration/DX NetOps:
1. LDAP Authentication
2. SAML2 Authentication
3. Performance Center
4. Single Sign-On
5. Test LDAP
6. Export SAML2 Service Provider Metadata
7. Enable FIPS
8. Performance Center Local Password Authentication
9. Enable or Disable a user account.
Choose an option > 1

SSO Configuration/DX NetOps/LDAP Authentication:
Jun 19, 2023 3:53:20 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://netqos.com/SingleSignOnWS}SingleSignOnWSSoapService#{http://netqos.com/SingleSignOnWS}GetPropertyLevel has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Could not send Message.
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:67)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:528)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:439)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:354)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:312)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
        at com.sun.proxy.$Proxy69.getPropertyLevel(Unknown Source)
        at com.ca.sa.sso.config.Utility.getValue(Utility.java:158)
        at com.ca.sa.sso.config.Utility.getCurrentPropertyValue(Utility.java:197)
        at com.ca.sa.sso.config.SsoConfig.priorityMenu(SsoConfig.java:1011)
        at com.ca.sa.sso.config.SsoConfig.categoryMenu(SsoConfig.java:819)
        at com.ca.sa.sso.config.SsoConfig.productMenu(SsoConfig.java:782)
        at com.ca.sa.sso.config.SsoConfig.<init>(SsoConfig.java:751)
        at com.ca.sa.sso.config.SsoConfig.main(SsoConfig.java:73)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.base/java.lang.reflect.Method.invoke(Unknown Source)
        at com.zerog.lax.LAX.launch(Unknown Source)
        at com.zerog.lax.LAX.main(Unknown Source)
Caused by: org.apache.cxf.transport.http.HTTPException: HTTP response '400: Bad Request' when communicating with https://hostname:8182/pc/center/webservice/sso?WSDL
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.doProcessResponseCode(HTTPConduit.java:1643)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1650)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1592)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1389)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:689)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
        ... 21 more

Cannot connect the to DX NetOps SSO Web Service.
Check if DX NetOps is running and retry.

root@hostname:/opt/CA/PerformanceCenter# systemctl status caperfcenter_sso
● caperfcenter_sso.service - DX NetOps Portal SSO
   Loaded: loaded (/etc/systemd/system/caperfcenter_sso.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-06-19 15:47:15 CEST; 6min ago
  Process: 3551 ExecStart=/opt/CA/PerformanceCenter/sso/bin/caperfcenter_sso start sysd (code=exited, status=0/SUCCESS)
  Process: 833 ExecStartPre=/opt/CA/PerformanceCenter/Tools/bin/checkMySQL.sh localhost 3306 (code=exited, status=0/SUCCESS)
 Main PID: 3658 (PerfCenter-sso)
   CGroup: /system.slice/caperfcenter_sso.service
           ├─3658 /opt/CA/PerformanceCenter/sso/bin/PerfCenter-sso /opt/CA/PerformanceCenter/sso/conf/wrapper.conf wrapper.syslog.ident=caperfcenter_sso wrapper.pidfile=/opt/CA/Perfor...
           └─3862 /opt/CA/jre/bin/java -Djetty.home=/opt/CA/PerformanceCenter/jetty -Djetty.base=/opt/CA/PerformanceCenter/sso -Djetty.http.port=8381 -XX:MaxMetaspaceSize=128m -Dorg.a...

Jun 19 15:46:54 hostname systemd[1]: Starting DX NetOps Portal SSO...
Jun 19 15:47:11 hostname caperfcenter_sso[3551]: Starting DX NetOps Portal SSO...
Jun 19 15:47:11 hostname caperfcenter_sso[3551]: CEF:0|Broadcom|DX NetOps Portal SSO|22.2.8|100|STARTING SERVICE|1|user=root
Jun 19 15:47:15 hostname caperfcenter_sso[3551]: Waiting for DX NetOps Portal SSO......
Jun 19 15:47:15 hostname caperfcenter_sso[3551]: running: PID:3658
Jun 19 15:47:15 hostname systemd[1]: Started DX NetOps Portal SSO.
root@hostname:/opt/CA/PerformanceCenter#

Release : 22.2.7+

It is a problem related to Jetty 10 we introduced in 22.2.7;
Jetty 10 implements SNI validation in the client side when SSL is enabled.
SsoConfig tool uses the hostname of the servers when accessing SSO
if the server hostname is not included in the SSL certificate, the server returns an error because the SNI check fails.

Compare the

output of “hostname -f” and
the certificate in use, please.

Initial test:

We expect the
curl -k -v https://$(hostname):8182/pc/center/webservice/sso?WSDL 
will return 400 and SNI error

Workaround is:

1. Edit PC/start.d/ssl.ini

2. add a new line at the end:
   jetty.ssl.sniHostCheck=false

3. restart the portal
   systemctl stop caperfcenter_console
   systemctl start caperfcenter_console
   
   
4. Test curl again:
   curl -k -v https://$(hostname):8182/pc/center/webservice/sso?WSDL 

5. Validate the portal is accessible via HTTPS and you can log in

DE569813

In some cases the communication may be on a different port than above i.e 443 instead of 8182.