VNA Gateway Operational Status is down after restarting the wildfly service

Article ID: 279047


Products

Network Observability CA Performance Management

Issue/Introduction

After installing PM and VNA 23.3.6, enabling HTTPS with a self-signed certificate on the Portal and VNA, and adding the VNA Gateway to the Portal, the Operational Status was up. It went down after we restarted the wildfly service this morning, following an edit to the /opt/CA/VNA/plugins/VeloCloud\ Plugin/config/inventory/edges.perspective file.

Environment

DX NetOps Performance Management and DX NetOps Virtual Network Assurance: Any version

Cause

The VNA self-signed certificate was not imported into the DC jre/lib/security/cacerts file.

In the /opt/IMDataCollector/apache-karaf-4.4.3/data/log/vna.log file:

ERROR | Grizzly(2)       | 2024-02-08T08:48:32,240 | SDNInventory | .impl.SdnInventoryUpdateListener  876 | connectionClosed: | SDN connection 6836 is closed with reason: CloseReason[1001].  Set the OperStatus to DOWN with error code SUCCESS
INFO  | Grizzly(2)       | 2024-02-08T08:48:32,241 | SDNPerformance | mpl.SdnPerformanceUpdateListener   60 | connectionClosed: | The performance connection of SDN gateway 6836 closed: CloseReason[1001]
INFO  | nnector-thread-1 | 2024-02-08T08:53:32,333 | SDNInventory | a.im.dm.sdn.config.SdnGatewayMgr  493 | reconnect: | Failed to reconnect SDN Gateway 6836 with start time: Thu Feb 8 8:45:25 2024 -0300
INFO  | nnector-thread-1 | 2024-02-08T08:58:32,355 | SDNInventory | a.im.dm.sdn.config.SdnGatewayMgr  493 | reconnect: | Failed to reconnect SDN Gateway 6836 with start time: Thu Feb 8 8:45:25 2024 -0300

In the /opt/IMDataCollector/apache-karaf-4.4.3/data/log/karaf.log file:

2024-02-08T08:53:32,317 | ERROR | nnector-thread-1 | ExceptionLog                     | .ca.im.core.util.ExceptionLogger   99 | 37 - com.ca.im.common.core.util - 23.3.6.RELEASE-2 |  | A NEW application exception occurred (Key=########################) : SDN gateway 6836 inventory listener received an exception : SSL handshake has failed
jakarta.websocket.DeploymentException: SSL handshake has failed

Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching <vna_hostname> found.

Resolution

Export the self-signed certificate from the VNA and import it into the DC jre/lib/security/cacerts file.

First, on the VNA host, we also added the short hostname to the SAN (Subject Alternative Name) when generating the certificate, because the CN is not used for hostname matching:

keytool -genkey -alias cavna -keyalg RSA -keysize 2048 -validity 730 -dname "CN=<VNA_hostname>, OU=<Organization_Unit>, O=<Organization>, L=<Location>, ST=<State>, C=<Country_two_chars>" -ext "SAN=IP:xx.yy.ww.zz,dns:<short_hostname>,dns:<FQHN>" -keystore /data/CA/VNA/wildfly/standalone/configuration/keystore.jks

Restart the Wildfly service:

systemctl stop wildfly

systemctl start wildfly

Then export the certificate on the VNA host:

cd /opt/CA/VNA/wildfly/standalone/configuration/

keytool -export -keystore keystore.jks -alias cavna -file vna.cer

Then import the certificate on the DC host (with vna.cer copied to this directory):

cd /opt/IMDataCollector/jre/lib/security

keytool -importcert -alias cavna -file vna.cer -keystore cacerts

If needed, restart the Data Collector:

systemctl stop dcmd

systemctl start dcmd
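
The SSLHandshakeException above is a hostname-verification failure, so before exporting the certificate it is worth confirming that the SAN lists the exact name the DC uses for the gateway. The following check is an added example, not part of the original article or the product: san_names and san_covers are hypothetical helpers that parse keytool -printcert output, and the hostnames and IP address are constructed sample values.

```shell
#!/bin/sh
# Added example. The two keytool -printcert excerpts are constructed samples.

# Print each DNSName/IPAddress entry of the SubjectAlternativeName extension
# found in keytool -printcert output on stdin, one per line, lower-cased.
san_names() {
  awk '
    $1 == "SubjectAlternativeName" { in_san = 1; next }
    in_san && $1 == "]"            { in_san = 0 }
    in_san && ($1 == "DNSName:" || $1 == "IPAddress:") { print tolower($2) }
  '
}

# Exit 0 if the name the DC connects to ($1) is listed in the SAN on stdin.
# Exact, case-insensitive match only; wildcard entries are not expanded.
san_covers() {
  san_names | grep -Fxqi -- "$1"
}

# Constructed sample: SAN lists only the FQDN.
CERT_FQDN_ONLY='Owner: CN=vna01.example.com, OU=NetOps, O=Example, C=US
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: vna01.example.com
]'

# Constructed sample: SAN as produced by -ext "SAN=IP:...,dns:...,dns:...".
CERT_WITH_SHORT='Owner: CN=vna01.example.com, OU=NetOps, O=Example, C=US
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 192.0.2.10
  DNSName: vna01
  DNSName: vna01.example.com
]'

report() {  # $1 = label, $2 = keytool output, $3 = name configured for the gateway
  if printf '%s\n' "$2" | san_covers "$3"; then
    echo "$1: SAN covers $3"
  else
    echo "$1: no SAN entry for $3; hostname verification will fail"
  fi
}

report "FQDN-only cert" "$CERT_FQDN_ONLY" vna01
report "regenerated cert" "$CERT_WITH_SHORT" vna01
# Against the real file: keytool -printcert -file vna.cer | san_covers <name>
```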

Additional Information

curl -u admin:PASSWORD -X GET --header 'Accept:text/plain' http://127.0.0.1:8080/vna/rest/v1/admin/ping

curl -k -u admin:PASSWORD -X GET --header 'Accept:text/plain' https://127.0.0.1:8443/vna/rest/v1/admin/ping

curl -vk -u<username> https://VNA_host:8443/vna