After installing PM and VNA 23.3.6, enabling HTTPS with a self-signed certificate on the Portal and VNA, and adding the VNA Gateway to the Portal, the Operational Status was up until we restarted the WildFly service this morning after editing the /opt/CA/VNA/plugins/VeloCloud\ Plugin/config/inventory/edges.perspective file.
DX NetOps Performance Management 23.3.6 and DX NetOps Virtual Network Assurance 23.3.6
The VNA self-signed certificate was not imported into the DC jre/lib/security/cacerts file.
In the /opt/IMDataCollector/apache-karaf-4.4.3/data/log/vna.log file:
ERROR | Grizzly(2) | 2024-02-08T08:48:32,240 | SDNInventory | .impl.SdnInventoryUpdateListener 876 | connectionClosed: | SDN connection 6836 is closed with reason: CloseReason[1001]. Set the OperStatus to DOWN with error code SUCCESS
INFO | Grizzly(2) | 2024-02-08T08:48:32,241 | SDNPerformance | mpl.SdnPerformanceUpdateListener 60 | connectionClosed: | The performance connection of SDN gateway 6836 closed: CloseReason[1001]
INFO | nnector-thread-1 | 2024-02-08T08:53:32,333 | SDNInventory | a.im.dm.sdn.config.SdnGatewayMgr 493 | reconnect: | Failed to reconnect SDN Gateway 6836 with start time: Thu Feb 8 8:45:25 2024 -0300
INFO | nnector-thread-1 | 2024-02-08T08:58:32,355 | SDNInventory | a.im.dm.sdn.config.SdnGatewayMgr 493 | reconnect: | Failed to reconnect SDN Gateway 6836 with start time: Thu Feb 8 8:45:25 2024 -0300
In the /opt/IMDataCollector/apache-karaf-4.4.3/data/log/karaf.log file:
2024-02-08T08:53:32,317 | ERROR | nnector-thread-1 | ExceptionLog | .ca.im.core.util.ExceptionLogger 99 | 37 - com.ca.im.common.core.util - 23.3.6.RELEASE-2 | | A NEW application exception occurred (Key=ff1c2249032b6d06f5104e070ef9014e827d34ee) : SDN gateway 6836 inventory listener received an exception : SSL handshake has failed
jakarta.websocket.DeploymentException: SSL handshake has failed
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching <vna_hostname> found.
Export the self-signed certificate from the VNA and import it into the DC jre/lib/security/cacerts file.
First, we also added the short hostname to the SAN (Subject Alternative Name), as it doesn't use CN on the VNA host:
Then export the certificate on the VNA host:
cd /opt/CA/VNA/wildfly/standalone/configuration/
keytool -export -keystore keystore.jks -alias cavna -file vna.cer
Then import the certificate to the DC host:
cd /opt/IMDataCollector/jre/lib/security
keytool -importcert -alias cavna -file vna.cer -keystore cacerts
curl -u admin:PASSWORD -X GET --header 'Accept:text/plain' http://127.0.0.1:8080/vna/rest/v1/admin/ping
curl -k -u admin:PASSWORD -X GET --header 'Accept:text/plain' https://127.0.0.1:8443/vna/rest/v1/admin/ping
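The SAN requirement behind the "No subject alternative DNS name matching" error can be checked against the certificate text before importing it. The following is an added example, not code from this article or from the vendor: it parses constructed `keytool -printcert` output and tests whether a name is covered by a DNSName entry, including wildcard entries, which goes slightly beyond the case described above. The host names (`vna01`, `example.com`) and the function names `san_dns_names` and `host_in_san` are assumptions made for illustration.

```bash
# Added example (not vendor code): is the name the Data Collector connects to
# present as a DNSName in the VNA certificate's SAN? The CN is not consulted.

# Constructed sample of `keytool -printcert -file vna.cer` output; the host
# names are placeholders, not values from the article.
SAMPLE_CERT_TEXT='Owner: CN=vna01, OU=NetOps, O=Example
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: vna01.example.com
  DNSName: *.lab.example.com
]'

# Print one lower-cased DNSName per line from keytool -printcert text.
san_dns_names() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*DNSName:[[:space:]]*//p' | tr 'A-Z' 'a-z'
}

# Return 0 if host ($1) matches a SAN DNSName in cert text ($2), else 1.
# A wildcard entry covers exactly one left-most label.
host_in_san() {
  local host name suffix left
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    [ "$name" = "$host" ] && return 0
    case "$name" in
      '*.'*)
        suffix=${name#\*}        # e.g. ".lab.example.com"
        left=${host%"$suffix"}   # unchanged when host lacks the suffix
        if [ "$left" != "$host" ] && [ -n "$left" ] &&
           [ "${left#*.}" = "$left" ]; then
          return 0
        fi ;;
    esac
  done <<EOF
$(san_dns_names "$2")
EOF
  return 1
}

# Short name fails even though it equals the CN; the FQDN is listed in SAN.
for h in vna01 vna01.example.com; do
  host_in_san "$h" "$SAMPLE_CERT_TEXT" && echo "$h: in SAN" || echo "$h: NOT in SAN"
done
```

To check a real certificate, pass the output of `keytool -printcert -file vna.cer` as the second argument and the gateway name configured in the Portal as the first.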