How to import a third-party Certificate Authority into Aria Suite Lifecycle

Article ID: 380595

Products

VMware Aria Suite

Issue/Introduction

When you try to establish a secure connection to an endpoint or host that presents an unknown certificate chain, Aria Suite Lifecycle (LCM) is unable to validate the chain.

 
Log Snippet (vrlcm.log)
 
2024-10-21T12:15:59.037Z ERROR vrlcm[1254] [http-nio-8080-exec-7] [c.v.v.l.l.s.LoadBalancerServiceImpl]  -- Error occurred while trying to authenticate to the Avi Controller
org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
...
Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:298) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkTrusted(ProvX509TrustManager.java:257) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkServerTrusted(ProvX509TrustManager.java:158) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
        at org.bouncycastle.jsse.provider.ExportX509TrustManager_7.checkServerTrusted(ExportX509TrustManager_7.java:49) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
        at org.apache.http.ssl.SSLContextBuilder$TrustManagerDelegate.checkServerTrusted(SSLContextBuilder.java:413) ~[aria-cloud-edition-common-library11-1.0.0-SNAPSHOT.jar!/:?]
        at org.bouncycastle.jsse.provider.ImportX509TrustManager_5.checkServerTrusted(ImportX509TrustManager_5.java:68) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
        at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.checkServerTrusted(ProvSSLSocketWrap.java:126) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
        ... 176 more
Caused by: java.security.cert.CertPathBuilderException: Unable to find certificate chain.
 
Use case:
You want to add a Load Balancer whose certificate is issued by an unknown CA (unknown to Aria Suite Lifecycle).
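
To confirm from the log that an integration is failing for this reason, the added example below (not VMware code) scans vrlcm.log for the two chain-building errors shown in the snippet above and prints the timestamp, logger and message of each affected event. The function names and the two events marked "Constructed" are assumptions, as is the header layout, which is taken from the single log line in this article.

```shell
#!/bin/sh
# Added example (not VMware code): list vrlcm.log events whose stack trace
# shows a certificate-chain validation failure, one line per event.

# Prints "timestamp|logger|message". Reads the files given as arguments,
# or stdin when called without arguments.
find_chain_failures() {
    awk '
        # A new log event starts with an ISO-8601 timestamp; remember its header.
        /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/ {
            ts = $1
            logger = substr($5, 2, length($5) - 2)   # strip [ and ]
            sep = index($0, " -- ")
            msg = (sep > 0) ? substr($0, sep + 4) : ""
            reported = 0
            next
        }
        # Continuation lines: the two chain-building errors from the trace.
        /Unable to (construct a valid chain|find certificate chain)/ {
            if (ts != "" && !reported) {
                print ts "|" logger "|" msg
                reported = 1                         # one line per event
            }
        }
    ' "$@"
}

# Constructed sample: the event from this article (trace shortened) between
# two made-up events that must not be reported.
sample_log() {
    cat <<'EOF'
2024-10-21T12:15:58.100Z INFO vrlcm[1254] [http-nio-8080-exec-7] [c.example.SampleService]  -- Constructed: request received
2024-10-21T12:15:59.037Z ERROR vrlcm[1254] [http-nio-8080-exec-7] [c.v.v.l.l.s.LoadBalancerServiceImpl]  -- Error occurred while trying to authenticate to the Avi Controller
org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:298)
Caused by: java.security.cert.CertPathBuilderException: Unable to find certificate chain.
2024-10-21T12:16:03.512Z ERROR vrlcm[1254] [http-nio-8080-exec-9] [c.example.SampleService]  -- Constructed: connection timed out
java.net.SocketTimeoutException: connect timed out
EOF
}

sample_log | find_chain_failures
```

On the appliance, pass the path to vrlcm.log as the argument to find_chain_failures instead of piping in the sample.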

Environment

VMware Aria Suite Lifecycle 8.x

Cause

The certificate is marked as invalid because Aria Suite Lifecycle does not have all the CAs in the certificate chain.

Resolution

If you cannot import the certificate into the LCM locker because you do not have the private key, you can add the certificate to the Aria Suite Lifecycle key tool using the following steps:

Prerequisites
Take a snapshot of the Aria Suite Lifecycle appliance.

Procedure

1. SSH / PuTTY into one Aria Automation virtual appliance in the cluster
2. Run the following command, which executes the script:

bash -c "$(base64 -d <<< "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")"