Unable to send notifications via HTTPS for ESM monitored properties

Article ID: 42918


Products

STARTER PACK-7, CA Rapid App Security, CA API Gateway

Issue/Introduction

Solution

Background

The CA API Enterprise Service Manager is capable of monitoring certain properties of Gateway clusters and appliances. It can also be configured to send notifications via SNMP, SMTP, and HTTP when certain conditions are met. This article pertains to using HTTP Secure to send HTTP requests using SSL/TLS encryption. Using HTTPS means that the client application must trust the server application. This trust is established via PKI and public certificates.

The CA API Gateway will be unable to transmit notifications via HTTPS under most conditions. The Gateway appliance may not trust the back-end server or service and as such will be unable to transmit an HTTPS request. This article will address this shortcoming.

It is worth noting that notifications are not transmitted by the Enterprise Service Manager itself. The Enterprise Service Manager pushes monitoring and notification rules to the target Process Controller. For example, suppose an administrator needs to monitor the CPU utilization of a particular Gateway appliance. The administrator would configure the monitoring, threshold, and rule on ESM. ESM will push that configuration to the Process Controller of the Gateway appliance being monitored. The Process Controller would monitor the selected property and send notifications when an alert threshold is exceeded. This means that the notification itself comes from the Process Controller of the Gateway being monitored, as opposed to ESM.

Presentation

The following error message may appear in the Process Controller log of the Gateway appliance being monitored via ESM:

com.l7tech.server.processcontroller.monitoring.MonitoringKernelImpl: Couldn't notify for HttpNotificationRule{url='https://10.242.14.157:8443/esmnotification'} NotificationRule{type=HTTP} com.[email protected]5d01e673: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If this error appears, the Process Controller is unable to establish trust with the remote system. Establishing trust between the Process Controller and the remote system is documented in the Resolution section of this article.

Resolution

  1. Obtain the SSL certificate of the web server or service receiving the HTTPS request.
  2. Copy this SSL certificate to the target Gateway via SCP/SFTP.
  3. Disable any existing monitoring properties in ESM that use the desired HTTPS endpoint.
  4. Log on to the Gateway appliance as the ssgconfig user.
  5. Select Option #3: Use a privileged shell (root).
  6. Execute the following command: /opt/SecureSpan/JDK/bin/keytool -import -alias "CN=server.domain.com" -file /home/ssgconfig/server.pem -keystore /opt/SecureSpan/JDK/jre/lib/security/cacerts
     NOTE: The values "server.domain.com" and "server.pem" should be substituted with the CN of the certificate and the file name of the certificate, respectively.
  7. Restart the Gateway service: service ssg restart
  8. Enable the desired monitoring properties and accompanying notification rules in ESM.
  9. Observe a successful HTTPS request when an alert threshold is met.
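
The import in step 6 makes the certificate a trust anchor for that JDK, so it is worth confirming that the file copied in step 2 is the certificate the server's administrator intended. The following shell wrapper is an added example, not part of the original article or of CA's tooling: it imports the certificate only if the SHA-256 fingerprint reported by keytool -printcert matches a value obtained out of band, then lists the alias to confirm the import. The function names, the KEYTOOL and CACERTS variables, and the expected-fingerprint argument are assumptions; the paths are the ones from step 6.

```shell
#!/bin/sh
# Added example: verify a certificate's SHA-256 fingerprint before importing it
# into the JDK trust store used by the Process Controller (step 6).
# Function and variable names are illustrative; paths are taken from step 6.
KEYTOOL="${KEYTOOL:-/opt/SecureSpan/JDK/bin/keytool}"
CACERTS="${CACERTS:-/opt/SecureSpan/JDK/jre/lib/security/cacerts}"

# Strip colons and whitespace and upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Print the SHA-256 fingerprint that keytool reports for a certificate file.
cert_fp() {
    "$KEYTOOL" -printcert -file "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Exit status: 0 = match, 1 = mismatch or unreadable file, 2 = malformed expected value.
verify_cert() {   # usage: verify_cert <cert-file> <expected-sha256>
    expected=$(normalize_fp "$2")
    case "$expected" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#expected}" -eq 64 ] || return 2      # 256 bits = 64 hex digits
    actual=$(normalize_fp "$(cert_fp "$1")")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Import only a verified certificate, then confirm the alias is present.
import_verified() {   # usage: import_verified <cert-file> <alias> <expected-sha256>
    if ! verify_cert "$1" "$3"; then
        echo "refusing to import $1: fingerprint check failed" >&2
        return 1
    fi
    "$KEYTOOL" -import -alias "$2" -file "$1" -keystore "$CACERTS" || return 1
    "$KEYTOOL" -list -alias "$2" -keystore "$CACERTS"
}

# e.g. ./import_verified.sh /home/ssgconfig/server.pem "CN=server.domain.com" <fingerprint>
if [ "$#" -eq 3 ]; then
    import_verified "$@"
fi
```

As with the command in step 6, keytool prompts for the keystore password and for confirmation before it adds the entry.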

Environment

Release:
Component: APIESM