WA Agent FTP Job error: 'Error constructing trust manager' or 'performLogin failed'
search cancel

WA Agent FTP Job error: 'Error constructing trust manager' or 'performLogin failed'

book

Article ID: 436318

calendar_today

Updated On:

Products

ESP dSeries Workload Automation - Business Agents (dSeries) ESP dSeries Workload Automation ESP dSeries Workload Automation - System Agent (dSeries) ESP dSeries Workload Automation - Scheduler (dSeries)

Issue/Introduction

When running an FTP job via a Workload Automation (WA) Agent, the job fails with the following error messages in the job log:

suberror - performLogin failed 
Error constructing trust manager 234 
Security environment established - 
ready for negotiation(followed by certificate chain details)

Environment

Workload Automation agent: 12.1 or above

Cause

This issue occurs when the WA Agent's Java environment cannot validate the SSL/TLS certificate chain presented by the remote FTP server. This typically happens because the Root CA or Intermediate CA certificates from the remote server are missing from the agent's Java truststore (cacerts).

Resolution

To resolve this, user may need to  manually import the remote server's certificate chain into the agent's truststore.

Prerequisites

  • Access to the WA Agent server with administrative permissions.
  • The keytool utility (provided with the Java Runtime Environment).
  • The password for the Java keystore (default is changeit).

Step 1: Obtain the Remote Certificates, consult Network admin for more details.

  • Export the Root and Intermediate CA certificates from the remote FTP server (e.g., ftp.example.com).
  • Save these files (e.g., root_ca.cer, intermediate_ca.cer) to a temporary directory on the WA Agent server.

Step 2: Import the Certificates

  • This command will make changes to your system. Test before running.  The cacerts file used by the agent in Agent install directory.  The alias name must be unique for truststore.
    # Import the Root CA
    keytool -import -trustcacerts -alias remote_root_ca -file root_ca.cer -keystore "[Path_to_cacerts]" -storepass changeit 
    # Import the Intermediate CA
    keytool -import -trustcacerts -alias remote_int_ca -file intermediate_ca.cer -keystore "[Path_to_cacerts]" -storepass changeit

Step 3: Restart and Test

  • Ensure the OS user running the agent service has read permissions for the cacerts file.
  • Rerun the impacted FTP job to verify the connection is successful.

Step 4: Add Agent parameters  (Optional)

  • Add the following parameter to allow the agent to accept new certificates for future:
    ftp.client.ssl.accept_new_ca=true

 

Powered by Wolken Software