UPM Patch Download Error - peer not authenticated
Article ID: 47325

Products

CA Client Automation - IT Client Manager
CA Client Automation
CA Client Automation - Patch Manager

Issue/Introduction

Downloads of some Patch Management (PM) patches fail.
In the PM logs the error "peer not authenticated" appears. This problem occurs only for patches whose files are referenced by an https URL.

Example:
In ITCM R14 the following error appears in the logs <DSM Path>\PatchManagement\PMEngine*.log:
 
2016-09-22 09:47:45,728 [Dloader-2] ERROR [com.ca.pmengine.dlm] - Patch: FPA_23.0.0.162_x86.exe {2ea5a4f7-33fc-4f2d-a318-e93a6202a71d} failed  with exception detail: peer not authenticated
 

Environment

Client Automation - All versions.

Cause

This problem occurs if Patch Management downloads a file through a Web Gateway Security appliance (for example McAfee Web Gateway (Webwasher)) and the URL of the file uses https.

The Web Gateway presents its own certificate in the TLS handshake sent to the PM machine. As this certificate is not known to the JRE trust store, the handshake fails at the "Certificate, Server Key Exchange" step with the TLS alert "Certificate Unknown".

This failure can be seen in a Wireshark capture taken on the UPM machine.
 

Resolution

The solution is to add the Web Gateway certificate to the cacerts trust store of the JRE used by ITCM Tomcat.
 
1- Make a backup copy of the file C:\Program Files (x86)\CA\SC\JRE\1.8.0_60\lib\security\cacerts as cacerts.ori

Remarks:

Adapt the path to the installation path of ITCM.
In ITCM 14 the JRE version used is 1.8.0_60, but it may change in future versions.
 
 
2- Get an export file of the missing certificate.

Ask the security team for an export of the missing certificate.

or

If the certificate has already been imported in Windows, it can be exported using mmc.
Follow the steps described in this Microsoft page to display the certificates in mmc:

The certificate can then be exported to a .cer file by right-clicking on it and choosing All Tasks - Export...:
 

 
 
3- Execute the following in a Command Prompt to import the missing certificate into the JRE cacerts (replace aliasname with a name of your choice and certificate_file with the path of the exported .cer file):

cd "C:\Program Files (x86)\CA\SC\JRE\1.8.0_60\bin"
keytool -import -alias aliasname -keystore "..\lib\security\cacerts" -file "certificate_file"

The default password of the keystore is: changeit
 
4- Then restart Tomcat and IIS:

caf stop tomcat
iisreset
caf start tomcat
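As an added check (not part of this article or of the ITCM product), the small Java program below loads the same cacerts file and asks the JRE's PKIX trust manager whether it accepts the exported Web Gateway certificate, which is exactly the decision behind the "peer not authenticated" error. The cacerts path, the .cer file name and the class name are assumptions to adapt.

```java
// Added example, not from the KB article or from CA Client Automation.
// Loads the ITCM JRE trust store and checks whether it trusts the
// certificate exported from the Web Gateway. Paths are assumptions.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class GatewayTrustCheck {
    public static void main(String[] args) throws Exception {
        // Assumed default locations; both can be overridden on the command line.
        String cacerts = args.length > 0 ? args[0]
            : "C:\\Program Files (x86)\\CA\\SC\\JRE\\1.8.0_60\\lib\\security\\cacerts";
        String certFile = args.length > 1 ? args[1] : "C:\\temp\\webgateway.cer";

        // Load the trust store the same way the JRE does (JKS, default password changeit).
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(cacerts)) {
            ks.load(in, "changeit".toCharArray());
        }

        // Parse the exported gateway certificate (DER or Base64 .cer both work).
        X509Certificate gw;
        try (InputStream in = new FileInputStream(certFile)) {
            gw = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("Gateway cert subject: " + gw.getSubjectX500Principal());
        System.out.println("Gateway cert issuer : " + gw.getIssuerX500Principal());

        // Build the PKIX trust manager the HTTPS client will use at download time.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            tm.checkServerTrusted(new X509Certificate[] { gw }, "RSA");
            System.out.println("OK: the trust store accepts the gateway certificate");
        } catch (CertificateException e) {
            // This is the condition that surfaces as "peer not authenticated" / "Certificate Unknown".
            System.out.println("NOT TRUSTED: " + e.getMessage());
            System.out.println("Import the gateway (or its issuing CA) certificate with keytool and re-run.");
        }
    }
}
```

Run it once before and once after step 3 to confirm that the import actually changed the trust decision for this JRE.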