UPM Patch Download Error - peer not authenticated
Article ID: 47325
Updated On:
Products
CA Client Automation - IT Client Manager
CA Client Automation
CA Client Automation - Patch Manager
Issue/Introduction
Download of some Patch Management (PM) Patches are in error.
In PM logs, error "peer not authenticated" appears. This problem occurs only for patches with files containing https in the url.
Example :
In ITCM R14 following error appears in the logs <DSM Path>\PatchManagement\PMEngine*.log
2016-09-22 09:47:45,728 [Dloader-2] ERROR [com.ca.pmengine.dlm] - Patch: FPA_23.0.0.162_x86.exe {2ea5a4f7-33fc-4f2d-a318-e93a6202a71d} failed with exception detail: peer not authenticatedEnvironment
Client Automation - All versions.
Cause
This problem occurs if Patch Management is downloading a file via a Web Gateway Security (like : McAfee Web Gateway (Webwasher)) and if the url of the file contains https.
The Web Gateway adds its certificate in the SSL message sent to the PM machine. As this certificate is not known, "CertificateServer Key Exchange" fails with error "Certificate Unknown".
In the wireshark logs generated on the UPM machine we could see this :
Resolution
The solution is to add the Web Gateway certificate into the cacerts file of JRE used by ITCM tomcat.
Adapt the path with the installation path of ITCM.
1- Do a copy of file C:\Program Files (x86)\CA\SC\JRE\1.8.0_60\lib\security\cacerts as cacerts.ori
Remarks :
Adapt the path with the installation path of ITCM.
In ITCM 14, JRE version used is 1.8.0_60 but it may be change in future version.
2- Get an export file of the missing certificate.
Ask security team for an export of missing certificate.
or
If the certificate has already been imported in Windows it could be exported using mmc.
Follow the steps described in this Microsoft page in order to display the certificates in mmc :
Then certificate could be exported in a .cer file by right-clicking on it and choose All Tasks - Export... :
3- Execute this in a Command Prompt in order to import the missing certificate into JRE cacerts :
cd c:\Program Files (x86)\CA\SC\JRE\1.8.0_60\bin
keytool -import -alias aliasname -keystore "<..\lib\security\cacerts>" -file "certificate_file"
The password for keystore is by default : changeit
4- Then restart tomcat & IIS :
Caf stop tomcat
Iisreset
Caf start tomcat
Feedback
Yes
No
Powered by
