FSS UI Certificate Expired so not loading

ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

FSS UI Certificate Expired so not loading

book

Article ID: 4784

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

FSS UI stopped loading up recently. It was working before.

No change on the Policy server or OS has been made recently.

Following error message is displayed in IE.

<Please see attached file for image>

Cause

The FSS UI certificate that is shipped with the above version of Policy server has expired effectively from October 16, 2016.

So, post this date, the Java security wouldn't allow FSS UI to load due to expired certificate.

How to validate the certificate expiry date

Open Java control panel
Click Security --> Manage Certificates

<Please see attached file for image>

Double Click the certificate issued to "CA Inc"

<Please see attached file for image>

Note the Validity date as "October 16 , 2016"

<Please see attached file for image>

Alternatively, if you enable the Java tracing from Java control panel, then you will see the certificate expiry related error as below :

<Please see attached file for image>

Environment

Policy Server : Affected upto 12.52 SP1 CR6 and 12.52 SP2 CR1OS : ANYWeb Server : ANYJava : 1.7 or 1.8

Resolution

Add the FSS UI site URL as exception in the Java control panel.

Open Java control panel.
Click Security --> Edit Site List

<Please see attached file for image>

class="image-6 jive-image" style="font-weight: inherit; font-style: inherit; font-family: inherit;" src="https://communities.ca.com/servlet/JiveServlet/downloadImage/38-5569-104190/pastedImage_8.png" alt="" width="538" height="570">

Click Add and add the site in the following format : http://hostname:<port>/ For e.g In the following case the FSS UI Url is : http://ps1252sp2/siteminder/smadmin2_en.html (port being default 80 ) so the site that needs to be added is http://ps1252sp2:80/

<Please see attached file for image>

class="image-7 jive-image" style="font-weight: inherit; font-style: inherit; font-family: inherit;" src="https://communities.ca.com/servlet/JiveServlet/downloadImage/38-5569-104191/pastedImage_9.png" alt="" width="1275" height="675">

Testing

1. Delete browser history and launch FSSUI

2. Click the check box below to accept the security warning and click Run

<Please see attached file for image>

class="jive-image image-8" style="font-weight: inherit; font-style: inherit; font-family: inherit;" src="https://communities.ca.com/servlet/JiveServlet/downloadImage/38-5569-104192/pastedImage_13.png" alt="" width="563" height="379">

3. You will then be shown the FSS UI login page

<Please see attached file for image>

class="image-9 jive-image" style="font-weight: inherit; font-style: inherit; font-family: inherit;" src="https://communities.ca.com/servlet/JiveServlet/downloadImage/38-5569-104193/pastedImage_14.png" alt="" width="746" height="548">

Resolution

CA is working on renewing the expired certificate. If you can't utilise the workaround provided , please open a support case so we can provide you the renewed certificate as a development fix.

Attachments

1558715689968000004784_sktwi1f5rjvs16tww.png get_app

1558715688240000004784_sktwi1f5rjvs16twv.png get_app

1558715686232000004784_sktwi1f5rjvs16twu.png get_app

1558715684318000004784_sktwi1f5rjvs16twt.png get_app

1558715682540000004784_sktwi1f5rjvs16tws.png get_app

1558715680715000004784_sktwi1f5rjvs16twr.png get_app

1558715678564000004784_sktwi1f5rjvs16twq.png get_app

1558715676613000004784_sktwi1f5rjvs16twp.png get_app

1558715674458000004784_sktwi1f5rjvs16two.png get_app

Feedback

thumb_up Yes

thumb_down No