Service Desk Manager SSL connection failures with Maileater, PAM, or Catalog

Article ID: 103456

Updated On:

Products

  • CA Service Management - Service Desk Manager
  • CA Service Desk Manager
  • CA Service Catalog
  • CA Process Automation Base

Issue/Introduction

Upgrading Service Desk Manager (SDM) or configuring a new installation with SSL may result in connection failures between SDM and integrated components. While an OAuth token might be generated successfully, emails may fail to process, and integrations with CA Process Automation (PAM) or Service Catalog may be non-functional.

Environment

  • Product: CA Service Desk Manager
  • Releases: 17.1, 17.2, 17.3, 17.4
  • Patches: 17.4 RU2 and higher
  • Integrations: Maileater (Azure/Office 365 OAuth 2.0), CA Process Automation, CA Service Catalog
  • Database/Browser: Applicable to all supported types

Cause

In the maileater_nxd.log located in the SDM install folder's log directory (with debug mode enabled), you may observe the following errors:

  • keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
  • Caused by: java.security.UnrecoverableKeyException: Password verification failed
  • javax.mail.MessagingException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
  • Caused by: java.security.UnrecoverableKeyException: Get Key failed: null

The main cause is that the internal nx.keystore file is corrupt, or the NX_KEYSTORE_REF variable in the NX.env file (which stores the encrypted password for the keystore) is missing or mismatched following an upgrade or patch application.

When the nx.keystore is created, the key should be populated in the NX.env file as the value:
@NX_KEYSTORE_REF=<encrypted line sequence>

Review the NX.env file. If this value is missing, there may have been a problem during the creation of the nx.keystore file.

NX_KEYSTORE_REF is the variable that stores the internal password for the nx.keystore. This variable is encrypted and not accessible to end users.

For the nx.keystore file, which is located in the NX_ROOT/pdmconf directory, run these two commands (both must be run in sequence):

nxcd bin
pdm_perl pdm_keystore_mgr.pl -list -v

The above will display the contents of the nx.keystore file, using the NX_KEYSTORE_REF variable entry as the password.  SDM Services do not need to be running in order to try the above test.

Resolution

Follow these steps in sequence to recreate the internal keystore and re-import necessary certificates.

Note: If using a multi-server environment (Background/Standby/Application), perform the deletion steps on all servers but perform the import on the Primary/Background server first.

1. Backup Existing Configuration

Before making changes, copy the following files to a separate directory (do not simply rename them in the same folder):

  • NX.env (located in the SDM install directory)
  • pdmconf\NX.keystore
  • site\client_nx.env
  • Collect all Root CA certificate files needed for Catalog, PAM, or Maileater.

2. Recreate the Keystore

  1. Stop SDM services on all servers.
  2. Delete the NX_KEYSTORE_REF entry from the NX.env file.
  3. Delete the file NX_ROOT\pdmconf\NX.keystore.
  4. Delete the NX_KEYSTORE_REF entry from NX_ROOT\site\client_nx.env.
  5. Restart SDM services on the Primary/Background server. Wait several minutes for the NX.keystore and NX_KEYSTORE_REF variable to regenerate.

  6. Run the following two commands from an admin command prompt to review the contents of the NX.keystore:

    nxcd bin
    pdm_perl pdm_keystore_mgr.pl -list -v

    If there are no certificates listed, follow the instructions below (Import Certificates) to add the necessary certificates.

3. Import Certificates

  1. Open a command prompt and navigate to the SDM bin directory: nxcd bin.
  2. Run the following command for each certificate file (Maileater, PAM, Catalog):

    pdm_perl pdm_keystore_mgr.pl -import <path_to_certificate_file>

  3. Verify the contents of the keystore:

    pdm_perl pdm_keystore_mgr.pl -list -v

4. Synchronize Servers

  1. Verify that NX_KEYSTORE_REF in NX.env matches the entry in site\client_nx.env.
  2. Copy the newly generated NX_ROOT\pdmconf\NX.keystore to the same directory on all other SDM servers (Standby/Application).
  3. Restart SDM services on all servers.
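
A consistency check for the two verification points in step 4, as an added example that is not part of the vendor article or the product. It assumes `-NxRoot` is the SDM install directory, `-PeerRoots` are UNC paths to NX_ROOT on the Standby/Application servers (hypothetical parameters), and that the entry has the `@NX_KEYSTORE_REF=` form shown above.

```powershell
param(
    [string]$NxRoot = $env:NX_ROOT,   # assumption: SDM install directory
    [string[]]$PeerRoots = @()        # assumption: UNC paths to NX_ROOT on the other servers
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
if (-not $NxRoot) { throw 'Pass -NxRoot with the SDM install directory.' }

function Get-KeystoreRef {
    param([string]$Path)
    # Entries have the form "@NX_KEYSTORE_REF=<encrypted line sequence>".
    $hits = @(Select-String -LiteralPath $Path -Pattern '^\s*@NX_KEYSTORE_REF=(.*)$')
    if ($hits.Count -gt 1) { throw "More than one NX_KEYSTORE_REF entry in $Path" }
    if ($hits.Count -eq 0) { return $null }
    return $hits[0].Matches[0].Groups[1].Value.Trim()
}

$problems = @()

# Step 4.1: both env files must carry the same reference. Only the verdict is
# reported; the encrypted value itself is never written to the console.
$serverRef = Get-KeystoreRef (Join-Path $NxRoot 'NX.env')
$clientRef = Get-KeystoreRef (Join-Path $NxRoot 'site\client_nx.env')
if (-not $serverRef) { $problems += 'NX_KEYSTORE_REF missing from NX.env' }
elseif (-not $clientRef) { $problems += 'NX_KEYSTORE_REF missing from site\client_nx.env' }
elseif ($serverRef -cne $clientRef) {
    $problems += 'NX_KEYSTORE_REF differs between NX.env and site\client_nx.env'
}

# Step 4.2: every other server must hold a byte-identical copy of the keystore.
$localStore = Join-Path $NxRoot 'pdmconf\NX.keystore'
$localHash = (Get-FileHash -LiteralPath $localStore -Algorithm SHA256).Hash
foreach ($peer in $PeerRoots) {
    $peerStore = Join-Path $peer 'pdmconf\NX.keystore'
    if (-not (Test-Path -LiteralPath $peerStore)) {
        $problems += "No NX.keystore found under $peer"
        continue
    }
    if ((Get-FileHash -LiteralPath $peerStore -Algorithm SHA256).Hash -ne $localHash) {
        $problems += "NX.keystore under $peer differs from the local copy"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "NX_KEYSTORE_REF entries match; keystore identical on $($PeerRoots.Count) peer server(s)."
```

Run it on the Primary/Background server after copying the keystore and before restarting services; a non-zero exit code means at least one check failed.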

Additional Information

The NX.keystore is an internal file used strictly for product integrations (Maileater, PAM, Catalog). It is NOT used to store the SSL certificates that implement SSL on the Tomcat/IIS server for web access.

Please review the KB article on enabling debug logging for Maileater in Service Desk Manager.