Spectrum Webapp not working after upgrade to NetOps 21.2

Article ID: 220282


Updated On:

Products

DX NetOps CA Spectrum

Issue/Introduction


We upgraded Spectrum from 20.2.x to 21.2.x. After the upgrade we are unable to launch the Webapp.

We have both OneClick and the Webapp configured to use HTTPS with a self-signed cert. This was working fine prior to the upgrade. I see the errors below in the tomcat log:

Jul 20, 2021 14:51:17.959 (https-jsse-nio-443-exec-6) - IOException while connecting to webapp
Jul 20, 2021 14:51:17.959 (https-jsse-nio-443-exec-6) - Trying with localhost

We checked <SPECROOT>/webtomcat/bin/logs/webswing.log as well, and it shows the following error:

Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present

Environment

DX NetOps Spectrum : 21.2.x
OS: Linux

Cause


Due to security enhancements in NetOps 21.2, the TLS connection from webswing to webtomcat now performs host name verification: the host name (or IP address) that webswing is configured to connect to must match a Subject Alternative Name (SAN) entry in the webtomcat certificate. A certificate with no SAN extension, or a SAN that does not list the configured name, fails the handshake with the error shown above, so webtomcat and webswing now require additional parameters in their config files (and a SAN in the cert) to authenticate over SSL.

Resolution


#1. First, add a Subject Alternative Name (SAN) to the self-signed certs. Since the certs have already been created, they must be deleted first. If your cert already has a SAN configured, skip to step 3.

Note: "cert(s)" is plural here because, due to previous requirements, a tomcatssl-localhost cert was required to access webtomcat. If you are upgrading from a version earlier than 10.4.2, you may not have this cert yet. See the following article for more details on the tomcatssl-localhost cert: https://knowledge.broadcom.com/external/article?articleId=196227

From $SPECROOT/Java/bin: 

keytool -delete -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts
keytool -delete -alias tomcatssl-localhost -keystore $SPECROOT/custom/keystore/cacerts



#2. Then generate the new certs, adding the SAN information (use the FQDN and/or IP address that webswing will connect to; keytool will prompt for the remaining certificate fields):

keytool -genkey -alias tomcatssl -keyalg RSA -keystore $SPECROOT/custom/keystore/cacerts -ext "SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com"
keytool -genkey -alias tomcatssl-localhost -keyalg RSA -keystore $SPECROOT/custom/keystore/cacerts -ext "SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com"


#3. Edit the following webswing files: <SPECROOT>/webtomcat/bin/webswing.properties and <SPECROOT>/webtomcat/bin/webswing-admin.properties

In webswing.properties, change the short host name to the fully qualified host name (FQDN); it must exactly match the name entered as the SAN in the cert. Also be sure the connecting port is correct according to webtomcat's $SPECROOT/webtomcat/conf/server.xml file:

In webswing-admin.properties, make the same change for these lines:

At the bottom of the file, also make sure the full path to the keystore is added:


Edit $SPECROOT/webtomcat/webswing/webswing.config

Update the adminConsoleUrl to contain the FQDN (the same name used in the SAN and in the properties files above).


#4. Restart the tomcat and webtomcat services and test logging in to the Webapp.

NOTE: If your organization does not use DNS or the FQDN of the servers due to security policy, you can also use the IP address in the webswing.properties and webswing-admin.properties files. As long as the IP address matches the IP entry in the SAN of the cert, webswing will authenticate the connection and allow access to webtomcat.

NOTE: While the above describes a self-signed cert, the same requirement applies to CA-signed certs: be sure the SAN information (FQDN and/or IP address) is included in your CA-signed certs as well.
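Before deleting and regenerating anything, it is worth checking whether the certificate already carries a SAN that matches the host name (or IP) you intend to put in webswing.properties, since that mismatch is exactly what the handshake error reports. The script below is an added example, not part of this article or of the Spectrum product: it parses `keytool -list -v` output and applies a simplified version of Java's host name check (an IP literal must appear as an IPAddress SAN, a DNS name must appear as a DNSName SAN, exact or single-label wildcard; the CN is ignored). The keytool output samples, host names and addresses embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example. In production, feed real keytool output, e.g.:
#   out=$("$SPECROOT/Java/bin/keytool" -list -v -alias tomcatssl -keystore "$SPECROOT/custom/keystore/cacerts")
#   check_san_match myserver.mydomain.com "$out"

# Constructed sample: cert regenerated with -ext "SAN=IP:10.0.0.5,DNS:myserver.mydomain.com"
SAMPLE_WITH_SAN='Alias name: tomcatssl
Entry type: PrivateKeyEntry
Owner: CN=myserver.mydomain.com, OU=NetOps, O=Example, C=US
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  IPAddress: 10.0.0.5
  DNSName: myserver.mydomain.com
]
'
# Constructed sample: a CA-signed wildcard cert
SAMPLE_WILDCARD='Alias name: tomcatssl
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.mydomain.com
]
'
# Constructed sample: pre-21.2 style cert with no SAN extension at all
SAMPLE_NO_SAN='Alias name: tomcatssl
Entry type: PrivateKeyEntry
Owner: CN=myserver, OU=NetOps, O=Example, C=US
Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AA BB
]
]
'

# san_entries: print the "Type: value" lines inside the SubjectAlternativeName [ ... ]
# block of keytool -list -v output (stdin), or nothing if the extension is absent.
san_entries() {
    awk '/SubjectAlternativeName \[/ { inside = 1; next }
         inside && /^\]/               { inside = 0 }
         inside                        { sub(/^[ \t]+/, ""); print }'
}

# is_ipv4: succeed if $1 is a dotted-quad IPv4 literal.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# check_san_match HOST KEYTOOL_OUTPUT
# Prints MATCH / NO_SAN / NO_MATCH with a reason; returns 0 only on MATCH.
# NO_SAN is the case behind "No subject alternative names present".
check_san_match() {
    host=$1
    entries=$(printf '%s\n' "$2" | san_entries)
    if [ -z "$entries" ]; then
        echo "NO_SAN: certificate has no SubjectAlternativeName extension; regenerate it with -ext SAN=..."
        return 1
    fi
    if is_ipv4 "$host"; then
        # IP literals must match an IPAddress entry exactly (fixed string, whole line)
        if printf '%s\n' "$entries" | grep -qxF "IPAddress: $host"; then
            echo "MATCH: IPAddress $host is in the SAN"
            return 0
        fi
    else
        lhost=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
        parent=${lhost#*.}   # everything after the left-most label, for *.parent wildcards
        if printf '%s\n' "$entries" | tr 'A-Z' 'a-z' | awk -v h="$lhost" -v p="$parent" '
            /^dnsname: / {
                name = substr($0, 10)
                if (name == h) found = 1
                if (index(h, ".") > 0 && name == "*." p) found = 1
            }
            END { exit found ? 0 : 1 }'; then
            echo "MATCH: DNSName $host is covered by the SAN"
            return 0
        fi
    fi
    echo "NO_MATCH: $host is not listed in the SAN ($(printf '%s' "$entries" | tr '\n' ' '))"
    return 1
}

# Demonstration over the constructed samples (real run: pass keytool output instead)
for h in myserver.mydomain.com 10.0.0.5 10.0.0.6; do
    check_san_match "$h" "$SAMPLE_WITH_SAN" || true
done
check_san_match myserver.mydomain.com "$SAMPLE_WILDCARD" || true
check_san_match myserver.mydomain.com "$SAMPLE_NO_SAN" || true
```

Run the check with the exact value you have put (or intend to put) in webswing.properties: a NO_SAN result means the cert must be regenerated as in steps 1 and 2, while NO_MATCH means either the properties file or the SAN list needs to be corrected so the two agree. The check is deliberately stricter than Java in one respect, in that it never falls back to the CN, which is the behaviour you should plan for.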

Additional Information

Please see the section "SSL Config for WebApp" for more details:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/spectrum/21-2/managing-client-applications/oneclick-webapp.html

NOTE: keytool's default certificate validity is only 90 days. You can set a longer validity when generating the self-signed certificate (for example, -validity 360); the parameter can be added anywhere on the command line.

Example: 

keytool -genkey -alias tomcatssl -keyalg RSA -keystore $SPECROOT/custom/keystore/cacerts -ext "SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com" -validity 360