Description:

ISSUE
NPC/RA reports are missing graphs when printed or emailed as PDF (SSL implementation).

DETAILS
In a SSL implementation the NPC/RA report printouts and email PDFs are missing graphs. The reports show all info beside the graphswhich are just blank and have a little red cross in the upper left corner. Next to the Browser URL it says "certificate error".

Solution:

1. Make sure everything is configured as described in the SSL guides.
   
   How to Install and configure SSL on ReporterAnalyzer and NPC (Win2003).docx
   
   How to Install and configure SSL on ReporterAnalyzer and NPC (Win2008).docx
   
   You can find them under this location: https://ftp.broadcom.com/user/downloads/pub/netqos/products/NPC/SSL_install_guide/
   
   If problem persists, follow up on the next items.
   
   
2. Verify that you don't have a bad certificate.
   1. If you have a Self-Signed certificate, create a new one on the server which needs to be accessed and verify if it works.
      
      
   2. If you have a 3rd party certificate, create a Self-Signed test certificate on the server which needs to be accessed and test if it works.
   
   
3. Important is, that the "issued to" field in the certificate always needs to match the URL name which is used to access the server.
   (e.g. if a customer is accessing his NPC from outside via FQDN "netqos-NPC.scc.com", they need to issue their NPC 3rd party cert to "netqos-NPC.scc.com")
   
   If you use the "NPC hostname" or "RA hostname" in the URL to access the servers, you can use a self-signed certificate issued to those hostnames.
   Report prints and email PDFs will only work with a hostname in the URL (not with the IP address).
   
   If RA and NPC are on different servers, you need 2 different Self-Signed/3rd party certificates issued to the respective hostname/FQDN. Also pay attention to where the links inside NPC, which connect to RA are pointing to. (e.g. if they point to a FQDN like "netqos-RA.scc.com", you will need the RA certificate issued to this FQDN)
   
   
4. It works on the server itself but not on external hosts? Are NAT hostnames used in the environment?
   
   If so, update the NPC's and RA's HOSTS file with:
   
   <IP-Address of local machine> <original-host-name> <Natted-Hostname>
   
   
5. Please be aware that, if a 3rd party certificate is used and the RA server doesn't have internet access, a "Windows certificate server" is needed as authority in the network.
   
   
6. If the above steps made printing from NPC possible but still not directly from the RA, as final solution an apache reverse proxy can be configured over SSL with backend http on the RA. It's an Apache instance in front of IIS. Find the steps to configure the Apache HTTPS to HTTP Proxy here:
   
   https://ftp.broadcom.com/user/downloads/pub/netqos/products/NPC/SSL_install_guide/Apache-proxy-WA-public.zip
   
   Please check the readme.txt in the zip file.

Important: RA/NPC sync works only with http after using this solution.

If customers need help to implement this solution, they need to engage CA Services. Apart from the reverse proxy itself, this can be considered as fully supported. If necessary, the reverse proxy can be deactivated for RA troubleshooting.