OWB "Accept Certificate - Unknown certificate..." message (SSL)

Article ID: 55129

Products

Clarity PPM SaaS, Clarity PPM On Premise

Issue/Introduction

A pop-up box with the message "Accept Certificate - Unknown certificate; proceed?" is displayed when opening Open Workbench (OWB) in a Secure Sockets Layer (SSL) environment. We would like this process to be seamless and not display this window. Although the option to save is displayed, this doesn't seem to be saving the certificate for future use, as the next time we open OWB the same message is displayed.

Cause

The SSL certificate has not been installed on the local machine, and it was not issued by a "commonly trusted root CA" (for example, it is a self-generated or internal company certificate that Sun Java does not install by default).
When you install Java (or IE, or any application that handles SSL), it installs a number of "root authority certificates" from companies like Verisign.

Any SSL server certificate that chains to one of these "trusted CA certificate" providers as its root is accepted immediately. If the SSL certificate on the system does not come from a 'normal' trusted root, the client machine you are running OWB from effectively says "don't know who this is... can't trust it" and rejects it.

Environment

Release: All
Component: OPEN WORKBENCH (OWB)

SSL Enabled

Resolution

Install the certificate; Java will then recognize it. When you install an SSL certificate in Microsoft Internet Explorer (IE), you get a dialog box for doing this. With Java, however, you must use the command line.

From IE:

  1. When you access the Clarity application on the SSL port with Microsoft Internet Explorer, you will see a dialog box that asks about the certificate.
  2. Click on View Certificate and go to the Details tab of the dialog box that pops up. Do not install the certificate using this dialog, since IE and Java do not use the same certificate stores.
  3. Instead, click on the Copy to File button. This only exports the "public" portions of the certificate to the file that is given to any client requesting a connection to the server. NO private portions of the certificate will be inadvertently delivered to the client this way.
  4. Use the defaults including format. Save to a file name such as "c:\test.cer" using the wizard.

From Command line:

  1. Run the following Sun Java "keytool" command. Change the path names as appropriate, but the command should look something like this:

    C:\<java>\bin\keytool -import -keystore C:\<java>\lib\security\cacerts -keyalg RSA -file c:\test.cer -trustcacerts

  2. You will be prompted for a keystore password. The default keystore password to use is: changeit

This procedure should work for "self signed" certificates. Please note that you have to install the certificate on every client machine, and also note the security issues if users try to access the application from outside.
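As an added example (not part of the original article and not vendor code), the PowerShell script below wraps the keytool step with a check the procedure leaves implicit: it compares the SHA-256 fingerprint of the exported file with a value obtained out of band from the server administrator before adding the certificate to cacerts. The alias `clarity-owb-ssl`, the `-ExpectedSha256` parameter and the use of `JAVA_HOME` to locate keytool are assumptions.

```powershell
# Added example, not vendor code. Alias and expected fingerprint are assumptions.
param(
    [string]$CertFile = 'C:\test.cer',      # file exported in the IE steps
    [string]$Alias    = 'clarity-owb-ssl',  # hypothetical alias; keytool's default is "mykey"
    [Parameter(Mandatory = $true)]
    [string]$ExpectedSha256                 # fingerprint supplied out of band by the server admin
)
$ErrorActionPreference = 'Stop'

# Locate keytool and the JRE trust store from JAVA_HOME.
if (-not $env:JAVA_HOME) { throw 'JAVA_HOME is not set on this machine.' }
$keytool  = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$keystore = Join-Path $env:JAVA_HOME 'lib\security\cacerts'
if (-not (Test-Path $keystore)) {
    # JDK 8 and earlier keep the trust store under jre\lib\security.
    $keystore = Join-Path $env:JAVA_HOME 'jre\lib\security\cacerts'
}
foreach ($p in $CertFile, $keytool, $keystore) {
    if (-not (Test-Path $p)) { throw "Not found: $p" }
}

# SHA-256 over the DER encoding of the certificate (works for DER or Base64 .cer files).
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertFile
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = $ExpectedSha256 -replace '[^0-9A-Fa-f]', ''   # accept "AA:BB:..." or "AA BB ..."

Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"
Write-Host "SHA-256 : $actual"
if ($actual -ne $expected) {
    throw 'Fingerprint does not match the expected value; certificate NOT imported.'
}
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has expired; NOT imported.' }

# Import under an explicit alias. keytool prompts for the keystore password
# and asks for confirmation before trusting the certificate.
& $keytool -import -alias $Alias -file $CertFile -keystore $keystore -trustcacerts
if ($LASTEXITCODE -ne 0) { throw "keytool -import failed with exit code $LASTEXITCODE" }

# Confirm the entry is present (keytool prompts for the password again).
& $keytool -list -alias $Alias -keystore $keystore
if ($LASTEXITCODE -ne 0) { throw "Alias '$Alias' was not found after import." }
```

Run it from an elevated prompt if Java is installed under Program Files, since the import writes to the cacerts file.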

Additional Information

  1. Make sure the JAVA_HOME environment variable is specified on the client machine.
  2. Make sure the bin folder for your Java version is in the path.
  3. Make sure that only one version of Java is referenced in the path statement.

On Premise customers, to check port and URL information:

  1. Go to the CSA (PPM system administration) > Application tab.
  2. Out of the box, the CSA can be accessed via the URL: <ppm_server>:8090 by default.
  3. Once logged in to the CSA > Application page, find the Scheduler URL field, make the changes, and save.

See also: OWB/MSP certificate prompt