|Issue||Important: This KB article applies specifically to Archer version 6.0 only because this is the only version of Archer that uses Java for Advanced Workflow. This KB cannot be used to resolve similar issues with Archer Version 6.1 or newer, or any versions prior to 6.0.|
While SSL is enabled, the following error is received when trying to add a workflow to an application:
2015-11-20 20:20:23,885 WARN [wp.utils.WpUtils] (default task-21) java.lang.RuntimeException:
The server login was denied for the following reason: Authentication Failed for user 187
Configuring Java to use your Root CA Certificate with SSL in Archer 6.0
When Archer 6.0 is configured to use SSL, your certificate chain for the HTTPS/SSL certificate used by IIS must exist in the Java Keystore. If it is not, the Advanced Workflow will not work.
This is because a trust relationship cannot be created between the API request and the Workpoint service.
Exporting the Certificate:
- Open IIS Manager
- Open "Server Certificates" in IIS Manager
- Double-click the Certificate that is currently in use for your Archer Site
For *EACH* Certificate listed in the certificate path
- Click "View Certificate" if it isn't the currently open certificate.
- Details Tab.
- Click "Copy to File...".
- Select "No, do not export the private key".
- Select "DER encoded binary X.509 (.CER).
- Name the file after the certificate and save it to a location.
- IMPORTANT: Repeat steps 1 through 6 for each certificate in the certificate path of the certificate that is currently being used by IIS for HTTPS/SSL. This will result in either 1, or many.CER files. All of which need to be imported into the Java Keystore.
- Download and install KeyStore Explorer on the web server.
NOTE: This tool is a free open source tool and is not affiliated with RSA in any way.
NOTE: When you open this the first time, you may be required to install a Java extension.
- Inside of the KeyStore Explorer, click “File” > “Open” and then navigate to the Java Keystore (“cacerts” is the name of the file and can be searched for if you cannot find the path.).
NOTE: In a default installation of Java, this file can be found in “C:/Program Files/Java/<Install Version>/lib/security/cacerts”.
- You will be prompted to enter the password of the KeyStore. If this is the default KeyStore and the password has not been changed, the password will be “changeit”, without the quotes.
- You should now see a list of each of the certificates that are currently included in the Java KeyStore.
- Go to Tools -> Import Trusted Certificate or click the red ribbon/certificate icon in the menu bar.
- A file browser will open. Navigate and open the certificate file that you created with exporting your Root certificate in step 12.
- You may receive the following message. This is fine, just click okay and then you will manually accept the certificate trust.
- You will now see a window that looks similar to this. You will not need to change anything. Click “OK”.
- You will then receive the following message. Click Yes.
- You will then be given the option to set an alias for the cert. This will default to the name that is assigned in the windows CA store. Click OK.
- After the certificate has imported successfully, you will get the following message. Click OK.
IMPORTANT: Repeat the above importing process for each certificate that you exported from IIS above. You can have anywhere from 1 to many certificates to import.
Important: If you do not save, the import will not commit.
- Restart all Archer Services, confirming that the Workpoint components are deployed before testing Advanced Workflow from the front end.