000032124 - Error message "Authentication Failed" while adding Workflow to application in RSA Archer 6.0

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000032124
Applies ToRSA Product Set: Archer
RSA Version/Condition: 6.0
Platform: Windows
IssueImportant: This KB article applies specifically to Archer version 6.0 only because this is the only version of Archer that uses Java for Advanced Workflow.  This KB cannot be used to resolve similar issues with Archer Version 6.1 or newer, or any versions prior to 6.0.
While SSL is enabled, the following error is received when trying to add a workflow to an application:
2015-11-20 20:20:23,885 WARN [wp.utils.WpUtils] (default task-21) java.lang.RuntimeException: 
The server login was denied for the following reason: Authentication Failed for user 187

 
CauseWhen Archer 6.0 is configured to use SSL, the certificate chain for the HTTPS/SSL certificate used by IIS must exist in the Java Keystore.
If it is not, the Advanced Workflow will not work. This is because a trust relationship cannot be created between the API request and the Workpoint service.
 
Resolution

Configuring Java to use your Root CA Certificate with SSL in Archer 6.0


Summary:


When Archer 6.0 is configured to use SSL, your certificate chain for the HTTPS/SSL certificate used by IIS must exist in the Java Keystore. If it is not, the Advanced Workflow will not work.
This is because a trust relationship cannot be created between the API request and the Workpoint service.

Exporting the Certificate:


  • Open IIS Manager
  • Open "Server Certificates" in IIS Manager
User-added image
  • Double-click the Certificate that is currently in use for your Archer Site
User-added image
  • Certificate Path Tab
User-added image
For *EACH* Certificate listed in the certificate path
1. Click "View Certificate" if it isn't the currently open certificate
2. Details Tab
User-added image
3. Click "Copy to File..."
4. Select "No, do not export the private key"
User-added image
5. Select "DER encoded binary X.509 (.CER)
User-added image
6. Name the file after the certificate and save it to a location
User-added image
7. IMPORTANT: Repeat steps 1 through 6 for each certificate in the certificate path of the certificate that is currently being used by IIS for HTTPS/SSL.  This will result in either 1, or many .CER files. All of which need to be imported into the Java Keystore.
 
  • Download and install KeyStore Explorer on the web server.

NOTE: This is tool is a free open source tool and is not affiliated with RSA in any way.

 
  • Open KeyStore Explorer
NOTE: When you open this the first time, you may be required to install a Java extension.


User-added image

 
  • Inside of the KeyStore Explorer, clike “File” > “Open” and then navigate to the Java Keystore (“cacerts” is the name of the file and can be searched for if you cannot find the path.).
NOTE: In a default installation of Java, this file can be found in “C:/Program Files/Java/<Install Version>/lib/security/cacerts”.

 
  • You will be prompted to enter the password of the KeyStore. If this is the default KeyStore and the password has not been changed, the password will be “changeit”, without the quotes.
  • You should now see a list off each of the certificates that are currently included in the Java KeyStore.
User-added image

 
  • Go to Tools -> Import Trusted Certificate or click the red ribbon/certificate icon in the menu bar.
User-added image

 
  • A file browser will open. Navigate and open the certificate file that you created with exporting your Root certificate in step 12.
  • You may receive the following message. This is fine, just click okay and then you will manually accept the certificate trust.
User-added image

 
  • You will now see a window that looks similar to this. You will not need to change anything. Click “OK”.
User-added image

 
  • You will then receive the following message. Click Yes.
User-added image

 
  • You will then be given the option to set an alias for the cert. This will default to the name that is assigned in the windows CA store. Click OK.
 User-added image

  • After the certificate has imported successfully, you will get the following message. Click OK.
User-added image

 
IMPORTANT: Repeat the above importing process for each certificate that you exported from IIS above. You can have anywhere from 1 to many certificates to import.
  •  Click File -> Save.
Important: If you do not save, the import will not commit.

 User-added image

  • Close KeyStore Explorer.
  • Reset IIS.
  • Restart all Archer Services, confirming that the Workpoint components are deployed before testing Advanced Workflow from the front end.

Attachments

    Outcomes