Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000033479 - RSA Security Analytics - LIVE Test Connection Failed - Certificate is signed by an untrusted issuer

Document created by RSA Customer Support

on Jul 6, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 5Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000033479
Applies To	RSA Product Set: Security Analytics RSA Product/Service Type: SA Core Appliance RSA Version/Condition: 10.5.x, 10.6.x Platform: CentOS O/S Version: 6
Issue	SA Server cannot connect to cms.netwitness.com over port 443. When clicking "Test Connection" in Live Account, the user gets "Test connection failed" error as below: Live account credentials are verified via https://cms.netwitness.com, and cms.netwitness.com is also resolved to correct IP. Using curl command to test connection to cms.netwitness.com, curl error code 60 is thrown out - Peer certificate cannot be authenticated with known CA certificate. Below is sample curl command output: # curl -v https://<useraccount>:<password>@cms.netwitness.com:443 * About to connect() to cms.netwitness.com port 443 (#0) * Trying 69.195.204.202... connected * Connected to cms.netwitness.com (69.195.204.202) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Certificate is signed by an untrusted issuer: 'E=trmis-trident@td.com,CN=TD Bank Group Internal Browsing,OU=TRMIS,O=TD Bank Group,L=Toronto,ST=Ontario,C=CA' * NSS error -8172 * Closing connection #0 * Peer certificate cannot be authenticated with known CA certificates curl: (60) Peer certificate cannot be authenticated with known CA certificates More details here: http://curl.haxx.se/docs/sslcerts.html The curl command performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). It is possible to turn off curl's verification of the certificate, using the -k (or --insecure) option.
Tasks	Customer certificate is used for SA and needs to be imported to /etc/pki/java/caerts for the connection to work.
Resolution	1. Connect to the SA Server via ssh and export the certificates using the openssl command: #openssl s_client -showcerts -connect cms.netwitness.com:443 2. Then extract content and save the intermediate and root CA into two files. Note: certificate is the copy of the section: -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- 3. Make a copy of current cacerts. #cp /etc/pki/java/cacerts /var/tmp 4. Imported these certificates into SA' cacerts #keytool -import -alias int-ca -file <intermediatefile> -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit #keytool -import -alias ca -file <rootcafile> -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit 5. Restarted the jettysrv #stop jettysrv #start jettysrv 6. Test LIVE connection again and confirm that it works.

Attachments

Outcomes

0 Comments

Recommended Content