000033479 - RSA Security Analytics - LIVE Test Connection Failed - Certificate is signed by an untrusted issuer

Document created by RSA Customer Support Employee on Jul 6, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000033479
Applies ToRSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: 6
IssueSA Server cannot connect to cms.netwitness.com over port 443. When clicking "Test Connection" in Live Account, the user gets "Test connection failed" error as below:
Live account credentials are verified via https://cms.netwitness.com, and cms.netwitness.com is also resolved to correct IP.
Using curl command to test connection to cms.netwitness.com, curl error code 60 is thrown out - Peer certificate cannot be authenticated with known CA certificate. Below is sample curl command output:
# curl -v https://<useraccount>:<password>@cms.netwitness.com:443
* About to connect() to cms.netwitness.com port 443 (#0)
*   Trying connected
* Connected to cms.netwitness.com ( port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Certificate is signed by an untrusted issuer: 'E=trmis-trident@td.com,CN=TD Bank Group Internal Browsing,OU=TRMIS,O=TD Bank Group,L=Toronto,ST=Ontario,C=CA'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

The curl command performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
It is possible to turn off curl's verification of the certificate, using the -k (or --insecure) option.
TasksCustomer certificate is used for SA and needs to be imported to /etc/pki/java/caerts for the connection to work.
Resolution      1. Connect to the SA Server via ssh and export the certificates using the openssl command:
#openssl s_client -showcerts -connect cms.netwitness.com:443

      2. Then extract content and save the intermediate and root CA into two files.
Note: certificate is the copy of the section:


      3. Make a copy of current cacerts.
#cp /etc/pki/java/cacerts /var/tmp

      4. Imported these certificates into SA' cacerts
#keytool -import -alias int-ca -file <intermediatefile> -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit
#keytool -import -alias ca -file <rootcafile> -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit


      5. Restarted the jettysrv

#stop jettysrv
#start jettysrv

      6. Test LIVE connection again and confirm that it works.