Article Content
Article Number | 000033479 |
Applies To | RSA Product Set: Security Analytics RSA Product/Service Type: SA Core Appliance RSA Version/Condition: 10.5.x, 10.6.x Platform: CentOS O/S Version: 6 |
Issue | SA Server cannot connect to cms.netwitness.com over port 443. When clicking "Test Connection" in Live Account, the user gets "Test connection failed" error as below:![]() Live account credentials are verified via https://cms.netwitness.com, and cms.netwitness.com is also resolved to correct IP. Using curl command to test connection to cms.netwitness.com, curl error code 60 is thrown out - Peer certificate cannot be authenticated with known CA certificate. Below is sample curl command output: # curl -v https://<useraccount>:<password>@cms.netwitness.com:443 The curl command performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). It is possible to turn off curl's verification of the certificate, using the -k (or --insecure) option. |
Tasks | Customer certificate is used for SA and needs to be imported to /etc/pki/java/caerts for the connection to work. |
Resolution | 1. Connect to the SA Server via ssh and export the certificates using the openssl command: #openssl s_client -showcerts -connect cms.netwitness.com:443 2. Then extract content and save the intermediate and root CA into two files. Note: certificate is the copy of the section: -----BEGIN CERTIFICATE----- 3. Make a copy of current cacerts. #cp /etc/pki/java/cacerts /var/tmp 4. Imported these certificates into SA' cacerts #keytool -import -alias int-ca -file <intermediatefile> -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit #keytool -import -alias ca -file <rootcafile> -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit 5. Restarted the jettysrv #stop jettysrv #start jettysrv 6. Test LIVE connection again and confirm that it works. |