IFS Apps 10 on prem - Certificate verification failed

  • 12 November 2022

Hello IFS Community,

After an IFS delivery our http server node can't be started due to:

D:\ifs\INSTANCENAME\wls_domain\INSTANCENAME\servers\HttpServer1\logs\HttpServer1.log

[2022-11-12T20:44:29.6552+01:00] [OHS] [ERROR:32] [OH99999] [ossl] [host_id: mws-server-name] [host_addr: ip-address] [pid: 12140] [tid: 1096] [user: IFS-Service] [VirtualHost: mws-server-name:48081] OHS:2057 Init: (mws-server-name:48081) Unable to initialize SSL environment, nzos call nzosSetCredential returned 28791
[2022-11-12T20:44:29.6552+01:00] [OHS] [ERROR:32] [OH99999] [ossl] [host_id: mws-server-name] [host_addr: 10.110.0.72] [pid: 12140] [tid: 1096] [user: IFS-Service] [VirtualHost: mws-server-name:48081] OHS:2171 NZ Library Error: Unknown error

We tried to perform a MWS reconfigure in order to re-import the valid SSL certificate, but we’re getting:

 

There are a few similar issues in the knowledge db, but none applies 100 % to our situation:

 

Question: What is the trust anchor in this context?

Is it the java cacert storage?

If yes, which one:

D:\ifs\INSTANCENAME\java\jre\lib\security
D:\ifs\INSTANCENAME\instance\INSTANCENAME\security
D:\ifs\INSTANCENAME\instance\INSTANCENAME\security\ohs

etc.

….

We’ve imported the certificate chain e.g. into D:\ifs\extINSTANCENAME\java\jre\lib\security\cacerts, but it didn’t change the situation.


5 replies

Hi @cgo ,

if the installer is still complaining about the trust anchor even when you use the PKCS12 certificate with full path chain, it’s quite likely that the VM you are running on is not able to validate the Root CA or the intermediate CA in the path chain for some reason (maybe one of those expired?). You will be able to rule out obvious issues related to the CA certs by going in the certificates mmc and having a look at the certificate status for those.

Cheers

Hi Sajith,

In MMC → local machine:

  • Root is in “Trusted Root Certification Authorities”.
  • ICA in “Intermediate Certification Authorities” (info, the most current ica was missing there for some reason). Last week the http node was running though.
  • Server/Wildcard in “Personal”

Certificates have been re-imported to local machine as local admin & mws rebooted, but so far we’re having the same result.

But from IFS perspective the Trust Anchor = windows certificate storage?

That’s already important info, thank you.

Hi @cgo,

Please refer to the following KBA and create a certificate containing the full chain of trust and see if the issue persists:

Hope this helps!

Hi Charith,

I can’t check the KBA, but the issue has been resolved. The trust anchor is not the windows certmgr, but the cacerts, which will get updated when the certificate is being imported through a mws reconfigure.

The resolution was to have the certificate chain manually created in this form:

 

-----BEGIN CERTIFICATE-----
SERVER Certificate

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
INTERMEDIATE Certificate

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
ROOT Certificate

-----END CERTIFICATE-----

 

After that the private key was added and then converted from CER to PFX.

 

Hi @cgo,

Glad to know the issue is resolved! The KBA is providing the same steps to create a single PFX file by combining all the certificates and the private key using OpenSSL. I will ask the moderators to make the KBA publicly accessible. 
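
The resolution described in this thread (one bundle ordered server, intermediate, root, then the private key added and the result converted to PFX with OpenSSL), as an added example that is not part of the original posts or the KBA. It checks the bundle order and chain validity before exporting; the function names, the demo CNs, the file names and the `PFX_PASS` variable are assumptions made for the example, and the throwaway CA hierarchy is constructed only so the script runs offline.

```shell
# Added example. CNs, file names and PFX_PASS are placeholders, not IFS values.

# Constructed throwaway hierarchy (root -> ica -> server), for the demo only.
make_demo_pki() {  # $1 = empty work directory
  echo 'basicConstraints=critical,CA:TRUE' > "$1/ca.ext"
  for n in root ica server; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/ica.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/ica.pem" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/ica.pem" -CAkey "$1/ica.key" \
    -CAcreateserial -days 2 -out "$1/server.pem" 2>/dev/null
}

# Print the subject or issuer DN ($1) of one PEM certificate file ($2).
dn() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"; }

# Succeed only if bundle $1 is ordered server -> intermediate(s) -> root, the
# last cert is self-issued, and the server cert verifies against that root.
check_chain() {
  d=$(mktemp -d) || return 2
  (
    n=$(awk -v d="$d" '/BEGIN CERT/{n++} n{print > (d "/c" n ".pem")} END{print n+0}' "$1")
    [ "$n" -ge 2 ] || { echo "need server cert plus CA chain" >&2; exit 1; }
    i=1
    while [ "$i" -le "$n" ]; do
      j=$((i + 1)); if [ "$i" -eq "$n" ]; then j=$i; fi  # root issues itself
      [ "$(dn issuer "$d/c$i.pem")" = "$(dn subject "$d/c$j.pem")" ] ||
        { echo "cert $i is not issued by cert $j" >&2; exit 1; }
      i=$((i + 1))
    done
    # Signatures and validity dates, anchored on the bundle's own root.
    openssl verify -CAfile "$d/c$n.pem" -untrusted "$1" "$d/c1.pem" >/dev/null
  )
  rc=$?; rm -rf "$d"; return "$rc"
}

# Build the PFX; the password comes from $PFX_PASS, not the command line.
build_pfx() {  # $1 = bundle, $2 = private key, $3 = output .pfx
  check_chain "$1" || return 1
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout env:PFX_PASS
}

pfx_cert_count() {  # number of certificates stored in PFX $1
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}
```

A bundle that omits the intermediate or lists the certificates in another order is rejected before any PFX is written, and an expired CA certificate fails the final `openssl verify` step.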
