Issues adding new ras servers to a central cluster upgraded from 10.22 (w/FIPS) to 10.51(w/FIPS)

Evening Everyone,

I could use some help. Im seeing some very strange issues after upgrading one of our site clusters from 10.22 to 10.51. I was able to add other oo servers with no issues but when i try to add new ras servers that werent in the cluster before im getting the below errors. I have tried with authentication on and off and get similar errors.

Is there an issue I should be aware of for upgrading 10.22? has anyone seen these issues before?

Errors with Authentication Turned on
Central Server.log
2016-08-15 20:04:28,803 [http-nio-8443-exec-2] ( ERROR - 
Couldn't authenticate with LDAP due to unknown reason. RAS Install.log 2016-08-15 19:49:29,919 [WARN ] unable to connect: PKIX path
building failed: unable to find valid
certification path to requested target 2016-08-15 19:44:01,604 [INFO ] http connection test result: TestResult{httpStatus=401, message='
Unauthorized'} Error with Authentication turned off 2016-08-15 20:33:35,873 [ERROR] unable to connect to the Central org.springframework.web.client.ResourceAccessException: I/O error on HEAD request for
"https://<ServerName>:8444/oo" PKIX path building
failed: unable to find valid
certification path to requested target; nested exception is PKIX path building failed: unable to find valid certification path
to requested target

When I had authentication turned on, I tried adding the central cert and thats when my error would change from a PKIX issues to unauthorized. I'm able to log into the central server im trying to connect to using the same credentials. We have SSL on but we added port 8444 with clientauth turned off so its just used for username and password.


  • Hi,

    For the new RAS server Are you able to proceed with the install or it will not let you pass the configuration screen? 

    If you are able to proceed with the install don't threat about the failure to connect and register.  Install the RAS  as normal, perform the FIPS configuration on it and then restart the RAS. For OO central nodes you get no problems since you are already using the, and encryption_repository which are fips compliant and the rest of the job is only to make sure that the central node knows how to use them. For RAS however it will initially fail and after the fips configuration is applyed it should work.



  • so without authentication it does go through and it fails at registrying the new ras server. I didnt go through the fips part there, i can go back and see if that corrects the issues. One problem i have is we brought up a new cluster that is 10.51 and i was able to add new ras servers with no issues. Im only having issues with the cluster that we upgraded from 10.22, also after i wrote this i noticed the central clusters are having issues authenticating local user accounts. They will authenticate ad accounts.