UCMDB Local Client | Certificate validate failed

Hi all!

Please help identify why the UCMDB Local Client does not start on some workstations.

Log:

2023-11-30 16:50:22,537  ERROR  [AWT-EventQueue-0]  Failed to connect to https:********************/ucmdb-ui/login_page.jspjava.security.cert.CertificateException: Certificate validate failed!

2023-11-30 16:51:02,479  ERROR  [SwingWorker-pool-2-thread-2] Please check environment settings.

java.lang.Exception: Please check environment settings.

  • 0  

    Hi Sergey,

    Did you check if the UCMDB Server certificate expires? You may open the UCMDB Server landing page in a web browser by accessing the URL: https://<UCMDB Server>:<port>/cms. From the web browser tool, view the certificate details, in particular, the Validity dates.

    If the certificate is still valid and you are using an OOTB certificate, please follow the instructions in the documentation to import the certificate to Local Client.

    https://docs.microfocus.com/doc/UCMDB/23.4/LogUcmdbDesktop#(Optional)_Export_and_import_the_OOTB_UCMDB_server_certificate_to_the_UCMDB_Local_Client_tool

    If it still does not work, please provide more details about the version, envs, what configuration changes are made before the error appears, etc.

    Thanks,

    Leslie

  • 0 in reply to   
    Certificate is fresh.

    >Did you check if the UCMDB Server certificate expires

    ver. 2021.05, the application configuration has not changed, the error occurs only on some workstations. (sometimes the error disappears on its own)

    >If it still does not work, please provide more details about the version, envs, what configuration changes are made before the error appears, etc.

    When I go to https:*******************/ucmdb-ui/login_page.jspjava.security.cert.CertificateException in the browser, an internal error occurs, but on my computer Local Client works stably.
  • 0   in reply to 

    Are there multiple UCMDB servers deployed and running in the env? Do all Local Clients connect to the same UCMDB Server? Is there a proxy between some Local Clients and the UCMDB Server? I just wanted to throw out some ideas to try identifying the root cause.

  • Suggested Answer

    0   in reply to   

    From a system where Java is installed, you can check the certificate validity with this command:

    keytool -printcert -sslserver ftc06ucm08.swinfra.net:8443
    Certificate #0
    ====================================
    Owner: CN=Universal CMDB, OU=Configuration Management System, O=Configuration Management System, L=US, ST=US, C=US
    Issuer: CN=Configuration Management System ROOT CA, OU=Configuration Management System, O=Configuration Management System
    Serial number: 184672fff78
    Valid from: Tue Nov 01 09:55:09 CDT 2022 until: Mon Nov 08 08:55:09 CST 2032
    Certificate fingerprints:
    SHA1: 28:C0:73:3E:83:6A:D3:B2:3C:52:59:F2:F9:3B:7F:A2:89:21:FC:0A
    SHA256: FA:C9:11:7C:84:A2:8B:85:45:1A:E3:DF:58:CC:AD:D5:5A:CE:8E:4A:F4:0B:22:87:00:8F:90:6B:D5:50:A4:C8
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    serverAuth
    clientAuth
    ]

    #2: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
    DigitalSignature
    Key_Encipherment
    Key_Agreement
    Key_CertSign
    ]

    #3: ObjectId: 2.5.29.17 Criticality=false
    SubjectAlternativeName [
    DNSName: ftc06ucm08.swinfra.net
    DNSName: ftc06ucm08
    DNSName: localhost
    IPAddress: 16.78.154.82
    IPAddress: 127.0.0.1
    ]


    Certificate #1
    ====================================
    Owner: CN=Configuration Management System ROOT CA, OU=Configuration Management System, O=Configuration Management System
    Issuer: CN=Configuration Management System ROOT CA, OU=Configuration Management System, O=Configuration Management System
    Serial number: 5e8e88be
    Valid from: Wed Apr 08 21:30:22 CDT 2020 until: Mon Apr 08 21:30:22 CDT 2030
    Certificate fingerprints:
    SHA1: DA:C6:A2:48:8F:E3:39:CD:FA:B4:28:10:67:28:12:C3:32:F7:4B:20
    SHA256: AB:61:22:B4:E0:1A:10:EA:F6:64:F9:26:BC:6F:19:6F:BF:15:4F:55:76:B6:51:F4:5F:79:53:76:D7:D2:AB:50
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 0B A6 7F EF 3B 50 74 6A AA D7 A1 4D 8A A3 9B 35 ....;Ptj...M...5
    0010: E8 17 64 58 ..dX
    ]
    [CN=Configuration Management System ROOT CA, OU=Configuration Management System, O=Configuration Management System]
    SerialNumber: [ 5e8e88be]
    ]

    #2: ObjectId: 2.5.29.19 Criticality=true
    BasicConstraints:[
    CA:true
    PathLen:2147483647
    ]

    #3: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    DigitalSignature
    Key_CertSign
    Crl_Sign
    ]

    #4: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 0B A6 7F EF 3B 50 74 6A AA D7 A1 4D 8A A3 9B 35 ....;Ptj...M...5
    0010: E8 17 64 58 ..dX
    ]
    ]

    *IF* the certificate hasn't expired, you can import it into the client's system so it is trusted.  OpenText Documentation Portal (microfocus.com)

    -- Hope this helps!

    Keith Paschal

    UCMDB Worldwide Support Lead
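
An added example, not part of the thread and not OpenText tooling: because the error shows up only on some workstations, the keytool output above can be captured on a working and a failing machine and compared by leaf fingerprint and SAN list against the host name the Local Client uses. The helper names and the second sample are constructed for illustration.

```shell
# Added example (not from the thread). Helpers for comparing the output of
# `keytool -printcert -sslserver host:port` captured on different workstations.

# SHA256 fingerprint of the leaf certificate (Certificate #0) read from stdin.
leaf_sha256() {
  awk '/^[ \t]*Certificate #1/ { exit }
       /^[ \t]*SHA256:/        { print $2; exit }'
}

# DNSName / IPAddress SAN values of the leaf certificate, one per line.
leaf_sans() {
  awk '/^[ \t]*Certificate #1/            { exit }
       /^[ \t]*(DNSName|IPAddress):/ { print $2 }'
}

# Succeeds if name $1 is listed in the leaf SANs (exact match, no wildcards).
host_in_sans() {
  local want
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  leaf_sans | tr 'A-Z' 'a-z' | grep -Fxq -- "$want"
}

# Succeeds if two captured outputs ($1, $2) present the same leaf certificate.
same_leaf() {
  [ "$(printf '%s\n' "$1" | leaf_sha256)" = "$(printf '%s\n' "$2" | leaf_sha256)" ]
}

# Trimmed copy of the keytool output posted above.
GOOD=$(cat <<'EOF'
Certificate #0
SHA256: FA:C9:11:7C:84:A2:8B:85:45:1A:E3:DF:58:CC:AD:D5:5A:CE:8E:4A:F4:0B:22:87:00:8F:90:6B:D5:50:A4:C8
DNSName: ftc06ucm08.swinfra.net
DNSName: ftc06ucm08
IPAddress: 16.78.154.82
Certificate #1
SHA256: AB:61:22:B4:E0:1A:10:EA:F6:64:F9:26:BC:6F:19:6F:BF:15:4F:55:76:B6:51:F4:5F:79:53:76:D7:D2:AB:50
EOF
)

# Constructed sample: what a workstation reaching a different server or a
# TLS-inspecting proxy might capture (fingerprint and name are made up).
OTHER=$(cat <<'EOF'
Certificate #0
SHA256: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
DNSName: proxy.example.invalid
EOF
)
```

On a live system, pipe the command from the answer above into the helpers, for example `keytool -printcert -sslserver host:port | leaf_sha256`, and run it on both a working and a failing workstation.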