
(UCMDB Support Tip) - TLS connection issues between probe and server: how to start

Nowadays, all communication between a UCMDB probe and its server should be done over TLS, for obvious security reasons. But how do you start troubleshooting when such a TLS connection fails?

1) Answer the following questions:

1.1) Is my UCMDB server running in FIPS mode or not?
1.2) When establishing the TLS connection, is client authentication required as well (mutual TLS), or just server authentication?
1.3) Are the certificates I use self-signed, or issued by a Certificate Authority (CA)?
1.4) Is the connection between the probe and the server direct, or does it go through a proxy or a load balancer (which may terminate TLS and present its own certificate)?

Once those questions are answered, one can change some log settings and collect extra information.

2) Using the keytool utility that comes with Java, list the content of the probe truststore and keystore, which are located under the hp\UCMDB\DataFlowProbe\conf\security folder on the probe side, and under hp\UCMDB\UCMDBServer\conf\security on the server side. keytool prompts for the store password (or it can be passed with -storepass):

keytool -v -list -keystore <keystorename>

Example: keytool -v -list -keystore HPProbeTruststore.jks

Check in the output that the entries you expect are present (the server certificate or its issuing CA in the probe truststore, the probe's own key entry in the probe keystore), and that none of them has expired (Valid from ... until ...).

3) Enable JSSE (Java SSL/TLS) debug output on the probe side:

3.1) edit the hp\UCMDB\DataFlowProbe\bin\WrapperGateway.conf file
3.2) add the line:

wrapper.java.additional.<nb>=-Djavax.net.debug=ssl

Example: wrapper.java.additional.41=-Djavax.net.debug=ssl (use a number that is not already used by another wrapper.java.additional.<nb> line in the file)

3.3) save and restart the probe.

If client authentication is required, similar steps have to be performed on the server side, because the server is then the side that validates the probe certificate:

3.4) edit the hp\UCMDB\UCMDBServer\bin\wrapper.conf file
3.5) add the line:

wrapper.java.additional.<nb>=-Djavax.net.debug=ssl

Example: wrapper.java.additional.71=-Djavax.net.debug=ssl (again, an unused number)
3.6) restart the UCMDB server
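The "use a number that is not already used" step is easy to get wrong by hand when wrapper.conf already holds dozens of wrapper.java.additional.<nb> lines, and the debug flag has to be removed again once troubleshooting is done. The following helper is an added example, not part of this support tip or of the UCMDB product: it picks the next free index, refuses to add the same option twice, keeps the new line with the existing wrapper.java.additional block, and can remove it again. The sample configuration at the bottom is constructed for the demonstration; the file names and paths in the comments are the ones quoted in this tip.

```python
"""Add or remove a wrapper.java.additional.<nb> option in a Java Service Wrapper
configuration file such as WrapperGateway.conf (probe) or wrapper.conf (server).

Added example; not part of the UCMDB product or of the original support tip.
"""
import re
import sys

# Matches an active (not commented-out) option line and captures its index and value.
# Lines such as 'wrapper.java.additional.40.stripquotes=TRUE' do not match because
# a '.' follows the digits instead of '='.
ADDITIONAL_RE = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")
PREFIX = "wrapper.java.additional."

SSL_DEBUG = "-Djavax.net.debug=ssl"


def add_java_additional(conf_text, option):
    """Return (new_text, index_used).

    index_used is None when the option is already present, in which case the
    text is returned unchanged (safe to run twice).
    """
    lines = conf_text.splitlines()
    max_idx = 0
    last_block_line = None
    for i, line in enumerate(lines):
        if line.lstrip().startswith(PREFIX):
            last_block_line = i  # keep new lines together with the existing block
        m = ADDITIONAL_RE.match(line)
        if not m:
            continue
        if m.group(2) == option:
            return conf_text, None
        max_idx = max(max_idx, int(m.group(1)))
    new_idx = max_idx + 1
    new_line = "%s%d=%s" % (PREFIX, new_idx, option)
    insert_at = len(lines) if last_block_line is None else last_block_line + 1
    lines.insert(insert_at, new_line)
    return "\n".join(lines) + "\n", new_idx


def remove_java_additional(conf_text, option):
    """Return (new_text, removed_count): drop every active line carrying option."""
    kept = []
    removed = 0
    for line in conf_text.splitlines():
        m = ADDITIONAL_RE.match(line)
        if m and m.group(2) == option:
            removed += 1
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample resembling a wrapper configuration; not a real UCMDB file.
SAMPLE_CONF = """\
wrapper.java.command=..\\bin\\jre\\bin\\java
wrapper.java.additional.1=-Dfile.encoding=UTF-8
wrapper.java.additional.2=-Xss1024k
#wrapper.java.additional.3=-Dsome.disabled.option=true
wrapper.java.additional.40=-Dcom.sun.management.jmxremote
wrapper.java.additional.40.stripquotes=TRUE
wrapper.logfile=../runtime/log/wrapperGateway.log
"""


def main(argv):
    # Usage: python wrapper_debug.py <path-to-conf> [--remove]
    # Edits the file in place; restart the probe/server afterwards.
    if len(argv) < 2:
        text, idx = add_java_additional(SAMPLE_CONF, SSL_DEBUG)
        print("demo: would add index %s\n%s" % (idx, text))
        return 0
    path, remove = argv[1], "--remove" in argv[2:]
    with open(path, "r") as fh:
        text = fh.read()
    if remove:
        text, n = remove_java_additional(text, SSL_DEBUG)
        print("removed %d line(s) from %s" % (n, path))
    else:
        text, idx = add_java_additional(text, SSL_DEBUG)
        print("already present" if idx is None else "added as index %d" % idx)
    with open(path, "w") as fh:
        fh.write(text)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it against the constructed sample yields wrapper.java.additional.41=-Djavax.net.debug=ssl placed right after the .40 lines; a second run reports that the option is already present, and --remove takes the line out again so the (very verbose) debug output does not stay enabled in production.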


In the probe wrapperGateway.log file (and in the server wrapper.log, if the setting was also applied on the server side), one will then see debug information about the SSL/TLS protocol.

One will be able to see which trusted certificates were loaded from the truststore, which keystore and truststore files were actually used, and what happens during the different phases of the handshake (ClientHello, ServerHello, the certificate chain presented by the peer, whether a client certificate was requested, and the exception or fatal alert that ended the handshake). Often this additional debug information is clear enough to give a good idea of the nature of the problem, and to solve it. Note that -Djavax.net.debug=ssl is very verbose and also dumps application data; -Djavax.net.debug=ssl:handshake limits the output to the handshake, and in either case the option should be removed once troubleshooting is over.
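Reading through the JSSE debug output by hand is tedious, so here is an added example (not part of this support tip or of the UCMDB product) of a small triage script that scans a wrapperGateway.log or wrapper.log for the markers that matter: the truststore and keystore paths, the trusted certificates loaded, the handshake phases reached, whether the peer asked for a client certificate, and the usual failure signatures. The marker strings are those printed by the classic JSSE debug logger of Java 7/8; that this is the JVM the probe and server run on is an assumption. The sample log excerpt at the bottom is constructed for the demonstration.

```python
"""Triage helper for -Djavax.net.debug=ssl output (classic Java 7/8 JSSE format).

Added example; not part of the UCMDB product or of the original support tip.
Usage: python tls_triage.py <wrapperGateway.log>   (no argument: runs on the sample)
"""
import re
import sys

# Handshake phases in the order the classic JSSE logger prints them.
HANDSHAKE_STEPS = ("*** ClientHello", "*** ServerHello", "*** Certificate chain",
                   "*** CertificateRequest", "*** ServerHelloDone",
                   "*** ClientKeyExchange", "*** CertificateVerify", "*** Finished")

# Failure signatures (assumed JSSE/sun.security wording) mapped to a short code.
FAILURE_PATTERNS = (
    ("untrusted_peer_cert", re.compile(r"PKIX path building failed|unable to find valid certification path")),
    ("hostname_mismatch", re.compile(r"No subject alternative|No name matching")),
    ("expired_cert", re.compile(r"CertificateExpiredException")),
    ("no_common_cipher", re.compile(r"no cipher suites in common")),
    ("peer_sent_fatal_alert", re.compile(r"Received fatal alert: (\w+)")),
)


def triage(lines):
    """Walk the log lines once and collect the facts a troubleshooter needs."""
    result = {"trust_store": None, "key_store": None, "trusted_subjects": [],
              "peer_chain_subjects": [], "steps_seen": [], "client_auth_requested": False,
              "failures": []}
    mode = None  # 'trusted' or 'chain': which block the next 'Subject:' line belongs to
    for raw in lines:
        line = raw.strip()
        if line.startswith("trustStore is:"):
            result["trust_store"] = line.split(":", 1)[1].strip()
        elif line.startswith("keyStore is:"):
            result["key_store"] = line.split(":", 1)[1].strip()
        elif line == "adding as trusted cert:":
            mode = "trusted"
        elif line.startswith("Subject:") and mode:
            key = "trusted_subjects" if mode == "trusted" else "peer_chain_subjects"
            result[key].append(line[len("Subject:"):].strip())
            if mode == "trusted":
                mode = None  # one Subject per 'adding as trusted cert:' block
        if line.startswith("***"):
            mode = "chain" if line.startswith("*** Certificate chain") else None
            for step in HANDSHAKE_STEPS:
                if line.startswith(step) and step not in result["steps_seen"]:
                    result["steps_seen"].append(step)
        for code, pattern in FAILURE_PATTERNS:
            m = pattern.search(line)
            if m:
                tag = code + (":" + m.group(1) if m.groups() else "")
                if tag not in result["failures"]:
                    result["failures"].append(tag)
    result["client_auth_requested"] = "*** CertificateRequest" in result["steps_seen"]
    return result


def diagnose(result):
    """Turn the collected facts into plain-language hints (heuristics, not proof)."""
    hints = []
    steps, failures = result["steps_seen"], result["failures"]
    if any(f.startswith("untrusted_peer_cert") for f in failures):
        hints.append("peer chain %s is not anchored in truststore %s; import the issuing CA "
                     "(or the self-signed cert) into that truststore"
                     % (result["peer_chain_subjects"], result["trust_store"]))
    if result["client_auth_requested"] and "*** CertificateVerify" not in steps:
        hints.append("server requested a client certificate but none was proven (no "
                     "CertificateVerify): check that keystore %s holds a key entry issued by a "
                     "CA the server trusts" % result["key_store"])
    if any(f.startswith("hostname_mismatch") for f in failures):
        hints.append("server certificate does not match the host name the probe connects to "
                     "(typical behind a proxy or load balancer)")
    if any(f.startswith("expired_cert") for f in failures):
        hints.append("a certificate in the chain has expired; compare with keytool -v -list output")
    if any(f.startswith("no_common_cipher") for f in failures):
        hints.append("no common cipher suite; compare FIPS mode and enabled suites on both sides")
    if not hints:
        last = steps[-1] if steps else "no handshake message"
        hints.append("no known failure signature; handshake reached %s, failures: %s"
                     % (last, failures or "none"))
    return hints


# Constructed sample: a probe that does not trust the server's CA-issued certificate.
SAMPLE_PROBE_LOG = r"""
trustStore is: C:\hp\UCMDB\DataFlowProbe\conf\security\HPProbeTruststore.jks
trustStore type is : jks
adding as trusted cert:
  Subject: CN=hpcert, OU=UCMDB, O=Example
  Issuer:  CN=hpcert, OU=UCMDB, O=Example
keyStore is: C:\hp\UCMDB\DataFlowProbe\conf\security\HPProbeKeyStore.jks
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
*** Certificate chain
chain [0] = [
  Subject: CN=ucmdb-server.example.local, O=Example
  Issuer:  CN=Example Issuing CA, O=Example
]
***
*** CertificateRequest
Cert Authorities:
<CN=Example Issuing CA, O=Example>
*** ServerHelloDone
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROBE_LOG
    facts = triage(src.splitlines())
    for k, v in facts.items():
        print("%-22s %s" % (k, v))
    for h in diagnose(facts):
        print("HINT:", h)
```

On the constructed excerpt the script reports that the only trusted entry is the self-signed hpcert, that the server presented a chain issued by "Example Issuing CA", that a client certificate was requested, and that the handshake died with a PKIX path error; the hint therefore points at importing the issuing CA into HPProbeTruststore.jks, which is exactly what question 1.3 above is meant to surface. Collecting this output along with the keytool listings is also a compact way to hand the case to support.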

And if not, you can simply open a support incident. Providing all of that information right away (answers to the questions above, the keytool outputs, and the probe wrapper log, plus the server wrapper log where appropriate, with SSL debug enabled) should help expedite the resolution.
