(UCMDB Support Tip) - TLS connection issues between probe and server: how to start
Nowadays, all communication between a UCMDB probe and its server should be done over TLS, for obvious security reasons. But where does one start troubleshooting when such a TLS connection fails?
1) Answer the following questions:
1.1) Is my UCMDB server running in FIPS mode or not?
1.2) When establishing the TLS connection, is client authentication required as well, or only server authentication?
1.3) Are the certificates I use self-signed or issued by a Certification Authority?
1.4) Is the connection between the probe and the server direct, or does it go through a proxy or a load balancer?
Once those questions are answered, one can change some log settings and look for extra information.
2) Using the keytool utility that comes with Java, list the contents of the probe truststore and keystore, located under the hp\UCMDB\DataFlowProbe\conf\security folder on the probe side and under hp\UCMDB\UCMDBServer\conf\security on the server side:
keytool -v -list -keystore <keystorename>
Example: keytool -v -list -keystore HPProbeTruststore.jks
3) Set the Java SSL log level to debug on the probe side:
3.1) Edit the hp\UCMDB\DataFlowProbe\bin\WrapperGateway.conf file
3.2) Add the line:
Example: wrapper.java.additional.41=-Djavax.net.debug=ssl (use a number not already in use)
3.3) Save and restart the probe.
If client authentication is required, similar steps have to be performed on the server side:
3.4) Edit the hp\UCMDB\UCMDBServer\bin\wrapper.conf file
3.5) Add the same -Djavax.net.debug=ssl line (again with a wrapper.java.additional number not already in use)
3.6) Restart the UCMDB server.
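The following shell script is added here as an example; it is not part of the UCMDB product or of this tip. It automates steps 2 and 3.2: it picks the next unused wrapper.java.additional index in a wrapper conf file, appends the -Djavax.net.debug=ssl line only if SSL debug is not already enabled, and wraps the keytool listing. The conf file and keystore paths are assumed to be passed in by the caller.

```shell
#!/bin/sh
# Added example (not UCMDB's own tooling). Enables Java SSL debug output in a
# Tanuki-style wrapper conf (WrapperGateway.conf on the probe, wrapper.conf on
# the server) without reusing an existing wrapper.java.additional.<N> index.

# Print the next free wrapper.java.additional.<N> index (1 if none is present).
# max+1 keeps the sequence contiguous: the Java Service Wrapper stops reading a
# property sequence at the first gap unless wrapper.ignore_sequence_gaps=TRUE.
# Commented-out lines (leading '#') are not counted as used.
next_wrapper_index() {
    conf="$1"
    max=$(sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$conf" \
          | sort -n | tail -1)
    if [ -z "$max" ]; then echo 1; else echo $((max + 1)); fi
}

# Append -Djavax.net.debug=ssl under a free index and print that index.
# Prints "already enabled" and changes nothing if any javax.net.debug is set,
# so running the script twice cannot produce a duplicate property.
add_ssl_debug() {
    conf="$1"
    if grep -q 'javax\.net\.debug=' "$conf"; then
        echo "already enabled"
        return 0
    fi
    # Windows-edited conf files (CRLF) are fine; only a missing final newline
    # would glue our line onto the previous one, so add one in that case.
    if [ -s "$conf" ] && ! tail -c1 "$conf" | read -r _; then
        echo >> "$conf"
    fi
    n=$(next_wrapper_index "$conf")
    printf 'wrapper.java.additional.%s=-Djavax.net.debug=ssl\n' "$n" >> "$conf"
    echo "$n"
}

# Step 2: dump a truststore/keystore (keytool prompts for the store password).
list_store() {
    keytool -v -list -keystore "$1"
}
```

After adding the line, the probe (or server) still has to be restarted for the wrapper to pick up the new JVM argument.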
In the probe wrapperGateway.log file (and in the server wrapper.log, if debug was enabled on the server side as well), one will then see debug information relative to the SSL/TLS protocol.
One will be able to see which trusted certificates are loaded, as well as what happens during the different phases of the secure connection setup. Often the additional debug information is clear enough to give a good idea of the nature of the problem, and to solve it.
And if not, one can simply open a support incident. Providing all that information right away (answers to the questions above, keytool outputs, and the probe wrapper log, plus the server wrapper log if appropriate, with SSL debug enabled) should help expedite the resolution.