zshupp

Issues adding new ras servers to a central cluster upgraded from 10.22 (w/FIPS) to 10.51(w/FIPS)

Evening Everyone,

I could use some help. I'm seeing some very strange issues after upgrading one of our site clusters from 10.22 to 10.51. I was able to add other OO servers with no issues, but when I try to add new RAS servers that weren't in the cluster before, I'm getting the errors below. I have tried with authentication on and off and get similar errors.

Is there an issue I should be aware of for upgrading 10.22? Has anyone seen these issues before?

Errors with Authentication Turned on

Central Server.log
2016-08-15 20:04:28,803 [http-nio-8443-exec-2] (LdapAuthenticationProviderServiceImpl.java:182) ERROR - Couldn't authenticate with LDAP due to unknown reason.

RAS Install.log
2016-08-15 19:49:29,919 [WARN ] unable to connect: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2016-08-15 19:44:01,604 [INFO ] http connection test result: TestResult{httpStatus=401, message='Unauthorized'}

Error with Authentication turned off
2016-08-15 20:33:35,873 [ERROR] unable to connect to the Central org.springframework.web.client.ResourceAccessException: I/O error on HEAD request for "https://<ServerName>:8444/oo":sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

When I had authentication turned on, I tried adding the central cert and that's when my error would change from a PKIX issue to unauthorized. I'm able to log into the central server I'm trying to connect to using the same credentials. We have SSL on, but we added port 8444 with clientauth turned off so it's just used for username and password.
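
The log excerpts in this post mix failures from different layers. The following Python script is an added example, not part of the original post or of the product: it sorts such lines by layer, which shows why an error that moves from PKIX to 401 after the Central certificate is imported means the trust failure is gone and an authentication failure remains. The rule names and the wording in `MEANING` are assumptions of this example.

```python
import re

# Ordered from the lowest layer up: a failure at one layer hides the layers above it.
RULES = [
    ("tls-trust", re.compile(r"PKIX path building failed|SSLHandshakeException")),
    ("http-auth", re.compile(r"httpStatus=401")),
    ("ldap-auth", re.compile(r"Couldn't authenticate with LDAP")),
]
# What each layer means for the operator (generic TLS/HTTP reasoning, not product documentation).
MEANING = {
    "tls-trust": "client could not build a chain from the server certificate to a trusted CA",
    "http-auth": "TLS handshake succeeded; the server rejected the supplied credentials",
    "ldap-auth": "server-side LDAP authentication failed",
}
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}")
URL = re.compile(r'"(https://[^"]+)"')

def triage(lines):
    """Return (timestamp, layer, endpoint or None) for every line that matches a rule."""
    findings = []
    for line in lines:
        ts, url = TS.match(line), URL.search(line)
        for layer, pattern in RULES:
            if pattern.search(line):
                findings.append((ts.group(1) if ts else None, layer,
                                 url.group(1) if url else None))
                break  # one finding per line: the lowest matching layer
    return findings

# Log lines copied from the post (wrapped lines joined, last entry cut after the first exception).
SAMPLE = [
    "2016-08-15 20:04:28,803 [http-nio-8443-exec-2] (LdapAuthenticationProviderServiceImpl.java:182) "
    "ERROR - Couldn't authenticate with LDAP due to unknown reason.",
    "2016-08-15 19:49:29,919 [WARN ] unable to connect: sun.security.validator.ValidatorException: "
    "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: "
    "unable to find valid certification path to requested target",
    "2016-08-15 19:44:01,604 [INFO ] http connection test result: "
    "TestResult{httpStatus=401, message='Unauthorized'}",
    "2016-08-15 20:33:35,873 [ERROR] unable to connect to the Central "
    "org.springframework.web.client.ResourceAccessException: I/O error on HEAD request for "
    '"https://<ServerName>:8444/oo":sun.security.validator.ValidatorException: '
    "PKIX path building failed",
]

if __name__ == "__main__":
    for ts, layer, url in sorted(triage(SAMPLE), key=lambda f: f[0] or ""):
        print(ts, layer, url or "-", "->", MEANING[layer])
```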

Micro Focus Expert

Re: Issues adding new ras servers to a central cluster upgraded from 10.22 (w/FIPS) to 10.51(w/FIPS)

Hi,

For the new RAS server, are you able to proceed with the install, or will it not let you pass the configuration screen?

If you are able to proceed with the install, don't fret about the failure to connect and register. Install the RAS as normal, perform the FIPS configuration on it and then restart the RAS. For OO central nodes you get no problems since you are already using the database.properties, encryption.properties and encryption_repository, which are FIPS compliant, and the rest of the job is only to make sure that the central node knows how to use them. For RAS, however, it will initially fail, and after the FIPS configuration is applied it should work.

Regards,

Vlad

zshupp

Re: Issues adding new ras servers to a central cluster upgraded from 10.22 (w/FIPS) to 10.51(w/FIPS)

So without authentication it does go through, and it fails at registering the new RAS server. I didn't go through the FIPS part there; I can go back and see if that corrects the issues. One problem I have is we brought up a new cluster that is 10.51 and I was able to add new RAS servers with no issues. I'm only having issues with the cluster that we upgraded from 10.22. Also, after I wrote this I noticed the central clusters are having issues authenticating local user accounts. They will authenticate AD accounts.
