Respected Contributor.

SM-UCMDB SSL Integration Issue

Hi Experts,

I'm trying to integrate SM 9.31 with UCMDB 10.01 using SSL, but I'm getting an error as per the attachment log.

I have done the following configuration:

Adapter: service manager 9.x

Host name: Server name

Port: 13443

Url override: https://servername:13443/SC62server/ws

Credential: username and password created in UCMDB, same as falcon

The certificates are distributed in the following locations:

SM server:

Adding the UCMDB certificate (.cer) and SM certificate (.cer) signed by CA to trustedclients.jks

Probe server:

Adding the UCMDB certificate (.cer) and SM certificate (.cer) signed by CA to HPProbetruststore.jks

UCMDB server:

Adding the SM certificate (.cer) signed by CA to Server.truststore

Kindly advise.

Thanks and Regards

Hani

0 Likes
Respected Contributor.

Hi Efsy,

Actually I'm using only the server certificate signed by CA for all, because nowhere in the documents is it mentioned that you also have to use the client certificate for integration.

In your case keep the UCMDB probe configuration as it is. But for SM and UCMDB Server add the UCMDB probe server certificate instead of the client one.

Please try it and keep me posted.

Thanks and Regards

Hani

0 Likes
Absent Member.

I got mine to work.

My fix was to copy a cacerts file which contained the SM Server certificate into the Data Flow Probe's JRE security store (<Probe Install Directory>/bin/jre/lib/security/conf/cacerts). I used the one generated by the SM certificate batch jobs.

I decided to use client certificates for the data flow probe because the integration had to access the SM application server directly, in the same way that the web tier and Windows client do. I treated the Probe as another client that needed to be verified by SM and distributed certificates per the SM SSL guides (each client received a copy of the cacerts containing the server certificate and a keystore that included the SM client certificate).

I also imported all of the SM certificates into the probe trust store for good measure, though in a client environment I was able to achieve the same results by just replacing the probe cacerts file.

So my resulting setup:

SM:

SM Client certificates in the trustedclients.keystore - as per the SSL setup

UCMDB Probe Client certificates in trustedclients.keystore - effect unknown

Probe:

SM Client & Server certificates in hpprobetruststore.jks - resulted in bad certificate/invalid signature errors, but it was connecting

UCMDB Server certificates in hpprobetruststore.jks - mutual SSL with UCMDB

SM Client certificate in client.keystore - no noticeable effect

CACerts with SM Server Certificates in /bin/jre/lib/security/ - managed to connect and integrate

UCMDB:

Probe Client Certificate - mutual SSL with Probe

I have yet to try the API actual state integration between UCMDB and SM, but this worked for me.

Respected Contributor.

Hi Efsy,

I'm glad to hear that your problem has been solved.

I think your setup should be applied exactly the same to my environment but nowadays I'm too busy with other projects.

I think we can mark your result as the accepted solution but first let me test it.

Thanks for sharing your result with me.

Regards

Hani

0 Likes
Absent Member.

To be specific, import the mycacert.pem generated by the SM server certificate batch file into the cacerts of the JRE in the Data Flow Probe responsible for the integration, not the native system cacerts found in the java keystore. The goal is to insert the root certificate used by SSL into the DFP's jre. In your case, try placing your signed CA certificate there first before inserting the other certificates into the keystores.

I suspect that this may be the only thing you need to do, as I was able to achieve the same result in a client dev environment by just placing a modified cacerts file (that contained their own verified certs) into a data probe's JRE. Please let me know how this method works.

Good luck

0 Likes
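
One way to carry out the import described in the post above with the JDK's `keytool`, importing only the root certificate instead of swapping the whole cacerts file. This is an added example, not code from the thread or from the vendor's guides. The alias `sm-root-ca`, the store password `changeit` (the stock Java default, which the probe's store may not use) and the `KEYTOOL` variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example: import the SM root CA (mycacert.pem) into the trust store
# of the Data Flow Probe's JRE. Alias and password defaults are assumptions.
KEYTOOL="${KEYTOOL:-keytool}"   # preferably the keytool shipped with the probe's JRE

import_sm_root() {
  local ca_pem="$1" cacerts="$2" alias="${3:-sm-root-ca}" pass="${4:-changeit}"

  [ -r "$ca_pem" ]  || { echo "CA file not readable: $ca_pem" >&2; return 2; }
  [ -w "$cacerts" ] || { echo "trust store not writable: $cacerts" >&2; return 3; }
  command -v "$KEYTOOL" >/dev/null 2>&1 || { echo "keytool not found" >&2; return 4; }

  # Print subject, issuer and fingerprints so they can be compared with the
  # certificate on the SM server before it becomes a trust anchor.
  "$KEYTOOL" -printcert -file "$ca_pem" || return 5

  # Already present under this alias: leave the store untouched.
  if "$KEYTOOL" -list -keystore "$cacerts" -storepass "$pass" \
       -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already present in $cacerts"
    return 0
  fi

  # Keep a timestamped copy so the change can be rolled back.
  cp -p "$cacerts" "$cacerts.bak.$(date +%Y%m%d%H%M%S)" || return 6

  "$KEYTOOL" -importcert -trustcacerts -noprompt -alias "$alias" \
    -file "$ca_pem" -keystore "$cacerts" -storepass "$pass" || return 7

  # Confirm the new entry is listed as a trustedCertEntry.
  "$KEYTOOL" -list -keystore "$cacerts" -storepass "$pass" -alias "$alias"
}

# Usage (both paths are placeholders):
#   import_sm_root mycacert.pem "<path to the probe JRE cacerts>"
```

A JVM reads its trust store at startup, so the probe has to be restarted before the new entry is used.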
Micro Focus Expert

Where is the trustedclients.keystore file kept on the SM server? The online doc says it is in the Java SDK directory, but I don't find an SDK, only a JRE.

0 Likes
Acclaimed Contributor.


In our case, the trustedclients.keystore is within the RUN directory.

0 Likes