• Bad certificate: missing signature: root/intermediate certificate not present, DNS/hosts entries are missing: Please, make sure you have at least hostname, fqdn in the dns entries, if you have an alias you should have aliashostname and aliasfqdn.
• Expired certificate
• When using wildcard certificates confirm it has all the san entries, i.e.
  • My company has the following domains: mycompany.dwp.com, mycompany.dwp.mx, mycompany.dwp.org, alter.mycompany.dwp.com.. dwp.mycompany.alternative.com,
  • Then multiple wildcard have to be declared when issuing a wildcard certificate: *.dwp.com, *.dwp.mx, *.dwp.org, *.mycompany.dwp.com, *.mycompany.alternative.com
• If the  DWP/DWPC Loadbalancer has a cert, make sure to import the same to DWP and DWP C Servers. That will also apply for RSSO, Midtier, SmartIT  loadbalancers.
• Server A cannot resolve dns entries from Server B or/and viceversa: This can be managed vi DNS Server or by adding entries under server's hosts file
• SSL port blocked
• If you have a DWP Catalog Cluster, make sure all the DNS entries are present in the DWPCatalog.jks/Keystore. Best practice would be creating the keystore as follows:

• Loadbalancer redirection issue
• Non root user trying to start a process on port 80/443 which can only be used by root users. Non root users cannot run applications on port 80/443. 
• Several steps from the below documentation were skipped. Make sure that the DWP Catalog .crt file is imported into the DWP Adv keystore, as mentioned here:

• In order to fix the PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target error on  the DWP Advanced - Enhanced Catalog  Section, do the following
  • NOTE: Had one case on which, even though the certs were right, VIP and LB balancer settings were off, and customer was still getting above errors when using DWP Catalog LB URL under DWP Admin Enhanced Catalog section. As a workaround, we had to use DWP C primary server URL instead.
• Get the cert from DWP Catalog by using Firefox

• If you have DWP Advanced Cluster, make sure all the server group nodes have the DWP Catalog Cert. Make sure you do the same on DWP, AR Server, SmartIT and RSSO servers.
• Import the certificate to the cacerts by using below commands

1. openssl x509 -outform der -in catalogcert.pem -out certificate.der
2. keytool -import -alias DWPCatalog -trustcacerts cacerts -file certificate.der

 Note: It can be java cacerts or a custom one

• Restart Applications Tomcat / AR server service
• Clear browser cache
•  Log into the DWP Admin Console.
• Go to the Enhanced Catalog section and update the DWP Catalog url with the right port and protocol.
  • Do the same from the DWP Advanced LB URL and from each node individually to confirm this works.
• Do the same on the AR Server's SB:RemoteApprovalConfiguration and Centralized Configuration com.bmc.itsm.sbe

• Click on Save
• Confirm that you are not getting the error anymore
•  If you get the error proceed with SSL Poke Troubleshooting section below

SSL POKE

• Download SSL poke and run it on DWP Advanced Server. SSL Poke is attached to this KA.

• On a cmd/terminal Windows Run:

• If Firewall allows and you have imported a good cert to DWP Server, you should get a message like "Connection was successful" 
• If it fails, it should give you the reason why this is not working. See below:
• SSL Port is blocked
• Certificate does not exist in the keystore/truststore. Check it exists by running

• Certificate chain/Root-intermediate cert is missing

• Server alias/dns entry for this catalog does not exist in the certificate

• Firwewall/Loabalancer settings need to be revisited
• Certificate is expired. Check validity

            keytool -list -v -alias <alias> -keystore <keystore> -storepass <passwd> alias mydomain | grep "Valid from:"

<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath">/opt/bmc/digitalworkplace/certs/keystore</Set>
    <Set name="KeyManagerPassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="KeyStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="TrustStorePath">/opt/bmc/digitalworkplace/truststore/cacerts</Set>
    <Set name="TrustStorePassword">OBF:1v2j1uum1xtv1zej1zer1xtn1uvk1v1v</Set>
    <Set name="IncludeCipherSuites">

• Jetty-Port: 443
• Jetty-Protocol: HTTPS

           Jetty <DWPCatalogInstallDir>/sb/jetty/work/jersey.0.0.log should show the below entries

           cat jersey.0.0.log | grep -i ssl
 

        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:426)
        at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:320)
        at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:158)

            <DWPCatalogInstallDir>/sb/rxscripts/trace.log will give you details too
 

./sb/rxscripts/trace.log:1:== Info: About to connect() to xxxxxx port 443 (#0)
./sb/rxscripts/trace.log:3:== Info: Connected to xxx (127.0.1.1) port 443 (#0)
./sb/rxscripts/trace.log:8:== Info:     subject: CN=cxxxx
./sb/rxscripts/trace.log:11:== Info:    common name: xxxxx
./sb/rxscripts/trace.log:12:== Info:    issuer: CN=xxxxx
./sb/rxscripts/trace.log:19:00e0: Host: xxxxxx
./sb/rxscripts/trace.log:58:== Info: Added cookie _cacheId="89" for domain xxxx, path /, expire 0

Additional logs can be checked too - for this you will need to add this option jvm.option.24=-Djavax.net.debug=ssl to /apps/dwpc/bin/arserverd.conf - this requires a dwpcontroller restart

• startup_console.log
• armonitor.log

Now, both servers should be able to communicate to each other with no issues.


For user group sync issues not working over SSL,
KA 000133376  DWP Catalog - User Group sync script doesn't work with SSL

For AD  over SSL issues
KA 000164451  DWP Catalog - Configuring AD Connector on DWP Catalog. Includes AD over SSL