When launching Discovery from Helix Portal, the error "This system is having technical difficulties with this page" is reported. The error cannot be reproduced when logging in with a local user in the Discovery UI (https://<Discovery Appliance>/ui/LocalLogin/).
Root cause 1: Missing or incorrect "trusted CA" certificate in Discovery UI, Administration > Single Sign On
To confirm: if the errors below are found in the Discovery logs, the root cause is confirmed.
tw_appserver.log:
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='<RSSO FQDN>', port=443): Max retries exceeded with url: /ims/api/v1/auth/rsso/tokens (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
or
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='RSSO server url', port=443): Max retries exceeded with url: /ims/api/v1/auth/rsso/tokens (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1002)')))
or tw_svc_security.log:
ims.imswrapper: INFO: Decoded JWT type: ACCESS_TOKEN
security.jwtauth: ERROR: Failed to connect to IMS: HTTPSConnectionPool(host='<RSSO FQDN>', port=443): Max retries exceeded with url: /ims/api/v1/auth/.well-known/jwks_uri/4f39d48a-190e-4543-a230-1130735fced1 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
Solution: Locate the file custom_cacert.pem described in the documentation extract below.
Extract:
1. Copy the self-signed or custom CA certificate (full chain) into the commons/certs/ directory.
Ensure that the file name of the certificate is custom_cacert.pem. It is used with the deployment-manager.sh install script.
Use this documentation to upload the file above as the trusted CA certificate.
Extract:
4. On the Web Authentication: Helix SSO page, scroll down to the Trusted CA section.
5. Click Choose file, upload the CA certificate, and then click Update CA Bundle.
Additional steps: Click OK when warned about unpinning the current certificate, then click Pin Certificate.
Root cause 2: An ingress class "nginx" was added to a minion ingress but its IP address is missing.
To confirm:
In Discovery, enable the Discovery UI debug logs and reproduce the issue. If the error below is logged in tw_appserver.log, this root cause is likely. The HTTP 401 status below means "Unauthorized".
urllib3.connectionpool: DEBUG: https://ipaddress:443 "POST /ims/api/v1/auth/rsso/tokens HTTP/1.1" 401
If there are no matching traces in the IMS logs, the root cause is confirmed: IMS is not receiving the REST API calls sent by Discovery.
Solution: Add the missing IP address to the minion ingress.
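As an added triage helper (not part of this article or of the Discovery product), the following Python script matches the tw_appserver.log / tw_svc_security.log signatures quoted above and maps each to its root cause and the corrective action. The host names and IP address in SAMPLE_LOG are constructed placeholders.

```python
import re
from typing import Optional

# Signatures taken from the log excerpts in this article: an OpenSSL chain
# verification failure (root cause 1) and a 401 from the IMS token endpoint
# that never reaches IMS (root cause 2).
_CERT_VERIFY = re.compile(
    r"host='(?P<host>[^']+)'.*?CERTIFICATE_VERIFY_FAILED\] certificate verify failed: "
    r"(?P<reason>[^(]+?) \(_ssl\.c:\d+\)"
)
_IMS_TOKENS_401 = re.compile(r'"POST /ims/api/v1/auth/rsso/tokens HTTP/1\.1" 401')

# Constructed sample lines built from the article's excerpts with placeholder hosts.
SAMPLE_LOG = """\
ims.imswrapper: INFO: Decoded JWT type: ACCESS_TOKEN
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='rsso.example.invalid', port=443): Max retries exceeded with url: /ims/api/v1/auth/rsso/tokens (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
urllib3.connectionpool: DEBUG: https://10.0.0.5:443 "POST /ims/api/v1/auth/rsso/tokens HTTP/1.1" 401
"""

def classify_line(line: str) -> Optional[dict]:
    """Map one log line to the article's root cause, or None if it matches neither."""
    m = _CERT_VERIFY.search(line)
    if m:
        return {
            "root_cause": 1,
            "host": m.group("host"),
            "reason": m.group("reason").strip(),
            "action": "upload the CA bundle under Administration > Single Sign On > Trusted CA",
        }
    if _IMS_TOKENS_401.search(line):
        return {
            "root_cause": 2,
            "reason": "HTTP 401 from the IMS token endpoint",
            "action": "check the minion ingress IP address; confirm IMS logs show no matching request",
        }
    return None

def triage(log_text: str) -> dict:
    """Return the first finding for each root cause, keyed by root-cause number."""
    findings: dict = {}
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit and hit["root_cause"] not in findings:
            findings[hit["root_cause"]] = hit
    return findings

if __name__ == "__main__":
    for number, finding in sorted(triage(SAMPLE_LOG).items()):
        print(f"Root cause {number}: {finding['reason']} -> {finding['action']}")
```

Run it against a copy of the appliance logs to get the root cause and next step without reading the full trace.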