Having a bad, corrupt, missing or expired (about to expire) 'bladelogic.keystore' or one that is not synced with all the other Application Server deployments can result in any of the errors listed below.  These can happen during login to the TSSA RCP Console or while using Infrastructure Management.

This Knowledge Article will cover how to create/generate a new certificate and the keystore file (bladelogic.keystore) and how to sync it with all other Application Server deployments.

ERROR EXAMPLES:

• Unable to get application server launcher status. reason: java.lang.securityexception: failed to establish session
• Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
• Caused by: java.security.UnrecoverableKeyException: Password verification failed
• Unable to login to the TSSA Application Server - Error: "Certificate not received Fatal error"
• Your session credential does not contain a usable Application Server URL. Cannot connect to "service:appsvc.bladelogic:blsess://<your appserver hostname or IP>:9841" - java.io.EOFException
• Problems reading or parsing keystore file: <path to keystore>/bladelogic.keystore
• Service rejected session request, please login again
• Unable to read Appserver information from launcher: <hostname>. Check to make sure this role is authorized to access this launcher.
• Please make sure the bladelogic.keystore file is consistent across all servers
• Unable to read information from launcher: <hostname>. Check to make sure that the bladelogic.keystore file is consistent across all application servers and launchers.
• Caused by: java.security.cert.CertPathValidatorException: Could not validate certificate: certificate expired on <timestamp>

To resolve any of the above issues or generate a new self-signed certificate should it be expiring soon, follow the steps below.

1. Stop all Application Server(s), Process Spawner (if used) and PXE (if used) services
NOTE:- Process spawner has been removed since TSSA 23.4

2. Generate a new self-signed certificate ('bladelogic.keystore')

• Make sure to move '<install_dir>\br\deployments\bladelogic.keystore' to a backup folder so it does not exist on the path.
• Skip this step if you only need to synchronize the keystore file between appservers in MAS (Multiple Application Server) environment
• Refer to the following doc page to find more details about generating keystore file using either blmkcert or keytool:
  Implementing private certificates in TrueSight Server Automation

3. Copy the newly generated keystore file (bladelogic.keystore) to the correct location ('<install dir>/NSH/br/deployments') on all appservers

4. Run the following blasadmin commands in an NSH Shell on each appserver host to check the current setting and update, where appropriate for all appserver deployments to use the new certificate as below example: (assuming the certificate file stays the same)

• blasadmin –a set appserver certpasswd <keystore_password>
• blasadmin –s _launcher set appserverlauncher keystorepassword <keystore_password>

5. Start the Application Server service

To verify everything went correctly:

1. Open the TSSA RCP Console and in the ‘options’ menu select the certificates tab.  Delete any certificates for your Application Server(s).
2. Attempt to login to each of Application Server(s), where the new 'bladelogic.keystore' was used
3. The console should prompt to accept a new certificate.  Accept it.
4. After connecting, go to ‘File >> Reconnect’ in the console and look at the 'options' > Certificates tab again.  Inspect the certificate from this appserver and confirm the new expiration date.