APM Command Center certificate problems in browser - despite keystore being set up.

Document ID : KB000044716
Last Modified Date : 14/02/2018

 Issue:

 When trying to import a security certificate into APM Command Center, it is shown as invalid in the Command Center browser interface. The same certificate works for APM's Enterprise Manager webview on the same server.

 

 Environment

 APM Command Center 10.x

 Cause 

 The keystore in use contains multiple key pairs that can be used to configure Jetty, each with its own alias. If no alias is explicitly set, the key manager picks the first alias that matches some internal criteria. The order in which the keys are stored in the keystore is not always preserved, so the key pair that is picked may not be the intended one.

 

 Resolution:

 To fix this, the alias of the desired key pair must be identified and added to the ACC config file. The alias can be found by using a tool such as keystore-explorer, or by examining the contents of the keystore with the command:

 keytool -list -v -keystore /folder_where_keystore_is_located/name_of_keystore.keystore 

 This will output the contents of the keystore. Look for the proper entry and note the value of "Alias name".

 For example - here is the top section of a default APM keystore when using that command with the default.keystore that ships with the EM:

 Alias name: wily

 Creation date: Feb 28, 2008

 Entry type: PrivateKeyEntry

 Certificate chain length: 1

 Certificate[1]:

 Owner: CN=www.wilytech.com, OU=Wily Technology, O=CA, L=San Fransisco, ST=CA, C=US

 Issuer: CN=www.wilytech.com, OU=Wily Technology, O=CA, L=San Fransisco, ST=CA, C=US

 Serial number: 

 Valid from: Thu Feb 28 17:07:53 EST 2008 until: Sun Jul 15 18:07:53 EDT 2035

 ...

 In this example (above) the alias name would be wily.

 

 After identifying the proper alias, add the following entry to the ACC config file apmccsrv.properties and restart the ACC Server: 

 javax.net.ssl.alias=<alias of keypair>

 

 For example:

 javax.net.ssl.alias=wily
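
 The following script is an added example, not part of the original article or of APM: it reduces `keytool -list -v` output to one line per key pair (alias, owner, expiry) and checks that a chosen alias really names a PrivateKeyEntry before it is written to javax.net.ssl.alias. The function names and the acc-server and rootca entries in the sample listing are constructed for illustration; English keytool output is assumed.

```shell
#!/bin/sh
# Constructed sample: the "wily" entry from the article plus two made-up
# entries (acc-server, rootca), abbreviated to the fields that are parsed.
sample_listing() {
cat <<'EOF'
Alias name: acc-server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=acc.example.com, O=Example
Valid from: Mon Feb 12 10:00:00 EST 2018 until: Sat Feb 12 10:00:00 EST 2028

Alias name: rootca
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Valid from: Fri Jan 01 00:00:00 EST 2010 until: Tue Jan 01 00:00:00 EST 2030

Alias name: wily
Creation date: Feb 28, 2008
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.wilytech.com, OU=Wily Technology, O=CA, L=San Fransisco, ST=CA, C=US
Issuer: CN=www.wilytech.com, OU=Wily Technology, O=CA, L=San Fransisco, ST=CA, C=US
Valid from: Thu Feb 28 17:07:53 EST 2008 until: Sun Jul 15 18:07:53 EDT 2035
EOF
}

# list_keypairs: read a keytool listing on stdin and print "alias|owner|expiry"
# for each PrivateKeyEntry, using the first (leaf) certificate of its chain.
# trustedCertEntry entries are skipped: they hold no private key to serve.
list_keypairs() {
  awk '
    /^Alias name: / { alias = substr($0, 13); type = ""; owner = ""; next }
    /^Entry type: / { type = substr($0, 13); next }
    /^Owner: /      { if (owner == "") owner = substr($0, 8); next }
    /^Valid from: / && type == "PrivateKeyEntry" && alias != "" {
      sub(/^.* until: /, ""); print alias "|" owner "|" $0; alias = ""
    }
  '
}

# check_alias ALIAS: exit 0 only if ALIAS is a key pair in the listing on stdin.
check_alias() {
  list_keypairs | awk -F'|' -v a="$1" '$1 == a { found = 1 } END { exit !found }'
}

sample_listing | list_keypairs   # two lines here: more than one candidate alias
```

 More than one line of output means the keystore holds several key pairs, which is the situation described under Cause. For a real keystore, pipe the keytool command shown above into list_keypairs instead of sample_listing.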