Error: "Error connecting to ServiceDesk Manager REST URL" when testing CA Service Desk (CA SDM) datasource in Unified Self-Service (USS) using SSL and a CA certificate

Document ID : KB000006813
Last Modified Date : 14/02/2018
Issue:

The following error appears in the Unified Self-Service (USS) application when testing CA Service Desk datasource in Unified Self-Service using SSL and a CA certificate:

Error connecting to ServiceDesk Manager REST URL

In the Liferay logs, in debug mode, the following message appears:

WARN [ExternalSourceData:313] Error occurred while testing of the WADL: https://<hostname>:<SSL port>/caisd-rest/rest_access/?_wadl javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Environment:
Unified Self-Service (USS) 14.1
Service Desk Manager (SDM) 14.1
All Supported Operating Systems
Cause:

Not all certificates in the chain have been imported into the trust store (cacerts) of the JRE used by Unified Self-Service.

Resolution:

1.  Download the SSL certificates for the CA SDM website using a web browser.  Once you are on the CA SDM page,  click on the security padlock in the URL and select 'View Certificates'.

2.  Copy the certificate in BASE64 format to this directory on the USS server: C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security

3.  If the certificate is a vendor-issued certificate, make sure to save all the certificates in the certificate chain in the same format.  Save each one under a different file name so it is clear which certificate is in which file.

4.  On the USS server, open a command prompt and set your JAVA_HOME like below:

set "JAVA_HOME=C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre"
set "PATH=%JAVA_HOME%\bin;%PATH%"

cd "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\bin"

5.  Take a backup of this file: C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\cacerts

6.  Import each certificate under a different alias by using the following command:

keytool -import -trustcacerts -alias server -file "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\server.cer" -keystore "C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre\lib\security\cacerts" -storepass changeit

Note: the default password for the cacerts keystore is 'changeit'.

7.  Repeat the above process to import all certificates in the certificate chain.  Each certificate needs its own alias in Step 6.  For example: alias root for the RootCA certificate and alias intermediate for the intermediate authority certificate.

8.  Once all certs are imported, restart USS Tomcat via Windows Services Control Panel

9.  Open a web browser and go to CA USS URL -> Administration -> Data sources

10.  Use appropriate HTTPS URL for the Base and REST items in the CA SDM datasource
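
Steps 5 to 7 as one batch script with a verification pass, added here as an example and not part of the original article. The file names root.cer and intermediate.cer and the backup name cacerts.bak are assumptions; only server.cer and the three aliases come from the steps above.

```batch
@echo off
rem Added example, not from the original article.
rem Assumption: the chain was saved in Base64 format as root.cer, intermediate.cer
rem and server.cer in jre\lib\security (only server.cer is named in the article).
setlocal
set "JRE=C:\Program Files\CA\Self Service\OSOP\tomcat-7.0.40\jre"
set "SEC=%JRE%\lib\security"
set "KEYTOOL=%JRE%\bin\keytool.exe"
set "STOREPASS=changeit"

rem Step 5: back up the trust store once, before the first change.
if not exist "%SEC%\cacerts.bak" (
    copy "%SEC%\cacerts" "%SEC%\cacerts.bak" >nul
    if errorlevel 1 goto :fail
)

rem Steps 6-7: import each certificate of the chain under its own alias.
rem An alias that is already present is skipped, so the script can be re-run.
for %%A in (root intermediate server) do (
    if not exist "%SEC%\%%A.cer" (
        echo Missing certificate file: %SEC%\%%A.cer
        goto :fail
    )
    "%KEYTOOL%" -list -alias %%A -keystore "%SEC%\cacerts" -storepass %STOREPASS% >nul 2>&1
    if errorlevel 1 (
        rem keytool shows the certificate and asks for confirmation unless it
        rem already chains to a trusted entry; compare the fingerprint with the
        rem browser's certificate view before answering yes.
        "%KEYTOOL%" -import -trustcacerts -alias %%A -file "%SEC%\%%A.cer" -keystore "%SEC%\cacerts" -storepass %STOREPASS%
        if errorlevel 1 goto :fail
    ) else (
        echo Alias %%A already exists, skipping import.
    )
)

rem Verification: every alias must be listed as a trustedCertEntry with its fingerprint.
for %%A in (root intermediate server) do (
    "%KEYTOOL%" -list -alias %%A -keystore "%SEC%\cacerts" -storepass %STOREPASS%
    if errorlevel 1 goto :fail
)
echo All chain certificates are present. Restart USS Tomcat to load the updated cacerts.
exit /b 0

:fail
echo Import incomplete. Restore cacerts.bak if the trust store was modified.
exit /b 1
```

If the "PKIX path building failed" message still appears in the Liferay log after the restart, compare the fingerprints printed by the verification pass with the chain the browser shows for the CA SDM site; a missing or wrong intermediate is the usual gap.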

Additional Information:

How to configure CA Unified Self Service (USS) to connect to HTTPS based Service Catalog/Service Desk

https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec1718265.html