MCS CLI tools do not work with wasp https

Document ID : KB000095255
Last Modified Date : 11/05/2018
Issue:
In an attempt to secure our systems further, we have enabled HTTPS and turned off HTTP. We now find that the MCS CLI tools (i.e. the JAR file) no longer work. After executing the command to import profiles, an error is returned:
 /opt/nimsoft/jre/jre8u102/bin/java -jar mcs-cli.jar profile-import -base_url https://<hostname>/mcsws/v0 -group UIM -file /opt/nimsoft/profiles/cdmsetup.xml -username administor -password <password>

2018-04-25 13:04:06 INFO [main] [com.nimsoft.selfservice.cli.handlers.ProfileImport] Failed to import profile. Error: Failed to get list of device groups.
Error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

When you open the URL in a browser, it is possible to connect to the page and return a list of all the groups, e.g. https://<hostname>/mcsws/v0/groups
 
Environment:
Any UIM version on Linux
Cause:
Unlike a browser, where the user can click through a certificate warning, the Java HTTPS client inside mcs-cli.jar validates the server certificate strictly. Two prerequisites must therefore be met before the CLI can connect to the URL:
1) the certificate presented by the website (in this case the MCS web services served by the wasp probe on the primary hub) must contain a Subject Alternative Name (SAN) matching the host used in -base_url. The JRE raises "No subject alternative names present" when the certificate has no SAN entry of the required type (for example, no iPAddress entry when -base_url uses an IP address).
2) because the certificate is self-signed (or issued by a private CA), it must be present in the cacerts truststore of the Java installation that runs the MCS CLI; otherwise the certificate chain cannot be validated.
Resolution:
The default self-signed certificate created by the wasp probe when the HTTPS port is activated does not contain a SAN, so it cannot be used with the MCS CLI.

You need either a certificate issued by a public (or internal) CA that has been created with a SAN, or a new self-signed certificate that you create manually with a SAN, as described in the following steps.

1) Reset the password of the default wasp keystore and remove the existing certificate (the base steps are described in the referenced guide).
Our guide only contains the commands for a Windows environment; on Linux the respective commands, run from the wasp conf directory (/opt/nimsoft/probes/service/wasp/conf), are:
  • reset the keystore password via the wasp probe callback
  • /opt/nimsoft/jre/jre8u102/bin/keytool -list -keystore wasp.keystore (lists the content of the keystore)
  • /opt/nimsoft/jre/jre8u102/bin/keytool -delete -alias wasp -keystore wasp.keystore (deletes the existing certificate and its key)
2) Create the new key pair and the CSR as per kb000016748, this time including the SAN. Replace <fqdn> with the host name and <ip> with the IPv4 address that clients will use in -base_url (each octet must be 0-255; keytool and openssl both reject an invalid address):
  • /opt/nimsoft/jre/jre8u102/bin/keytool -genkeypair -alias wasp -keyalg RSA -keysize 2048 -keystore wasp.keystore -dname "CN=<fqdn>, OU=<org>, O=CA, L=<town>, ST=<county>, C=<country>" -ext SAN=dns:<fqdn>,ip:<ip> -validity 365
  • /opt/nimsoft/jre/jre8u102/bin/keytool -certreq -alias wasp -keystore wasp.keystore -file wasp.csr -ext SAN=dns:<fqdn>,ip:<ip>
3) Create the new certificate with openssl on your Linux box. A configuration file is needed so that openssl adds the extensions (such as the SAN) to the certificate: older OpenSSL releases cannot set a SAN from the command line (OpenSSL 1.1.1 and later accept -addext, but the config file works everywhere), and "openssl req -x509" does not copy the extensions from the CSR into the certificate, so the SAN must be listed here under x509_extensions. The keyUsage also includes digitalSignature, which the ECDHE_RSA cipher suites preferred by Java require.
  • create an OpenSSL config file following this example (the values under [req_distinguished_name] and [alt_names] are examples; use your own):
    • [req]
      distinguished_name = req_distinguished_name
      x509_extensions = v3_req
      prompt = no
      [req_distinguished_name]
      C = UK
      ST = Berkshire
      L = Datchet
      O = CA
      OU = Tech Support
      CN = ump.ca.com
      [v3_req]
      keyUsage = digitalSignature, keyEncipherment
      extendedKeyUsage = serverAuth
      subjectAltName = @alt_names
      [alt_names]
      DNS.1 = ump.ca.com
      # replace with the real IPv4 address of the hub (a value such as 11.222.333.444 is not a valid address and is rejected)
      IP.1 = <ip>
  • /opt/nimsoft/jre/jre8u102/bin/keytool -importkeystore -srckeystore wasp.keystore -srcstorepass Nimsoft123 -srckeypass Nimsoft123 -destkeystore wasp.keystore.p12 -deststoretype PKCS12 -srcalias wasp -deststorepass Nimsoft123 -destkeypass Nimsoft123 (this creates a PKCS12 copy of the keystore so that the private key can be exported in a format openssl understands; Nimsoft123 is the password set in step 1)
  • /usr/bin/openssl pkcs12 -in wasp.keystore.p12 -passin pass:Nimsoft123 -nocerts -out wasp.key -passout pass:Nimsoft123 (exports the private key, still protected by the same password)
  • /usr/bin/openssl req -x509 -sha256 -days 365 -key wasp.key -passin pass:Nimsoft123 -in wasp.csr -config /usr/bin/openssl.cnf -out wasp.cer (signs the CSR with the key; -config points at the file created above, -passin avoids the interactive prompt for the key password)
  • delete wasp.keystore.p12 and wasp.key once wasp.cer exists, so that no extra copies of the private key remain on disk
4) Import the new certificate into the wasp keystore as the certificate reply for the existing "wasp" key entry. The wasp probe must be deactivated while the keystore is modified.
  • /opt/nimsoft/jre/jre8u102/bin/keytool -import -trustcacerts -alias wasp -file wasp.cer -keystore wasp.keystore
5) Import the same certificate into the cacerts truststore of the Java installation used by the MCS CLI (/opt/nimsoft/jre/jre8u102/lib/security). The default password of cacerts is "changeit" unless it has been changed. Note that a JRE upgrade ships a new cacerts file (the path contains the JRE version), so this import must be repeated after an upgrade.
  • /opt/nimsoft/jre/jre8u102/bin/keytool -import -trustcacerts -alias wasp -file /opt/nimsoft/probes/service/wasp/conf/wasp.cer -keystore cacerts
  • /opt/nimsoft/jre/jre8u102/bin/keytool -list -keystore cacerts -alias wasp (confirms the import)
Once this has been set up and the wasp probe has been activated again, the MCS CLI can connect to wasp over HTTPS and run the commands successfully.
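The Linux procedure above, consolidated into one script, as an added example that is not part of the original article or of the product. It adds the checks a practitioner wants before touching the keystore: the IP address and host name passed in are validated (an address like 11.222.333.444 would otherwise make keytool or openssl fail halfway through, after the old certificate has already been deleted), the OpenSSL config is generated with the SAN under x509_extensions, every keytool/openssl call runs non-interactively, and the certificate that the hub finally presents can be inspected. Assumptions that are not from the page: the JRE path, the wasp conf directory and the keystore password are taken from environment variables (defaulting to the values used above), cacerts still has Java's default password "changeit", the DN values are the example values from the config above, and the wasp probe has been deactivated before the script is run.

```shell
#!/bin/sh
# Added example: scripted version of steps 1-5 above (not the product's own tooling).
# Assumed defaults, override via the environment: JRE, WASP_CONF, STOREPASS (the
# password set when the wasp keystore password was reset), CACERTS_PASS.
set -eu

JRE="${JRE:-/opt/nimsoft/jre/jre8u102}"
WASP_CONF="${WASP_CONF:-/opt/nimsoft/probes/service/wasp/conf}"
STOREPASS="${STOREPASS:-Nimsoft123}"
CACERTS_PASS="${CACERTS_PASS:-changeit}"   # Java default, assumed unchanged

# IPv4 check: four dot-separated octets, each 0-255. Rejects 11.222.333.444,
# which both keytool (-ext SAN=ip:) and openssl (IP.1 =) would refuse.
valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  (
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || exit 1
    for octet in "$@"; do
      [ "$octet" -le 255 ] || exit 1
    done
  )
}

# Host name check for the DNS SAN entry: letters, digits, '-' and '.' only,
# no empty labels, no leading '-' or '.'.
valid_fqdn() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
  esac
}

# Emit the OpenSSL config for "openssl req -x509". The SAN has to be in the
# x509_extensions section: openssl does not copy it from the CSR. keyUsage
# carries digitalSignature because ECDHE_RSA suites sign with the server key.
write_san_config() {
cat <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = UK
ST = Berkshire
L = Datchet
O = CA
OU = Tech Support
CN = $1
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $1
IP.1 = $2
EOF
}

# Steps 1-5 of the article, non-interactive. wasp must be deactivated first.
rebuild_wasp_cert() {
  fqdn="$1"; ip="$2"; kt="$JRE/bin/keytool"
  valid_fqdn "$fqdn" || { echo "invalid host name: $fqdn" >&2; return 1; }
  valid_ipv4 "$ip"   || { echo "invalid IPv4 address: $ip" >&2; return 1; }
  cd "$WASP_CONF"
  write_san_config "$fqdn" "$ip" > wasp-san.cnf
  "$kt" -delete -alias wasp -keystore wasp.keystore -storepass "$STOREPASS"
  "$kt" -genkeypair -alias wasp -keyalg RSA -keysize 2048 -keystore wasp.keystore \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -validity 365 \
    -dname "CN=$fqdn, OU=Tech Support, O=CA, L=Datchet, ST=Berkshire, C=UK" \
    -ext "SAN=dns:$fqdn,ip:$ip"
  "$kt" -certreq -alias wasp -keystore wasp.keystore -storepass "$STOREPASS" \
    -file wasp.csr -ext "SAN=dns:$fqdn,ip:$ip"
  "$kt" -importkeystore -srckeystore wasp.keystore -srcstorepass "$STOREPASS" \
    -srckeypass "$STOREPASS" -srcalias wasp -destkeystore wasp.keystore.p12 \
    -deststoretype PKCS12 -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
  openssl pkcs12 -in wasp.keystore.p12 -passin "pass:$STOREPASS" -nocerts \
    -out wasp.key -passout "pass:$STOREPASS"
  openssl req -x509 -sha256 -days 365 -key wasp.key -passin "pass:$STOREPASS" \
    -in wasp.csr -config wasp-san.cnf -out wasp.cer
  # certificate reply for the key entry, then trust anchor for the CLI's JRE
  "$kt" -import -trustcacerts -alias wasp -file wasp.cer -keystore wasp.keystore \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -noprompt
  "$kt" -import -trustcacerts -alias wasp -file wasp.cer -noprompt \
    -keystore "$JRE/lib/security/cacerts" -storepass "$CACERTS_PASS"
  rm -f wasp.keystore.p12 wasp.key   # no spare copies of the private key
  "$kt" -list -alias wasp -keystore "$JRE/lib/security/cacerts" -storepass "$CACERTS_PASS"
}

# After wasp is active again: the SAN line must list the host used in -base_url.
show_presented_san() {   # $1 = host, $2 = HTTPS port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
}

if [ "$#" -eq 2 ]; then
  rebuild_wasp_cert "$1" "$2"
fi
```

Usage: `sh rebuild-wasp-cert.sh ump.ca.com 10.0.0.5` with the wasp probe deactivated, then activate wasp and run `show_presented_san ump.ca.com <port>` (after sourcing the script) to confirm that the DNS and IP entries match what the MCS CLI passes in -base_url.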