Unable to launch ASAP UI over SSL

Document ID : KB000046890
Last Modified Date : 14/02/2018

Problem:

Unable to launch ASAP UI over SSL after following CA’s DocOps documentation guide lines.

https://docops.ca.com/ca-release-automation/6-1/en/installation/ca-release-automation-communications-security/secure-communications

After successfully opening https://<server>:8443, clicking the Automation Studio link and launching the JNLP, an error prevents ASAP from loading. Java first prompts that the application is not trusted, and then it fails with the following error:


Errors:

sun.security.validator.ValidatorException: Extended key usage does not permit use for code signing
at sun.security.validator.EndEntityChecker.checkCodeSigning(Unknown Source)
at sun.security.validator.EndEntityChecker.check(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)

 

Environment:

CA Release Automation Server 6.1

 

Resolution:

1. The certificate must carry the following extension:

   a. ExtendedKeyUsage [ serverAuth & codeSigning ]

2. Do not issue the certificate with KeyUsage marked critical and ExtendedKeyUsage = serverAuth only. A certificate with that combination is not permitted to sign code, which is exactly what the ValidatorException above reports.
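The extension requirement in point 1 can be verified before any keystore is built. The following is an added example, not part of this article or of the product: a stdlib-only Python check that parses a DER-encoded certificate (convert a PEM CARA.crt with `openssl x509 -in CARA.crt -outform DER`) and reports whether its ExtendedKeyUsage lists both serverAuth and codeSigning. The names `eku_oids`, `usable_for_webstart` and `sample_cert` are chosen here, and `sample_cert` builds a constructed certificate skeleton so the check runs offline.

```python
# Added pre-flight check: parse a DER certificate's ExtendedKeyUsage and confirm it
# lists both serverAuth and codeSigning before the cert goes into custom-keystore.jks.
OID_EKU, SERVER_AUTH, CODE_SIGNING = "2.5.29.37", "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.3"

def _children(data):
    """Split a DER constructed value into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(data):
        tag, ln, pos = data[pos], data[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: low 7 bits give the byte count
            n = ln & 0x7F
            ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        out, pos = out + [(tag, data[pos:pos + ln])], pos + ln
    return out

def _oid(value):  # decode DER OID bytes to dotted form, e.g. 1.3.6.1.5.5.7.3.3
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)

def eku_oids(cert_der):
    """Return the EKU OIDs of a DER certificate ([] when it has no EKU extension)."""
    tbs = _children(_children(cert_der)[0][1])[0][1]  # Certificate -> tbsCertificate
    exts = [val for tag, val in _children(tbs) if tag == 0xA3]  # [3] EXPLICIT Extensions
    for _, ext in _children(_children(exts[0])[0][1]) if exts else []:
        fields = _children(ext)  # extnID, optional critical BOOLEAN, extnValue
        if _oid(fields[0][1]) == OID_EKU:  # extnValue OCTET STRING wraps SEQUENCE OF OID
            return [_oid(v) for _, v in _children(_children(fields[-1][1])[0][1])]
    return []

def usable_for_webstart(cert_der):
    """True only when the EKU covers both the HTTPS listener and jar signing."""
    return {SERVER_AUTH, CODE_SIGNING} <= set(eku_oids(cert_der))

# --- constructed sample input (not a real certificate) so the check runs offline ---
_OID_HEX = {OID_EKU: "551d25", SERVER_AUTH: "2b06010505070301", CODE_SIGNING: "2b06010505070303"}

def _der(tag, *payloads):  # minimal DER encoder, used only to build the sample
    body = b"".join(payloads)
    ln = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body

def sample_cert(ekus):  # certificate skeleton whose only populated field is the EKU
    ext = _der(0x30, _der(0x06, bytes.fromhex(_OID_HEX[OID_EKU])),
               _der(0x04, _der(0x30, *(_der(0x06, bytes.fromhex(_OID_HEX[o])) for o in ekus))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),  # version, serial
               *[_der(0x30)] * 5, _der(0xA3, _der(0x30, ext)))  # empty name/validity/SPKI fields
    return _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00"))  # tbs, signatureAlgorithm, signature
```

Run `usable_for_webstart(open("CARA.der", "rb").read())` on the real DER file; a False result means the certificate will trigger the ValidatorException above once jarsigner has used it.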

 

Additional Information:

Making the keystore (custom-keystore.jks) with Server Auth and Code Signing

# cat CARA.crt CA-ROOT.cer >> all.cer (CARA.crt is a certificate with the Server Auth and Code Signing extended key usages)

# openssl pkcs12 -export -name nolio -in all.cer -inkey CARA.key -out CARA.p12

 

# keytool -importkeystore -destkeystore conf/custom-keystore.jks -srckeystore CARA.p12 -srcstoretype pkcs12 -alias nolio

# keytool -importcert -alias nolio -file CARA.p12 -keystore conf/custom-truststore.jks -v -rfc

# keytool -exportcert -alias nolio -file nac.crt -keystore conf/custom-keystore.jks -v

# keytool -importcert -alias nolio -file nac.crt -keystore conf/custom-truststore.jks -v -rfc

# keytool -importcert -alias nolio -file nac.crt -keystore nolio.jks -v -rfc

# jar cvf custom-truststore.jar nolio.jks

# jarsigner -keystore conf/custom-keystore.jks -verbose -keypass {password} custom-truststore.jar nolio

Copy the file custom-truststore.jar, which we just created, to \webapps\nolio-app\apps\v2.0.0\lib\

[root@vulve02-I175699 conf]# cat security-customization.properties

ui.trustStorePassword=interOP@123

[root@vulve02-I175699 conf]#

Updated server.xml with the newly created keystore:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           compression="on"
           compressionMinSize="102400"
           compressableMimeType="application/x-java-serialized-object"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keyAlias="nolio"
           keystoreFile="conf/custom-keystore.jks"
           keystorePass="${keystorePass}"
           maxSwallowSize="-1">


Open the RA_HOME\conf\catalina.properties file, uncomment the following lines, and fill in the keystorePass property with the encrypted password that you generated:

org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.nolio.tomcat.utils.PropertyDecoder

keystorePass=<encrypted password>

 

Restart the NAC service.

 

Verify Web UI Certificates Were Applied: