UPM Patch Download Error - peer not authenticated

Document ID : KB000047325
Last Modified Date : 14/02/2018


Downloads of some Patch Management (PM) patches fail.
The PM logs contain the error "peer not authenticated". The problem occurs only for patches whose files are referenced by an https URL.
Example :
In ITCM R14 the following error appears in the logs <DSM Path>\PatchManagement\PMEngine*.log :
2016-09-22 09:47:45,728 [Dloader-2] ERROR [com.ca.pmengine.dlm] - Patch: FPA_23.0.0.162_x86.exe {2ea5a4f7-33fc-4f2d-a318-e93a6202a71d} failed  with exception detail: peer not authenticated


This problem occurs when Patch Management downloads a file through a web security gateway (for example McAfee Web Gateway, formerly Webwasher) and the URL of the file uses https.
Such a gateway intercepts the TLS connection and presents its own certificate in the Certificate handshake message sent to the PM machine. Because the issuer of that certificate is not in the truststore of the JRE used by ITCM, the Java client rejects the handshake and answers with the TLS alert "Certificate Unknown"; the download then fails with "peer not authenticated".
In a Wireshark capture taken on the UPM machine this is visible as the server's Certificate / Server Key Exchange messages followed by the client's fatal "Certificate Unknown" alert.


The solution is to add the Web Gateway certificate to the cacerts truststore of the JRE used by ITCM Tomcat. Note that this makes the JRE trust the gateway for every HTTPS connection it intercepts, so import only the certificate your security team confirms belongs to the gateway, and check its fingerprint with them before importing it.
1- Make a copy of the file C:\Program Files (x86)\CA\SC\JRE\1.8.0_60\lib\security\cacerts as cacerts.ori, so that the original truststore can be restored if needed.
Remarks :
Adapt the path to the installation path of ITCM.
In ITCM 14 the JRE version used is 1.8.0_60, but it may change in future versions. A JRE update also replaces the cacerts file, so the import has to be repeated after an upgrade.
2- Obtain an export file of the missing certificate.
Ask the security team for an export of the missing certificate. For an intercepting gateway this is normally the CA certificate the gateway uses to re-sign intercepted sites; a certificate exported from a single site would only fix downloads from that site.
If the certificate has already been imported into Windows, it can be exported with mmc.
Follow the steps described in Microsoft's documentation for displaying the certificates in the mmc Certificates snap-in.
The certificate can then be exported to a .cer file by right-clicking it and choosing All Tasks - Export... .
3- Run the following in a Command Prompt to import the missing certificate into the JRE cacerts :
cd c:\Program Files (x86)\CA\SC\JRE\1.8.0_60\bin
keytool -import -alias aliasname -keystore ..\lib\security\cacerts -file certificate_file
Replace aliasname with a name of your choice (for example webgateway) and certificate_file with the path of the exported .cer file. When keytool asks "Trust this certificate?", compare the fingerprint it displays with the one provided by the security team before answering yes.
The default password of the cacerts keystore is : changeit
4- Then restart Tomcat and IIS :
Caf stop tomcat
Caf start tomcat
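The following PowerShell script is an added example and is not part of this KB article or of the ITCM product; it runs the four steps above in one pass and stops early on the mistakes that otherwise surface later (wrong JRE path, wrong or expired certificate, fingerprint mismatch, leaf certificate instead of the gateway CA). The JRE path, the certificate file name, the alias, the SHA-1 fingerprint parameter and the default password changeit are assumptions to adapt to the installation.

```powershell
# Added example (not from the KB): backup, inspect, import and verify the
# Web Gateway certificate in the JRE cacerts used by ITCM Tomcat, then restart.
# All parameter defaults are assumptions; adapt them to your ITCM installation.
param(
    [string]$JreHome      = 'C:\Program Files (x86)\CA\SC\JRE\1.8.0_60',  # ITCM 14 default, check your JRE version
    [string]$CertFile     = 'C:\temp\webgateway-ca.cer',                   # export received from the security team
    [string]$Alias        = 'webgateway-ca',                               # any alias not yet used in cacerts
    [string]$StorePass    = 'changeit',                                    # JRE default password of cacerts
    [string]$ExpectedSha1 = ''                                             # SHA-1 fingerprint given by the security team
)

$keytool = Join-Path $JreHome 'bin\keytool.exe'
$cacerts = Join-Path $JreHome 'lib\security\cacerts'
if (-not (Test-Path $keytool)) { throw "keytool not found at $keytool; adapt -JreHome to the installed JRE" }
if (-not (Test-Path $CertFile)) { throw "certificate file $CertFile not found" }

# Step 1: keep a pristine copy of the truststore so the change can be rolled back
if (-not (Test-Path "$cacerts.ori")) { Copy-Item $cacerts "$cacerts.ori" }

# Step 2 check: inspect the export before trusting it
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
Write-Host "Subject    : $($cert.Subject)"
Write-Host "Issuer     : $($cert.Issuer)"
Write-Host "Valid until: $($cert.NotAfter)"
Write-Host "SHA-1      : $($cert.Thumbprint)"     # uppercase hex, no colons
if ($cert.NotAfter -lt (Get-Date)) { throw "certificate expired on $($cert.NotAfter); do not import" }
if ($ExpectedSha1) {
    $wanted = ($ExpectedSha1 -replace '[:\s]', '').ToUpper()
    if ($cert.Thumbprint -ne $wanted) { throw "fingerprint mismatch: file has $($cert.Thumbprint), expected $wanted; do not import" }
}
# An intercepting gateway re-signs every site with its own CA, so the CA certificate
# (Basic Constraints CA:TRUE) is the one to trust; a single site's leaf certificate
# would only fix downloads from that one site.
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not ($bc -and $bc.CertificateAuthority)) {
    Write-Warning "$CertFile is not a CA certificate; you probably need the gateway's signing CA instead"
}

# Step 3: import unless the alias is already present, then show what cacerts now holds
$null = & $keytool -list -keystore $cacerts -storepass $StorePass -alias $Alias 2>&1
if ($LASTEXITCODE -eq 0) {
    Write-Host "alias '$Alias' already exists in cacerts, nothing to import"
} else {
    $importArgs = @('-importcert', '-alias', $Alias, '-keystore', $cacerts, '-storepass', $StorePass, '-file', $CertFile)
    if ($ExpectedSha1) { $importArgs += '-noprompt' }   # fingerprint already checked above; otherwise keytool prompts
    & $keytool @importArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }
}
& $keytool -list -v -keystore $cacerts -storepass $StorePass -alias $Alias | Select-String 'Owner:|Issuer:|SHA1:|Valid'

# Step 4: restart the services that use this JRE (caf is the ITCM agent command)
caf stop tomcat
caf start tomcat
iisreset    # the KB asks for an IIS restart as well (assumed command, adapt if IIS is managed differently)
```

Run it from an elevated PowerShell prompt on the UPM machine, passing -ExpectedSha1 with the fingerprint the security team communicated, so the import is only performed when the file matches. Because the cacerts file decides which CAs the JRE trusts, keep its NTFS permissions restricted to administrators, and keep the cacerts.ori backup for rollback and for re-applying the import after the next JRE upgrade replaces the file.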