NetWorker: authc-opdrachten op geclusterde RHEL-server rapporteren "unable to find valid certification path to requested target".
Summary: NetWorker is geïnstalleerd op een RHEL/CentOS Linux cluster met hoge beschikbaarheid. Bij het uitvoeren van authc config-opdrachten (authc_config, authc_mgmt) retourneert de opdracht "unable to find valid certification path to requested target". ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
- De netWorker serverimplementatie is geconfigureerd op RHEL/CentOS 7.x of 8.x Linux-servers met behulp van clustering met hoge beschikbaarheid.
- authc_config - en authc_mgmt-opdrachten retourneren een certificaatpadfout:
root@NWrhelNodeF:~# pcs resource
* Resource Group: NW_group:
* fs (ocf::heartbeat:Filesystem): Started NWrhelNodeF.emclab.local
* ip (ocf::heartbeat:IPaddr): Started NWrhelNodeF.emclab.local
* nws (ocf::EMC_NetWorker:Server): Started NWrhelNodeF.emclab.local
root@NWrhelNodeF:~# authc_mgmt -u Administrator -p 'authc_password' -e find-all-users
ERROR [main] (DefaultLogger.java:222) - Error while performing Operation:
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://localhost:9090/auth-server/api/v1/sec/authenticate": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- Nadat een failover van het knooppunt heeft plaatsgevonden, is er een mismatch tussen de certificaten in de gedeelde /nsr-locatie en de lokale /opt/nsr-locatie op het nieuwe actieve knooppunt:
root@NWrhelNodeF:~# cd /opt/nre/java/latest/bin
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 1C:32:BF:11:70:93:4E:DF:F5:77:42:DA:98:E5:5A:AF:FC:BB:9A:C6:8D:40:54:6E:77:9D:E2:2F:7D:50:C0:CD
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore ../lib/security/cacerts -storepass changeit | grep -A1 emcauthctomcat
emcauthctomcat, Jan 31, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 1C:32:BF:11:70:93:4E:DF:F5:77:42:DA:98:E5:5A:AF:FC:BB:9A:C6:8D:40:54:6E:77:9D:E2:2F:7D:50:C0:CD
root@NWrhelNodeF:/opt/nre/java/latest/bin#
OPMERKING: Wanneer een knooppunt actief is/nsr symbolisch is gekoppeld aan het gedeelde pad (bijvoorbeeld: /nsr_share/nsr). Daarom komt het certificaat in de bovenstaande uitvoer overeen bij het vergelijken van de uitvoer van /nsr_share en /nsr. Dit pad wordt gedeeld tussen knooppunten; De paden /opt/nsr en /opt/nre (Java) zijn echter lokaal voor elk fysiek knooppunt. De certificaathandtekeningen tussen de certificaten 'shared' en 'local' komen niet overeen.
- Wanneer het andere knooppunt actief is, komen de certificaten tussen 'lokale' en 'gedeelde' paden overeen
root@NWrhelNodeE:~# pcs resource
* Resource Group: NW_group:
* fs (ocf::heartbeat:Filesystem): Started NWrhelNodeE.emclab.local
* ip (ocf::heartbeat:IPaddr): Started NWrhelNodeE.emclab.local
* nws (ocf::EMC_NetWorker:Server): Started NWrhelNodeE.emclab.local
root@NWrhelNodeE:~#
root@NWrhelNodeE:~# cd /opt/nre/java/latest/bin
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore ../lib/security/cacerts -storepass changeit | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
OPMERKING: Geef het wachtwoord voor de authc keystore op voor de waarde -storepass. Het wachtwoord voor de authc keystore wordt geconfigureerd tijdens de eerste installatie bij het uitvoeren van het script /opt/nsr/authc-server/scripts/authc_configure.sh op elk knooppunt.
- Op het knooppunt waar alle certificaten overeenkomen, wordt de fout van het certificaatpad niet waargenomen:
root@NWrhelNodeE:~# authc_mgmt -u Administrator -p 'authc_password' -e find-all-users The query returns 1 records. User Id User Name 1000 administrator
Cause
Voordat NetWorker-servers aan het cluster worden toegevoegd met behulp van /usr/sbin/networker.cluster, worden ze geconfigureerd als zelfstandige servers. /opt/nsr/authc-server/scripts/authc_configure.sh wordt uitgevoerd na de installatie, waarbij unieke certificaten per knooppunt worden gegenereerd. De certificaten die worden gebruikt op de gedeelde locatie komen overeen vanaf welk knooppunt het actieve knooppunt was, waar de geclusterde netwerkbron in eerste instantie is gestart.
De /nsr-directory is symbolisch gekoppeld aan de map /nsr_share/nsr die wordt verplaatst tussen knooppunten, afhankelijk van welk knooppunt het huidige actieve knooppunt is. De /opt/nsr/authc-server/conf/authc.truststore is lokaal voor elk knooppunt en wordt niet gedeeld wanneer een failover plaatsvindt. Na een failover van een knooppunt worden de /nsr/authc/conf/authc.keystore emcauthc-certificaathandtekeningen gecombineerd met de /opt/nsr.. certificaten op het initiële knooppunt, maar niet het huidige actieve knooppunt.
Resolution
Oplossing:
Dit probleem is opgelost in de volgende NetWorker versies:- 19.8.0.4
- 19.9.0.2
Upgrade naar een van de vermelde NetWorker versies (of hoger). NetWorker-pakketten kunnen worden gedownload van: https://www.dell.com/support/home/product-support/product/networker/drivers
OPMERKING: Nadat NetWorker is geüpgraded en de geclusterde netwerkbron is opgestart, moet u /opt/nsr/authc-server/scripts/authc_configure.sh opnieuw uitvoeren op het knooppunt waar de certificaatfout werd waargenomen. Hiermee wordt de niet-overeenkomende fout gecorrigeerd.
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Oct 20, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 43:80:AC:4A:78:BC:CA:5A:9F:DB:DF:04:30:B3:D1:41:F4:78:31:F8:0E:93:06:5F:F7:D6:A0:5F:E3:86:6B:AA
root@lnx-node1:/opt/nre/java/latest/bin# /opt/nsr/authc-server/scripts/authc_configure.sh
Specify the directory where the Java Standard Edition Runtime Environment (JRE) software is installed [/opt/nre/java/latest]:
The installation process will install an Apache Tomcat instance.
For optimum security, EMC NetWorker Authentication Service will
use a non-root user (nsrtomcat) to start the Apache Tomcat instance.
If your system has special user security requirements, ensure that proper
operational permissions are granted to this non-root user (nsrtomcat).
Please refer to NetWorker Installation Guide.
WARNING: Port 9090 is already in use.
Do you wish to specify a different port number [y]? n
The Apache Tomcat will use "lnx-node1.amer.lan" as the host name.
The Apache Tomcat will use "9090" as the port number.
The NetWorker Authentication Service requires a keystore file to configure encryption and to provide SSL support.
EMC recommends that you specify a keystore password that has a minimum of six characters.
Do you want to use the existing keystore /nsr/authc/conf/authc.keystore [y]?
Specify password for the existing keystore:
The install will use the existing certificate "emcauthctomcat" for Apache Tomcat.
The install will use the existing certificate "emcauthcsaml" for Authentication Service.
The NetWorker Authentication Service defines automatically an administrator user account
named administrator in the NetWorker Authentication Service local database.
This account is specific to the administration of the NetWorker Authentication Service, and
is not related to other administrator accounts on this system.
********************************************************************************************
Password criteria: Minimum required characters - 9 and Maximum allowed characters - 126
Minimum [alphabetic - 2, Uppercase - 1, Lowercase - 1, Numeric - 1, Special character - 1]
********************************************************************************************
Specify an initial password for administrator:
Confirm the password:
Creating the installation log in /opt/nsr/authc-server/logs/install.log.
Performing initialization. Please wait...
The installation completed successfully.
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Oct 20, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:~# authc_mgmt -u Administrator -e find-all-users
Enter password:
The query returns 1 records.
User Id User Name
1000 administrator
Tijdelijke oplossing:
1. Maak het knooppunt waar de certificaten overeenkomen met het actieve knooppunt in pc's. Voorbeelden van hoe u dit kunt bepalen, worden weergegeven in het veld Symptomen.
2. Meld u aan bij het passieve knooppunt (waar certificaten niet overeenkomen).
3. Gebruik de opdracht nsrssltrust om een certificaatbestand te maken op de virtuele clusterbron:
nsrssltrust -u https:// cluster-hostnaam:9090 -c certificate_file.cer
Voorbeeld:
root@NWrhelNodeF:~# nsrssltrust -u https://NWrhelClusD.emclab.local:9090 -c emcauthctomcat.cer
Fetching server's CA certificate chain / server certificate (if CA is not available)...
Information of the cert chain received from SSL server:
idx: 0
subject: /C=US/ST=TX/L=Round Rock/O=DELL/OU=NetWorker/CN=NWrhelNodeE.emclab.local
issuer: /C=US/ST=TX/L=Round Rock/O=DELL/OU=NetWorker/CN=NWrhelNodeE.emclab.local
Validity Not Before: Dec 19 17:03:27 2022 GMT
Validity Not After: Dec 13 17:03:27 2047 GMT
finger print sha1: 5d31f1a7bb4f3982f213235372503e3835c048e1
signing algorithm: 1020
Do you trust this certificate(s) entity based on above information? [yes]/[no]:
yes
Https certificate is saved into certfile [emcauthctomcat.cer].
4. Controleer of de handtekening van het gegenereerde certificaat overeenkomt met de handtekening van het gedeelde certificaat op het actieve knooppunt:
cd /opt/nre/java/latest/bin
/opt/nre/java/latest/bin/keytool -printcert -file certificate_file.cer | grep SHA256
Voorbeeld:
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -printcert -file /root/emcauthctomcat.cer | grep SHA256
SHA256: 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -printcert -file /nsr_share/nsr/authc/conf/emcauthctomcat.cer | grep SHA256
SHA256: 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
5. Verwijder op het knooppunt met de niet-overeenkomende certificaten de lokale emcauthctomcat-certificaten uit het bestand authc.truststore en cacerts.
cd /opt/nre/java/latest/bin
./keytool -delete -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
./keytool -delete -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc-password'
OPMERKING: Als dit lukt, wordt er geen uitvoer geretourneerd.
6. Importeer het certificaat dat is gegenereerd met nsrssltrust:
cd /opt/nre/java/latest/bin
./keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc-password' -file certificate_file.cer
./keytool -import -alias emcauthctomcat -keystore/opt/nre/java/latest/lib/security/cacerts-storepass changeit -file certificate_file.cer
Voorbeeld:
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc-password' -file /root/emcauthctomcat.cer
Owner: CN=NWrhelNodeE.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Issuer: CN=NWrhelNodeE.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Serial number: 6b0ed47e
Valid from: Mon Dec 19 12:03:27 EST 2022 until: Fri Dec 13 12:03:27 EST 2047
Certificate fingerprints:
SHA1: 5D:31:F1:A7:BB:4F:39:82:F2:13:23:53:72:50:3E:38:35:C0:48:E1
SHA256: 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
IPAddress: 127.0.0.1
DNSName: NWrhelNodeE.emclab.local
]
Trust this certificate? [no]: yes
Certificate was added to keystore
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -import -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit -file /root/emcauthctomcat.cer
Certificate already exists in keystore under alias <emcnwuiserv>
Do you still want to add it? [no]: yes
Certificate was added to keystore
Test:
Om te controleren of de certificaten nu geldig zijn, failover van het cluster op het knooppunt zijn de bovenstaande wijzigingen toegepast op:
1. De authc_mgmt - of authc_config-opdrachten zouden nu moeten werken op het knooppunt waarvoor ze eerder mislukte:
root@NWrhelNodeF:~# authc_mgmt -u Administrator -p 'NetWorker_Admin_password' -e find-all-users
The query returns 1 records.
User Id User Name
1000 administrator
2. Voor aanvullende verificatie kunnen we zien dat de certificaten overeenkomen van zowel lokale als gedeelde locaties:
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'authc-password' | grep -A1 emcauthctomcat emcauthctomcat, Dec 19, 2022, PrivateKeyEntry, Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4 root@NWrhelNodeF:/opt/nre/java/latest/bin# root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore -storepass 'authc-password' | grep -A1 emcauthctomcat emcauthctomcat, Dec 19, 2022, PrivateKeyEntry, Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4 root@NWrhelNodeF:/opt/nre/java/latest/bin# root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc-password' | grep -A1 emcauthctomcat emcauthctomcat, Apr 13, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4 root@NWrhelNodeF:/opt/nre/java/latest/bin# root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore ../lib/security/cacerts -storepass changeit | grep -A1 emcauthctomcat emcauthctomcat, Apr 13, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
Additional Information
Als de AUTHC/NMC-server een centraal zelfstandig NetWorker-systeem is, heeft dit probleem geen invloed op NetWorker Management Console (NMC), NetWorker Web User Interface (NWUI) of REST API-aanvragen.
Affected Products
NetWorkerProducts
NetWorker Family, NetWorker SeriesArticle Properties
Article Number: 000205383
Article Type: Solution
Last Modified: 24 Mar 2025
Version: 9
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.