NetWorker:authc 命令失敗,並顯示「找不到有效的認證路徑」
Summary: Authc_config和authc_mgmt命令在 NetWorker 報告「找不到要求目標的有效認證路徑」時失敗。
Symptoms
- NetWorker 伺服器部署在獨立 (非叢集) 系統上。
- NetWorker auth 命令 ()
authc_config,authc_mgmt) 失敗並回報以下錯誤:
[root@networker-mc bin]# authc_mgmt -u administrator -e find-all-users Enter password: ERROR [main] (DefaultLogger.java:190) - Error executing command. Failure: I/O error on POST request for https://localhost:9090/auth-server/api/v1/sec/authenticate [localhost]: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 無論使用本機 NetWorker 驗證或外部 (LDAP) 驗證,都會發生此問題。
Cause
emcauthctomcat 憑證的簽名不相符。在 NetWorker 部署期間,emcauthctomcat 預設為設定。此憑證存在於三處:
Linux:
- /nsr/authc/conf/authc.keystore
- /opt/nsr/authc-server/conf/authc.truststore
- /opt/nre/java/latest/lib/security/cacerts
Windows:
- C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\authc.keystore
- C:\Program Files\EMC NetWorker\nsr\authc-server\conf\authc.truststore
- C:\Program Files\NRE\java\jre#.#.#_###\lib\security\cacerts
[root@networker-mc bin]# ./keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit | grep -A1 emcauth emcauthctomcat, Oct 7, 2022, trustedCertEntry, Certificate fingerprint (SHA-256): 3B:18:1E:DF:39:ED:5B:4B:CF:9F:92:22:E8:D9:96:54:E0:21:A4:EB:06:D6:36:32:03:76:5E:CC:BA:B1:15:6B [root@networker-mc bin]# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore | grep -A1 emcauthctom Enter keystore password: emcauthctomcat, Oct 7, 2022, trustedCertEntry, Certificate fingerprint (SHA-256): 3B:18:1E:DF:39:ED:5B:4B:CF:9F:92:22:E8:D9:96:54:E0:21:A4:EB:06:D6:36:32:03:76:5E:CC:BA:B1:15:6B [root@networker-mc bin]# ./keytool -list -keystore /nsr/authc/conf/authc.keystore | grep -A1 emcauthctomcat Enter keystore password: emcauthctomcat, Jun 29, 2022, PrivateKeyEntry, Certificate fingerprint (SHA-256): 93:97:0D:ED:DF:B1:73:62:D0:E1:95:C9:EB:67:3E:EE:4D:2E:55:9F:D7:9D:5E:FD:CE:81:E3:88:23:8E:0C:C9
Resolution
更正憑證不相符的情形。
-
建立現有 Keystore 檔案的複本:
Linux:- /nsr/authc/conf/authc.keystore
- /opt/nsr/authc-server/conf/authc.truststore
- /opt/nre/java/latest/lib/security/cacerts
Windows:
- C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\authc.keystore
- C:\Program Files\EMC NetWorker\nsr\authc-server\conf\authc.truststore
- C:\Program Files\NRE\java\jre#.#.#_###\lib\security\cacerts
注意:cacerts 檔案位於 authc 設定的 JRE 實例中。上述路徑是安裝 NetWorker Runtime Environment (NRE) 時。如果已安裝 Oracle Java JRE,cacerts 檔案會位於 .. 下的 Java 安裝路徑中。\lib\security\cacerts。 -
在 NetWorker 伺服器上,開啟管理員或根命令提示字元。
-
停止 NetWorker 伺服器服務:
Linux:nsr_shutdown
Windows:net stop nsrd -
將目錄變更為 JRE \bin dir。
-
使用下列命令語法,從發現不相符的Keystore位置刪除emcauthctomcat憑證。
Linux:
./keytool -delete -alias emcauthctomcat -keystore /path/to/keystore -storepass passwordWindows:
keytool -delete -alias emcauthctomcat -keystore "C:\path\to\keystore" -storepass password注意:Java Keystore 密碼 (無論 NRE 或 Oracle jre) 正在 變更。使用 NetWorker 安裝精靈 (Windows) 或 /opt/nsr/authc-server/scripts/authc_configure.sh script (Linux) 時,authc Keystore 是使用者定義的 Keystore 密碼設定。
範例:
[root@networker-mc bin]# ./keytool -delete -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit [root@networker-mc bin]# ./keytool -delete -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore Enter keystore password: [root@networker-mc bin]#
-
預設的 emcauthctomcat 憑證應存在於下列位置:
Linux:/nsr/authc/conf/emcauthctomcat.cer
Windows:C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\emcauthctomcat.cer -
將預設的 emcauthctomcat 憑證匯入 Keystore 位置:
Linux:./keytool -import -alias emcauthctomcat -keystore /path/to/keystore -storepass password -file /nsr/authc/conf/emcauthctomcat.cerWindows:
keytool -import -alias emcauthctomcat -keystore "C:\path\to\keystore" -storepass password -file "C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\emcauthctomcat.cer"
範例:
[root@networker-mc bin]# ./keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -file /nsr/authc/conf/emcauthctomcat.cer
Enter keystore password:
Owner: CN=networker-mc.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Issuer: CN=networker-mc.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Serial number: bd1993a1
Valid from: Wed Jun 29 12:16:53 EDT 2022 until: Sun Jun 23 12:16:53 EDT 2047
Certificate fingerprints:
SHA1: E8:7B:C8:DF:4D:24:57:C4:63:34:1F:E8:6D:AA:1F:84:79:61:92:26
SHA256: 93:97:0D:ED:DF:B1:73:62:D0:E1:95:C9:EB:67:3E:EE:4D:2E:55:9F:D7:9D:5E:FD:CE:81:E3:88:23:8E:0C:C9
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
IPAddress: 127.0.0.1
DNSName: networker-mc.emclab.local
]
Trust this certificate? [no]: y
Certificate was added to keystore
[root@networker-mc bin]# ./keytool -import -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -file /nsr/authc/conf/emcauthctomcat.cer
Enter keystore password:
Certificate already exists in keystore under alias <emcnwuiserv>
Do you still want to add it? [no]: y
Certificate was added to keystore
-
使用
keytool -list確認每個金鑰存放區中 emcauthctomcat 簽章相符的憑證的命令:
Linux:./keytool -list -keystore /path/to/keystore -storepass password | grep -A1 emcauth
Windows:keytool -list -keystore "C:\path\to\keystore" -storepass password -
啟動 NetWorker 服務:
Linux:systemctl start networker
Windows:net start nsrd -
嘗試使用
authc_config或authc_mgmt命令:authc_config -u Administrator -e find-all-users
範例:
[root@networker-mc bin]# authc_mgmt -u administrator -e find-all-users Enter password: The query returns 2 records. User Id User Name 1000 administrator 1001 svc_nmc_networker-mc