NetWorker:authc 命令失败,并显示“Unable to find valid certification path”
Summary: authc_config和authc_mgmt命令在 NetWorker 报告中失败,报告“unable to find valid certification path to requested target”。
Symptoms
- NetWorker 服务器部署在独立(非群集)系统上。
- NetWorker auth 命令(
authc_config、authc_mgmt) 失败并报告以下错误:
[root@networker-mc bin]# authc_mgmt -u administrator -e find-all-users Enter password: ERROR [main] (DefaultLogger.java:190) - Error executing command. Failure: I/O error on POST request for https://localhost:9090/auth-server/api/v1/sec/authenticate [localhost]: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 无论使用本地 NetWorker 身份验证还是外部 (LDAP) 身份验证,都会发生此问题。
Cause
emcauthctomcat 证书的签名不匹配。默认情况下,在 NetWorker 部署期间配置 emcauthctomcat。此证书存在于三个位置:
Linux:
- /nsr/authc/conf/authc.keystore
- /opt/nsr/authc-server/conf/authc.truststore
- /opt/nre/java/latest/lib/security/cacerts
Windows:
- C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\authc.keystore
- C:\Program Files\EMC NetWorker\nsr\authc-server\conf\authc.truststore
- C:\Program Files\NRE\java\jre#.#.#_###\lib\security\cacerts
[root@networker-mc bin]# ./keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit | grep -A1 emcauth emcauthctomcat, Oct 7, 2022, trustedCertEntry, Certificate fingerprint (SHA-256): 3B:18:1E:DF:39:ED:5B:4B:CF:9F:92:22:E8:D9:96:54:E0:21:A4:EB:06:D6:36:32:03:76:5E:CC:BA:B1:15:6B [root@networker-mc bin]# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore | grep -A1 emcauthctom Enter keystore password: emcauthctomcat, Oct 7, 2022, trustedCertEntry, Certificate fingerprint (SHA-256): 3B:18:1E:DF:39:ED:5B:4B:CF:9F:92:22:E8:D9:96:54:E0:21:A4:EB:06:D6:36:32:03:76:5E:CC:BA:B1:15:6B [root@networker-mc bin]# ./keytool -list -keystore /nsr/authc/conf/authc.keystore | grep -A1 emcauthctomcat Enter keystore password: emcauthctomcat, Jun 29, 2022, PrivateKeyEntry, Certificate fingerprint (SHA-256): 93:97:0D:ED:DF:B1:73:62:D0:E1:95:C9:EB:67:3E:EE:4D:2E:55:9F:D7:9D:5E:FD:CE:81:E3:88:23:8E:0C:C9
Resolution
更正证书不匹配。
-
创建现有密钥库文件的拷贝:
Linux:- /nsr/authc/conf/authc.keystore
- /opt/nsr/authc-server/conf/authc.truststore
- /opt/nre/java/latest/lib/security/cacerts
Windows:
- C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\authc.keystore
- C:\Program Files\EMC NetWorker\nsr\authc-server\conf\authc.truststore
- C:\Program Files\NRE\java\jre#.#.#_###\lib\security\cacerts
提醒:cacerts 文件可在 authc 配置的 JRE 实例中找到。上面显示的路径是安装 NetWorker Runtime Environment (NRE) 时。如果安装了 Oracle Java JRE,则 cacerts 文件位于 .下的 java 安装路径中。\lib\security\cacerts。 -
在 NetWorker 服务器上,打开 admin 或 root 命令提示符。
-
停止 NetWorker 服务器服务:
Linux:nsr_shutdown
Windows:net stop nsrd -
将目录更改为 JRE \bin 目录。
-
使用以下命令语法,从观察到不匹配的密钥库位置删除 emcauthctomcat 证书。
Linux:
./keytool -delete -alias emcauthctomcat -keystore /path/to/keystore -storepass passwordWindows:
keytool -delete -alias emcauthctomcat -keystore "C:\path\to\keystore" -storepass password提醒:Java 密钥库密码(无论 NRE 还是 Oracle jre)是 changeit。authc 密钥库是使用 NetWorker 安装向导 (Windows) 或 /opt/nsr/authc-server/scripts/authc_configure.sh 脚本 (Linux) 时设置的用户定义的密钥库密码。
Example:
[root@networker-mc bin]# ./keytool -delete -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit [root@networker-mc bin]# ./keytool -delete -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore Enter keystore password: [root@networker-mc bin]#
-
默认 emcauthctomcat 证书应存在于以下位置:
Linux:/nsr/authc/conf/emcauthctomcat.cer
Windows:C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\emcauthctomcat.cer -
将默认 emcauthctomcat 证书导入密钥库位置:
Linux:./keytool -import -alias emcauthctomcat -keystore /path/to/keystore -storepass password -file /nsr/authc/conf/emcauthctomcat.cerWindows:
keytool -import -alias emcauthctomcat -keystore "C:\path\to\keystore" -storepass password -file "C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\emcauthctomcat.cer"
Example:
[root@networker-mc bin]# ./keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -file /nsr/authc/conf/emcauthctomcat.cer
Enter keystore password:
Owner: CN=networker-mc.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Issuer: CN=networker-mc.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Serial number: bd1993a1
Valid from: Wed Jun 29 12:16:53 EDT 2022 until: Sun Jun 23 12:16:53 EDT 2047
Certificate fingerprints:
SHA1: E8:7B:C8:DF:4D:24:57:C4:63:34:1F:E8:6D:AA:1F:84:79:61:92:26
SHA256: 93:97:0D:ED:DF:B1:73:62:D0:E1:95:C9:EB:67:3E:EE:4D:2E:55:9F:D7:9D:5E:FD:CE:81:E3:88:23:8E:0C:C9
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
IPAddress: 127.0.0.1
DNSName: networker-mc.emclab.local
]
Trust this certificate? [no]: y
Certificate was added to keystore
[root@networker-mc bin]# ./keytool -import -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -file /nsr/authc/conf/emcauthctomcat.cer
Enter keystore password:
Certificate already exists in keystore under alias <emcnwuiserv>
Do you still want to add it? [no]: y
Certificate was added to keystore
-
使用
keytool -list命令以确认每个密钥库中的 emcauthctomcat 签名匹配:
Linux:./keytool -list -keystore /path/to/keystore -storepass password | grep -A1 emcauth
Windows:keytool -list -keystore "C:\path\to\keystore" -storepass password -
启动 NetWorker 服务:
Linux:systemctl start networker
Windows:net start nsrd -
尝试使用
authc_config或者authc_mgmt命令:authc_config -u Administrator -e find-all-users
Example:
[root@networker-mc bin]# authc_mgmt -u administrator -e find-all-users Enter password: The query returns 2 records. User Id User Name 1000 administrator 1001 svc_nmc_networker-mc