NetWorker: i comandi authc hanno esito negativo con errore "unable to find valid certification path"

Summary: I comandi authc_config e authc_mgmt non riescono in NetWorker segnalando "unable to find valid certification path to requested target".

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

  • Il server NetWorker viene implementato in un sistema standalone (non in cluster).
  • Comandi di autenticazione di NetWorker (authc_config, authc_mgmt) ha esito negativo con il seguente errore segnalato:
[root@networker-mc bin]# authc_mgmt -u administrator -e find-all-users
Enter password: 
ERROR [main] (DefaultLogger.java:190) - Error executing command. Failure: I/O error on POST request for https://localhost:9090/auth-server/api/v1/sec/authenticate [localhost]: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

  • Questo problema si verifica indipendentemente dall'utilizzo dell'autenticazione Locale NetWorker o dell'autenticazione esterna (LDAP).

 

Cause

Si verifica una mancata corrispondenza nella firma dei certificati emcauthctomcat. Emcauthctomcat è configurato per impostazione predefinita durante l'implementazione di NetWorker. Questo certificato esiste in tre posizioni:

Linux:

  • /nsr/authc/conf/authc.keystore
  • /opt/nsr/authc-server/conf/authc.truststore
  • /opt/nre/java/latest/lib/security/cacerts

 

Windows:

  • C:\Programmi\EMC NetWorker\nsr\authc-server\tomcat\conf\authc.keystore
  • C:\Programmi\EMC NetWorker\nsr\authc-server\conf\authc.truststore
  • C:\Programmi\NRE\java\jre#.#.#_###\lib\security\cacerts

 

[root@networker-mc bin]# ./keytool -list -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit | grep -A1 emcauth 
emcauthctomcat, Oct 7, 2022, trustedCertEntry, 
Certificate fingerprint (SHA-256): 3B:18:1E:DF:39:ED:5B:4B:CF:9F:92:22:E8:D9:96:54:E0:21:A4:EB:06:D6:36:32:03:76:5E:CC:BA:B1:15:6B

[root@networker-mc bin]# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore  | grep -A1 emcauthctom 
Enter keystore password:  
emcauthctomcat, Oct 7, 2022, trustedCertEntry, 
Certificate fingerprint (SHA-256): 3B:18:1E:DF:39:ED:5B:4B:CF:9F:92:22:E8:D9:96:54:E0:21:A4:EB:06:D6:36:32:03:76:5E:CC:BA:B1:15:6B

[root@networker-mc bin]# ./keytool -list -keystore /nsr/authc/conf/authc.keystore | grep -A1 emcauthctomcat
Enter keystore password: 
emcauthctomcat, Jun 29, 2022, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): 93:97:0D:ED:DF:B1:73:62:D0:E1:95:C9:EB:67:3E:EE:4D:2E:55:9F:D7:9D:5E:FD:CE:81:E3:88:23:8E:0C:C9

 

Resolution

Correggere la mancata corrispondenza del certificato.

  1. Creare una copia dei file dell'archivio chiavi esistenti:
    Linux:

    • /nsr/authc/conf/authc.keystore
    • /opt/nsr/authc-server/conf/authc.truststore
    • /opt/nre/java/latest/lib/security/cacerts

    Windows:

    • C:\Programmi\EMC NetWorker\nsr\authc-server\tomcat\conf\authc.keystore
    • C:\Programmi\EMC NetWorker\nsr\authc-server\conf\authc.truststore
    • C:\Programmi\NRE\java\jre#.#.#_###\lib\security\cacerts

     

    NOTA: Il file cacerts si trova nell'istanza JRE configurata di authc. I percorsi mostrati in precedenza si trovano quando è installato NetWorker Runtime Environment (NRE). Se è installato Oracle Java JRE, il file cacerts si trova nel percorso di installazione java in . \lib\security\cacerts.

  2. Sul server NetWorker, aprire un prompt dei comandi admin o root.

  3. Arrestare i servizi server NetWorker:
    Linux: nsr_shutdown
    Windows: net stop nsrd

  4. Modificare la directory in JRE \bin dir.

  5. Utilizzando la sintassi dei comandi seguente, eliminare i certificati emcauthctomcat dalle posizioni dell'archivio chiavi in cui viene osservata la mancata corrispondenza.

    Linux:
    ./keytool -delete -alias emcauthctomcat -keystore /path/to/keystore -storepass password

    Windows:
    keytool -delete -alias emcauthctomcat -keystore "C:\path\to\keystore" -storepass password

    NOTA: La password dell'archivio chiavi Java, indipendentemente dal fatto che NRE o Oracle jre, sia changeit. Il keystore authc è la password del keystore definita dall'utente impostata durante l'installazione guidata di NetWorker (Windows) o lo script /opt/nsr/authc-server/scripts/authc_configure.sh (Linux).

Esempio:

[root@networker-mc bin]# ./keytool -delete -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit  

[root@networker-mc bin]# ./keytool -delete -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore
Enter keystore password:  
[root@networker-mc bin]#

 

  1. Il certificato emcauthctomcat predefinito deve esistere nella seguente posizione:
    Linux: /nsr/authc/conf/emcauthctomcat.cer
    Windows: C:\Programmi\EMC NetWorker\nsr\authc-server\tomcat\conf\emcauthctomcat.cer

  2. Importare il certificato emcauthctomcat predefinito nelle posizioni del keystore:
    Linux:
    ./keytool -import -alias emcauthctomcat -keystore /path/to/keystore -storepass password -file /nsr/authc/conf/emcauthctomcat.cer

    Windows:
    keytool -import -alias emcauthctomcat -keystore "C:\path\to\keystore" -storepass password -file "C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\emcauthctomcat.cer"

Esempio:

[root@networker-mc bin]# ./keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore  -file /nsr/authc/conf/emcauthctomcat.cer
Enter keystore password:  
Owner: CN=networker-mc.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Issuer: CN=networker-mc.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Serial number: bd1993a1
Valid from: Wed Jun 29 12:16:53 EDT 2022 until: Sun Jun 23 12:16:53 EDT 2047
Certificate fingerprints:
         SHA1: E8:7B:C8:DF:4D:24:57:C4:63:34:1F:E8:6D:AA:1F:84:79:61:92:26
         SHA256: 93:97:0D:ED:DF:B1:73:62:D0:E1:95:C9:EB:67:3E:EE:4D:2E:55:9F:D7:9D:5E:FD:CE:81:E3:88:23:8E:0C:C9
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  IPAddress: 127.0.0.1
  DNSName: networker-mc.emclab.local
]

Trust this certificate? [no]:  y
Certificate was added to keystore
[root@networker-mc bin]# ./keytool -import -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -file /nsr/authc/conf/emcauthctomcat.cer   
Enter keystore password:  
Certificate already exists in keystore under alias <emcnwuiserv>
Do you still want to add it? [no]:  y
Certificate was added to keystore

 

  1. Utilizzare il tasto keytool -list per confermare la corrispondenza delle firme emcauthctomcat in ciascuno dei keystore:
    Linux: ./keytool -list -keystore /path/to/keystore -storepass password | grep -A1 emcauth
    Windows: keytool -list -keystore "C:\path\to\keystore" -storepass password

  2. Avviare i servizi NetWorker:
    Linux: systemctl start networker
    Windows: net start nsrd

  3. Tentare di utilizzare un authc_config oppure authc_mgmt comando:
    authc_config -u Administrator -e find-all-users

Esempio:

[root@networker-mc bin]# authc_mgmt -u administrator -e find-all-users
Enter password: 
The query returns 2 records.
User Id User Name           
1000    administrator       
1001    svc_nmc_networker-mc

 

Affected Products

NetWorker

Products

NetWorker Family, NetWorker Series
Article Properties
Article Number: 000204050
Article Type: Solution
Last Modified: 30 Apr 2025
Version:  5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.