NetWorker: authc-kommandon på klustrade RHEL-serverrapporter "unable to find valid certification path to requested target."

Summary: NetWorker har installerats på ett RHEL-/CentOS Linux-kluster med High Availability. När du kör authc config-kommandon (authc_config, authc_mgmt) returneras kommandot "unable to find valid certification path to requested target". ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

  • NetWorker-serverdriftsättningen har konfigurerats på RHEL-/CentOS 7.x- eller 8.x Linux-servrar med kluster med hög tillgänglighet. 
  • authc_config - och authc_mgmt-kommandon returnerar ett fel med certifikatsökvägen:
root@NWrhelNodeF:~# pcs resource
  * Resource Group: NW_group:
    * fs        (ocf::heartbeat:Filesystem):     Started NWrhelNodeF.emclab.local
    * ip        (ocf::heartbeat:IPaddr):         Started NWrhelNodeF.emclab.local
    * nws       (ocf::EMC_NetWorker:Server):     Started NWrhelNodeF.emclab.local

root@NWrhelNodeF:~# authc_mgmt -u Administrator -p 'authc_password' -e find-all-users
ERROR [main] (DefaultLogger.java:222) - Error while performing Operation:
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://localhost:9090/auth-server/api/v1/sec/authenticate": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • När en nod-failover inträffar finns det en felmatchning mellan certifikaten på den delade /nsr-platsen och den lokala /opt/nsr-platsen på den nya aktiva noden:
root@NWrhelNodeF:~# cd /opt/nre/java/latest/bin
root@NWrhelNodeF:/opt/nre/java/latest/bin#  ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin#  ./keytool -list -keystore /nsr/authc/conf/authc.keystore  -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin#  ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore  -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 1C:32:BF:11:70:93:4E:DF:F5:77:42:DA:98:E5:5A:AF:FC:BB:9A:C6:8D:40:54:6E:77:9D:E2:2F:7D:50:C0:CD
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin#  ./keytool -list -keystore ../lib/security/cacerts -storepass changeit | grep -A1 emcauthctomcat
emcauthctomcat, Jan 31, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 1C:32:BF:11:70:93:4E:DF:F5:77:42:DA:98:E5:5A:AF:FC:BB:9A:C6:8D:40:54:6E:77:9D:E2:2F:7D:50:C0:CD
root@NWrhelNodeF:/opt/nre/java/latest/bin#
Obs! När en nod är aktiv länkas /nsr symboliskt till den delade sökvägen (exempel: /nsr_share/nsr). Det är anledningen till att certifikatet matchas i ovanstående utdata när /nsr_share- och /nsr-utdata jämfördes. Den här sökvägen delas mellan noder. Sökvägarna /opt/nsr och /opt/nre (Java) är dock lokala för varje fysisk nod. Certifikatsignaturerna mellan de delade och de "lokala" certifikaten överensstämmer inte.
  • När den andra noden är aktiv matchar certifikaten mellan "lokala" och "delade" sökvägar
root@NWrhelNodeE:~# pcs resource
  * Resource Group: NW_group:
    * fs        (ocf::heartbeat:Filesystem):     Started NWrhelNodeE.emclab.local
    * ip        (ocf::heartbeat:IPaddr):         Started NWrhelNodeE.emclab.local
    * nws       (ocf::EMC_NetWorker:Server):     Started NWrhelNodeE.emclab.local
root@NWrhelNodeE:~#
root@NWrhelNodeE:~# cd /opt/nre/java/latest/bin
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin#  ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore  -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore  -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore ../lib/security/cacerts -storepass changeit | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
Obs! Ange lösenordet för authc-nyckellagret för -storepass-värdet. Lösenordet för authc-nyckellagret konfigureras under den första konfigurationen när skriptet /opt/nsr/authc-server/scripts/authc_configure.sh körs på varje nod.
  • På den nod där alla certifikat matchar observeras inte fel med certifikatsökvägen:
root@NWrhelNodeE:~# authc_mgmt -u Administrator -p 'authc_password' -e find-all-users
The query returns 1 records.
User Id User Name
1000    administrator

Cause

Innan NetWorker-servrar läggs till i klustret med hjälp av /usr/sbin/networker.cluster konfigureras de som fristående servrar. /opt/nsr/authc-server/scripts/authc_configure.sh körs efter installationen och genererar unika certifikat per nod. Certifikaten som används på den delade platsen matchar den nod som var den aktiva noden där den klustrade NWS-resursen ursprungligen startades. 
 

/nsr-katalogen är symboliskt länkad till /nsr_share/nsr-katalogen som flyttas mellan noder beroende på vilken nod som är den aktuella aktiva noden. /opt/nsr/authc-server/conf/authc.truststore är lokal för varje nod och delas inte när en failover inträffar. Efter en nod-failover matchar signaturer för /nsr/authc/conf/authc.keystore emcauthc-certifikatet med /opt/nsr. certifikat på den första noden men inte den aktuella aktiva noden. 

Resolution

Lösning:

Problemet har åtgärdats i följande NetWorker-versioner:
  • 19.8.0.4
  • 19.9.0.2
Uppgradera till någon av de angivna NetWorker-versionerna (eller senare). NetWorker-paket kan hämtas från: https://www.dell.com/support/home/product-support/product/networker/drivers
 
Obs! När NetWorker har uppgraderats och den klustrade NWS-resursen har startats måste du köra /opt/nsr/authc-server/scripts/authc_configure.sh på den nod där certifikatfelmatch har observerats. Det korrigerar felmatchningen.
  
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore  -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore  -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Oct 20, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 43:80:AC:4A:78:BC:CA:5A:9F:DB:DF:04:30:B3:D1:41:F4:78:31:F8:0E:93:06:5F:F7:D6:A0:5F:E3:86:6B:AA

root@lnx-node1:/opt/nre/java/latest/bin# /opt/nsr/authc-server/scripts/authc_configure.sh
Specify the directory where the Java Standard Edition Runtime Environment (JRE) software is installed [/opt/nre/java/latest]:
The installation process will install an Apache Tomcat instance.
For optimum security, EMC NetWorker Authentication Service will
use a non-root user (nsrtomcat) to start the Apache Tomcat instance.
If your system has special user security requirements, ensure that proper
operational permissions are granted to this non-root user (nsrtomcat).
Please refer to NetWorker Installation Guide.
WARNING: Port 9090 is already in use.
Do you wish to specify a different port number [y]? n
The Apache Tomcat will use "lnx-node1.amer.lan" as the host name.
The Apache Tomcat will use "9090" as the port number.
The NetWorker Authentication Service requires a keystore file to configure encryption and to provide SSL support.
EMC recommends that you specify a keystore password that has a minimum of six characters.
Do you want to use the existing keystore /nsr/authc/conf/authc.keystore [y]?
Specify password for the existing keystore:
The install will use the existing certificate "emcauthctomcat" for Apache Tomcat.
The install will use the existing certificate "emcauthcsaml" for Authentication Service.
The NetWorker Authentication Service defines automatically an administrator user account
named administrator in the NetWorker Authentication Service local database.
This account is specific to the administration of the NetWorker Authentication Service, and
is not related to other administrator accounts on this system.
********************************************************************************************
Password criteria: Minimum required characters - 9 and Maximum allowed characters - 126
Minimum [alphabetic - 2, Uppercase - 1, Lowercase - 1, Numeric - 1, Special character - 1]
********************************************************************************************
Specify an initial password for administrator:
Confirm the password:
Creating the installation log in /opt/nsr/authc-server/logs/install.log.
Performing initialization. Please wait...
The installation completed successfully.

root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore  -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore  -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Oct 20, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48

root@lnx-node1:~# authc_mgmt -u Administrator -e find-all-users
Enter password:
The query returns 1 records.
User Id User Name
1000    administrator
 

Alternativ lösning:

1. Gör noden där certifikaten stämmer överens med den aktiva noden i pcs. Exempel på hur du tar reda på detta visas i fältet Symptom
2. Logga in på den passiva noden (där certifikaten inte matchar). 
3. Använd kommandot nsrssltrust för att skapa en certifikatfil mot den virtuella klusterresursen: 

nsrsltrust -u https:// cluster-hostname:9090 -certificate_file.cer

Exempel:

root@NWrhelNodeF:~# nsrssltrust -u https://NWrhelClusD.emclab.local:9090 -c emcauthctomcat.cer
Fetching server's CA certificate chain / server certificate (if CA is not available)...

Information of the cert chain received from SSL server:

        idx: 0
        subject: /C=US/ST=TX/L=Round Rock/O=DELL/OU=NetWorker/CN=NWrhelNodeE.emclab.local
        issuer: /C=US/ST=TX/L=Round Rock/O=DELL/OU=NetWorker/CN=NWrhelNodeE.emclab.local
        Validity Not Before: Dec 19 17:03:27 2022 GMT
        Validity Not After: Dec 13 17:03:27 2047 GMT
        finger print sha1: 5d31f1a7bb4f3982f213235372503e3835c048e1
        signing algorithm: 1020

Do you trust this certificate(s) entity based on above information? [yes]/[no]:
yes
Https certificate is saved into certfile [emcauthctomcat.cer].

4. Kontrollera att signaturen för det genererade certifikatet matchar signaturen för det delade certifikatet på den aktiva noden:

cd /opt/nre/java/latest/bin
/opt/nre/java/latest/bin/keytool -printcert -file certificate_file.cer | grep SHA256

Exempel:

root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -printcert -file /root/emcauthctomcat.cer | grep SHA256
         SHA256: 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4

root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -printcert -file /nsr_share/nsr/authc/conf/emcauthctomcat.cer | grep SHA256
         SHA256: 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4

5. På noden med de inmatchade certifikaten tar du bort de lokala emcauthctomcat-certifikaten från filen authc.truststore och cacerts.

cd /opt/nre/java/latest/bin
./keytool -delete -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
./keytool -delete -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc-password'

Obs! Om det lyckas returneras inga utdata.

6. Importera certifikatet som genereras med nsrssltrust:

cd /opt/nre/java/latest/bin
./keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc-password" -file certificate_file.cer
./keytool -import -alias emcauthctomcat -keystore/opt/nre/java/latest/lib/security/cacerts-storepass changeit -file certificate_file.cer

Exempel: 
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc-password' -file /root/emcauthctomcat.cer
Owner: CN=NWrhelNodeE.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Issuer: CN=NWrhelNodeE.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Serial number: 6b0ed47e
Valid from: Mon Dec 19 12:03:27 EST 2022 until: Fri Dec 13 12:03:27 EST 2047
Certificate fingerprints:
         SHA1: 5D:31:F1:A7:BB:4F:39:82:F2:13:23:53:72:50:3E:38:35:C0:48:E1
         SHA256: 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  IPAddress: 127.0.0.1
  DNSName: NWrhelNodeE.emclab.local
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -import -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit -file /root/emcauthctomcat.cer
Certificate already exists in keystore under alias <emcnwuiserv>
Do you still want to add it? [no]:  yes
Certificate was added to keystore
 

Test:

För att validera att certifikaten nu är giltiga växlar du klustret till noden genom att tillämpa ovanstående ändringar på:

1. Kommandona authc_mgmt eller authc_config bör nu fungera på den nod de tidigare misslyckades med:

root@NWrhelNodeF:~# authc_mgmt -u Administrator -p 'NetWorker_Admin_password' -e find-all-users
The query returns 1 records.
User Id User Name
1000    administrator

2. För ytterligare verifiering kan vi se att certifikaten överensstämmer från både lokala och delade platser:

root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'authc-password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore  -storepass 'authc-password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore  -storepass 'authc-password' | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore ../lib/security/cacerts -storepass changeit | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4

 

Additional Information

Om AUTHC/NMC-servern är ett centralt fristående NetWorker-system påverkar inte problemet NetWorker Management Console (NMC), NetWorker-webbanvändargränssnittet (NWUI) eller REST API-begäranden.

Affected Products

NetWorker

Products

NetWorker Family, NetWorker Series
Article Properties
Article Number: 000205383
Article Type: Solution
Last Modified: 24 Mar 2025
Version:  9
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.