NetWorker:群集 RHEL 服务器上的 authc 命令报告“无法找到请求目标的有效认证路径”。
Summary: NetWorker 已使用高可用性安装在 RHEL/CentOS Linux 群集上。运行 authc config 命令(authc_config、authc_mgmt)时,命令返回“Unable to find valid certification path to requested target”。
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
- 在使用高可用性群集的 RHEL/CentOS 7.x 或 8.x Linux 服务器上配置 NetWorker 服务器部署。
- authc_config 和 authc_mgmt 命令返回证书路径错误:
root@NWrhelNodeF:~# pcs resource
* Resource Group: NW_group:
* fs (ocf::heartbeat:Filesystem): Started NWrhelNodeF.emclab.local
* ip (ocf::heartbeat:IPaddr): Started NWrhelNodeF.emclab.local
* nws (ocf::EMC_NetWorker:Server): Started NWrhelNodeF.emclab.local
root@NWrhelNodeF:~# authc_mgmt -u Administrator -p 'authc_password' -e find-all-users
ERROR [main] (DefaultLogger.java:222) - Error while performing Operation:
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://localhost:9090/auth-server/api/v1/sec/authenticate": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
- 发生节点故障切换后,共享 /nsr 位置中的证书与新活动节点上的本地 /opt/nsr 位置之间存在不匹配:
root@NWrhelNodeF:~# cd /opt/nre/java/latest/bin
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 1C:32:BF:11:70:93:4E:DF:F5:77:42:DA:98:E5:5A:AF:FC:BB:9A:C6:8D:40:54:6E:77:9D:E2:2F:7D:50:C0:CD
root@NWrhelNodeF:/opt/nre/java/latest/bin#
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore ../lib/security/cacerts -storepass changeit | grep -A1 emcauthctomcat
emcauthctomcat, Jan 31, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 1C:32:BF:11:70:93:4E:DF:F5:77:42:DA:98:E5:5A:AF:FC:BB:9A:C6:8D:40:54:6E:77:9D:E2:2F:7D:50:C0:CD
root@NWrhelNodeF:/opt/nre/java/latest/bin#
提醒:当节点处于活动状态时 /nsr 以符号方式链接到共享路径(例如:/nsr_share/nsr)。这就是为什么在上述输出中比较 /nsr_share 和 /nsr 输出时证书匹配的原因。此路径在节点之间共享;但是,/opt/nsr 和 /opt/nre (Java) 路径是每个物理节点的本地路径。“共享”和“本地”证书之间的证书签名不匹配。
- 当另一个节点处于活动状态时,“本地”和“共享”路径之间的证书匹配
root@NWrhelNodeE:~# pcs resource
* Resource Group: NW_group:
* fs (ocf::heartbeat:Filesystem): Started NWrhelNodeE.emclab.local
* ip (ocf::heartbeat:IPaddr): Started NWrhelNodeE.emclab.local
* nws (ocf::EMC_NetWorker:Server): Started NWrhelNodeE.emclab.local
root@NWrhelNodeE:~#
root@NWrhelNodeE:~# cd /opt/nre/java/latest/bin
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Dec 19, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc_password' | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin#
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -list -keystore ../lib/security/cacerts -storepass changeit | grep -A1 emcauthctomcat
emcauthctomcat, Apr 13, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
提醒:指定 -storepass 值的 authc 密钥库密码。在每个节点上运行 /opt/nsr/authc-server/scripts/authc_configure.sh 脚本时,在初始设置期间配置 authc 密钥库密码。
- 在所有证书匹配的节点上,未观察到证书路径错误:
root@NWrhelNodeE:~# authc_mgmt -u Administrator -p 'authc_password' -e find-all-users The query returns 1 records. User Id User Name 1000 administrator
Cause
在使用 /usr/sbin/networker.cluster 将 NetWorker 服务器添加到群集之前,它们配置为独立服务器。/opt/nsr/authc-server/scripts/authc_configure.sh 在安装后运行,为每个节点生成唯一证书。共享位置中使用的证书与活动节点(群集 nws 资源最初在其中启动的节点)匹配。
/nsr 目录以符号方式链接到 /nsr_share/nsr 目录,该目录在节点之间移动,具体取决于当前活动节点所在的节点。/opt/nsr/authc-server/conf/authc.truststore 是每个节点的本地,并且在发生故障切换时不共享。节点故障切换后,/nsr/authc/conf/authc.keystore emcauthc 证书签名与 /opt/nsr 匹配。初始节点上的证书,但不是当前活动节点上的证书。
Resolution
解决方案:
此问题已在以下 NetWorker 版本中得到修复:- 19.8.0.4
- 19.9.0.2
升级到其中一个列出的 NetWorker 版本(或更高版本)。NetWorker 软件包可从以下网站下载:https://www.dell.com/support/home/product-support/product/networker/drivers
提醒:升级 NetWorker 并启动群集 Nws 资源后,您必须在观察到证书不匹配的节点上重新运行 /opt/nsr/authc-server/scripts/authc_configure.sh 。这将纠正不匹配。
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Oct 20, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 43:80:AC:4A:78:BC:CA:5A:9F:DB:DF:04:30:B3:D1:41:F4:78:31:F8:0E:93:06:5F:F7:D6:A0:5F:E3:86:6B:AA
root@lnx-node1:/opt/nre/java/latest/bin# /opt/nsr/authc-server/scripts/authc_configure.sh
Specify the directory where the Java Standard Edition Runtime Environment (JRE) software is installed [/opt/nre/java/latest]:
The installation process will install an Apache Tomcat instance.
For optimum security, EMC NetWorker Authentication Service will
use a non-root user (nsrtomcat) to start the Apache Tomcat instance.
If your system has special user security requirements, ensure that proper
operational permissions are granted to this non-root user (nsrtomcat).
Please refer to NetWorker Installation Guide.
WARNING: Port 9090 is already in use.
Do you wish to specify a different port number [y]? n
The Apache Tomcat will use "lnx-node1.amer.lan" as the host name.
The Apache Tomcat will use "9090" as the port number.
The NetWorker Authentication Service requires a keystore file to configure encryption and to provide SSL support.
EMC recommends that you specify a keystore password that has a minimum of six characters.
Do you want to use the existing keystore /nsr/authc/conf/authc.keystore [y]?
Specify password for the existing keystore:
The install will use the existing certificate "emcauthctomcat" for Apache Tomcat.
The install will use the existing certificate "emcauthcsaml" for Authentication Service.
The NetWorker Authentication Service defines automatically an administrator user account
named administrator in the NetWorker Authentication Service local database.
This account is specific to the administration of the NetWorker Authentication Service, and
is not related to other administrator accounts on this system.
********************************************************************************************
Password criteria: Minimum required characters - 9 and Maximum allowed characters - 126
Minimum [alphabetic - 2, Uppercase - 1, Lowercase - 1, Numeric - 1, Special character - 1]
********************************************************************************************
Specify an initial password for administrator:
Confirm the password:
Creating the installation log in /opt/nsr/authc-server/logs/install.log.
Performing initialization. Please wait...
The installation completed successfully.
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Oct 20, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'AUTHC_PASSWORD' | grep -A1 emcauthctomcat
emcauthctomcat, Aug 31, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 2A:10:32:F4:09:13:8E:26:2C:11:63:DE:42:EF:AB:75:EF:29:6D:11:82:75:32:B6:27:71:96:FF:9D:A4:53:48
root@lnx-node1:~# authc_mgmt -u Administrator -e find-all-users
Enter password:
The query returns 1 records.
User Id User Name
1000 administrator
解决办法:
1.使证书与 PC 中的活动节点匹配的节点。如何确定这种情况的示例显示在 症状 字段中。
2.登录到被动节点(其中证书不匹配)。
3.使用 nsrssltrust 命令针对虚拟群集资源创建证书文件:
nsrssltrust -u https:// cluster-hostname:9090 -c certificate_file.cer
例子:
root@NWrhelNodeF:~# nsrssltrust -u https://NWrhelClusD.emclab.local:9090 -c emcauthctomcat.cer
Fetching server's CA certificate chain / server certificate (if CA is not available)...
Information of the cert chain received from SSL server:
idx: 0
subject: /C=US/ST=TX/L=Round Rock/O=DELL/OU=NetWorker/CN=NWrhelNodeE.emclab.local
issuer: /C=US/ST=TX/L=Round Rock/O=DELL/OU=NetWorker/CN=NWrhelNodeE.emclab.local
Validity Not Before: Dec 19 17:03:27 2022 GMT
Validity Not After: Dec 13 17:03:27 2047 GMT
finger print sha1: 5d31f1a7bb4f3982f213235372503e3835c048e1
signing algorithm: 1020
Do you trust this certificate(s) entity based on above information? [yes]/[no]:
yes
Https certificate is saved into certfile [emcauthctomcat.cer].
4.确认生成的证书的签名与活动节点上共享证书的签名匹配:
cd /opt/nre/java/latest/bin
/opt/nre/java/latest/bin/keytool -printcert -file certificate_file.cer | grep SHA256
示例:
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -printcert -file /root/emcauthctomcat.cer | grep SHA256
SHA256: 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
root@NWrhelNodeE:/opt/nre/java/latest/bin# ./keytool -printcert -file /nsr_share/nsr/authc/conf/emcauthctomcat.cer | grep SHA256
SHA256: 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
5.在具有不匹配证书的节点上,从 authc.truststore 和 cacerts 文件中删除本地 emcauthctomcat 证书。
cd /opt/nre/java/latest/bin
./keytool -delete -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit
./keytool -delete -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc-password'
提醒:如果成功,则不会返回输出。
6.导入使用 nsrssltrust 生成的证书:
cd /opt/nre/java/latest/bin
./keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc -password' -file certificate_file.cer
./keytool -import -alias emcauthctomcat -keystore/opt/nre/java/latest/lib/security/cacerts-storepass changeit -file certificate_file.cer
示例:
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc-password' -file /root/emcauthctomcat.cer
Owner: CN=NWrhelNodeE.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Issuer: CN=NWrhelNodeE.emclab.local, OU=NetWorker, O=DELL, L=Round Rock, ST=TX, C=US
Serial number: 6b0ed47e
Valid from: Mon Dec 19 12:03:27 EST 2022 until: Fri Dec 13 12:03:27 EST 2047
Certificate fingerprints:
SHA1: 5D:31:F1:A7:BB:4F:39:82:F2:13:23:53:72:50:3E:38:35:C0:48:E1
SHA256: 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: localhost
IPAddress: 127.0.0.1
DNSName: NWrhelNodeE.emclab.local
]
Trust this certificate? [no]: yes
Certificate was added to keystore
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -import -alias emcauthctomcat -keystore /opt/nre/java/latest/lib/security/cacerts -storepass changeit -file /root/emcauthctomcat.cer
Certificate already exists in keystore under alias <emcnwuiserv>
Do you still want to add it? [no]: yes
Certificate was added to keystore
测试:
要验证证书现在是否有效,请将群集故障切换到上述更改应用于:
1 的节点。authc_mgmt或authc_config命令现在应在之前出现故障的节点上运行:
root@NWrhelNodeF:~# authc_mgmt -u Administrator -p 'NetWorker_Admin_password' -e find-all-users
The query returns 1 records.
User Id User Name
1000 administrator
2.对于其他验证,我们可以看到证书与本地和共享位置相匹配:
root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr_share/nsr/authc/conf/authc.keystore -storepass 'authc-password' | grep -A1 emcauthctomcat emcauthctomcat, Dec 19, 2022, PrivateKeyEntry, Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4 root@NWrhelNodeF:/opt/nre/java/latest/bin# root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /nsr/authc/conf/authc.keystore -storepass 'authc-password' | grep -A1 emcauthctomcat emcauthctomcat, Dec 19, 2022, PrivateKeyEntry, Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4 root@NWrhelNodeF:/opt/nre/java/latest/bin# root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass 'authc-password' | grep -A1 emcauthctomcat emcauthctomcat, Apr 13, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4 root@NWrhelNodeF:/opt/nre/java/latest/bin# root@NWrhelNodeF:/opt/nre/java/latest/bin# ./keytool -list -keystore ../lib/security/cacerts -storepass changeit | grep -A1 emcauthctomcat emcauthctomcat, Apr 13, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): 4C:A0:07:70:D2:04:4D:A2:F0:87:5A:75:4A:3A:9F:C3:B6:3A:C0:3B:05:F8:9C:F6:81:01:D5:8C:C7:CE:E6:B4
Additional Information
如果 AUTHC/NMC 服务器是中央独立 NetWorker 系统,则此问题不会影响 NetWorker 管理控制台 (NMC)、NetWorker Web 用户界面 (NWUI) 或 REST API 请求。
Affected Products
NetWorkerProducts
NetWorker Family, NetWorker SeriesArticle Properties
Article Number: 000205383
Article Type: Solution
Last Modified: 24 Mar 2025
Version: 9
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.