6.10 Unable to connect to OPSWAT Product instances that have enabled HTTPS mode

| Term | Detail |
| --- | --- |
| Problem | OPSWAT Central Management cannot connect to OPSWAT Product instances that have enabled HTTPS mode. |
| Cause | The certificates for the domains that the OPSWAT Product instances belong to have not been added to OPSWAT Central Management's trust store. |
| Troubleshooting | Testing connection returns the error "Peer certificate cannot be authenticated with given CA certificate". |
| Solution | Ensure that the domains are trusted hosts for OPSWAT Central Management. |

When adding a new OPSWAT Product instance that has enabled HTTPS mode, you may encounter a connection error.

One possible cause is that the domain that the instance belongs to is not listed as a trusted host, for example because of missing certificates. To add certificates to OPSWAT Central Management's trust store, follow the guidelines below:

  1. Locate the root certificate file (.crt) for the product instance.

  2. From an elevated command-line interface, enter the command:

    1. For Windows

      "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%\lib\security\cacerts" -storepass <password> -alias "<alias>" -file "<rootCA.crt path>"

      Example:

      "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%\lib\security\cacerts" -storepass changeit -alias "ocmCA" -file "C:\Users\admin\Downloads\ocm.crt"

    2. For RHEL

      "$JRE_HOME/bin/keytool" -importcert -keystore "$JRE_HOME/lib/security/cacerts" -storepass <password> -alias "<alias>" -file "<rootCA.crt path>"

      Example:

      "$JRE_HOME/bin/keytool" -importcert -keystore "$JRE_HOME/lib/security/cacerts" -storepass changeit -alias "ocmCA" -file "/etc/somewhere/ocm.crt"

      The host machine should have the JRE_HOME (or JAVA_HOME if OPSWAT Central Management is using JDK) environment variable already set so the command can work properly. Replace the following fields with the correct information.

      1. <password>: The keystore's password.

      2. <alias>: The certificate's alias.

      3. <rootCA.crt path>: The path to the product instance's root certificate file.

  3. Restart OPSWAT Central Management for the changes to take effect.

Another possible cause is that certificates already added to the trust store are invalid. In this case, verify that the certificates are valid and add them again if necessary.
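For RHEL hosts, the import steps above and the validity check mentioned in the last paragraph can be combined into one script. This is an added example, not OPSWAT's own code; it assumes a PEM-encoded root certificate, `openssl` on the PATH, the keystore password exported as `KEYSTORE_PASS`, and a SHA-256 fingerprint of the root CA obtained out of band. The function names and the `KEYTOOL` override are hypothetical.

```shell
#!/bin/sh
# Added example (not OPSWAT code). Assumptions: PEM-encoded certificate,
# openssl on PATH, keystore password exported as KEYSTORE_PASS, and a
# SHA-256 fingerprint of the root CA obtained out of band.
# KEYTOOL is a hypothetical override; it defaults to the page's keytool path.

# Print the certificate's SHA-256 fingerprint as uppercase hex, no colons.
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Succeed only if the file parses, has not expired, and matches the
# expected fingerprint. Return codes: 2 unreadable, 3 expired, 4 mismatch.
check_root_cert() {
    cert=$1
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    got=$(cert_sha256 "$cert")
    [ -n "$got" ] || { echo "not a readable X.509 certificate: $cert" >&2; return 2; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired: $cert" >&2; return 3; }
    [ "$got" = "$want" ] || { echo "fingerprint mismatch, got $got" >&2; return 4; }
}

# Import <cert> under <alias> after the checks above; never overwrite an
# alias that already exists (return 5), then list the new entry.
import_root_cert() {
    name=$1; cert=$2; fp=$3
    kt=${KEYTOOL:-$JRE_HOME/bin/keytool}
    ks="$JRE_HOME/lib/security/cacerts"
    check_root_cert "$cert" "$fp" || return $?
    if "$kt" -list -keystore "$ks" -storepass:env KEYSTORE_PASS \
            -alias "$name" >/dev/null 2>&1; then
        echo "alias already in trust store: $name" >&2; return 5
    fi
    # -storepass:env keeps the password out of the process list and history.
    # -noprompt is acceptable here because the fingerprint was just verified.
    "$kt" -importcert -noprompt -keystore "$ks" -storepass:env KEYSTORE_PASS \
        -alias "$name" -file "$cert" || return 6
    "$kt" -list -keystore "$ks" -storepass:env KEYSTORE_PASS -alias "$name"
}

# Usage (values are placeholders):
#   export KEYSTORE_PASS=...; import_root_cert ocmCA /etc/somewhere/ocm.crt <fingerprint>
```

A certificate imported into `cacerts` is trusted by every application that uses that JRE, so the fingerprint comparison is the step that decides whether the import is safe.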