6.10 Unable to connect to OPSWAT Product instances that have enabled HTTPS mode
Term | Detail |
Problem | OPSWAT Central Management cannot connect to OPSWAT Product instances that have enabled HTTPS mode. |
Cause | The certificates for the domains that the OPSWAT Product instances belong to have not been added to OPSWAT Central Management's trust store. |
Troubleshooting | Testing connection returns the error "Peer certificate cannot be authenticated with given CA certificate". |
Solution | Ensure that the domains are trusted hosts for OPSWAT Central Management. |
When adding a new OPSWAT Product instance that has enabled HTTPS mode, it's possible to encounter an error as shown in the image below.
One possible cause is that the domain that the instance belongs to is not listed as a trusted host, for example because of missing certificates. To add certificates to OPSWAT Central Management's trust store, please follow the guidelines below:
- Locate the root certificate file (.crt) for the product instance.
- From an elevated command-line interface, enter the command:
  - For Windows
    "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%\lib\security\cacerts" -storepass <password> -alias "<alias>" -file "<rootCA.crt path>"
    Example:
    "%JRE_HOME%\bin\keytool" -importcert -keystore "%JRE_HOME%\lib\security\cacerts" -storepass changeit -alias "ocmCA" -file "C:\Users\admin\Downloads\ocm.crt"
  - For RHEL
    "$JRE_HOME/bin/keytool" -importcert -keystore "$JRE_HOME/lib/security/cacerts" -storepass <password> -alias "<alias>" -file "<rootCA.crt path>"
    Example:
    "$JRE_HOME/bin/keytool" -importcert -keystore "$JRE_HOME/lib/security/cacerts" -storepass changeit -alias "ocmCA" -file "/etc/somewhere/ocm.crt"
  The host machine should have the JRE_HOME (or JAVA_HOME if OPSWAT Central Management is using JDK) environment variable already set so the command can work properly. Replace the following fields with the correct information.
  - <password>: The keystore's password.
  - <alias>: The certificate's alias.
  - <rootCA.crt path>: The path to the product instance's root certificate file.
- Restart OPSWAT Central Management for the changes to take effect.
Another possible cause is that certificates that have already been added are invalid. In this case, please verify that the certificates are valid and add them again if necessary.
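The checks below are an added example, not OPSWAT's own tooling: a pre-import check of the root certificate file and a post-import comparison of its fingerprint with the entry stored under the alias. It assumes openssl is installed and the .crt file is PEM-encoded; the function names are made up for this example.

```bash
# Added example (not OPSWAT tooling). Requires openssl; expects a PEM .crt file.
# Keystore path, password and alias are the values used in the import command.

# SHA-256 fingerprint of a PEM certificate file (empty output if unreadable).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Pre-import check. Returns 0 if the file is a parseable, unexpired,
# self-issued (root) certificate; 2 = unparseable, 3 = expired, 4 = not a root.
check_root_cert() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 3
    subject=$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)
    issuer=$(openssl x509 -in "$1" -noout -issuer | cut -d= -f2-)
    [ "$subject" = "$issuer" ] || return 4
    return 0
}

# SHA-256 fingerprint of the entry stored under an alias in the trust store.
# Uses JRE_HOME, falling back to JAVA_HOME, as described on this page.
truststore_fingerprint() {   # args: keystore storepass alias
    "${JRE_HOME:-$JAVA_HOME}/bin/keytool" -exportcert -rfc -keystore "$1" \
        -storepass "$2" -alias "$3" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Post-import check. Returns 0 only if the alias holds exactly the certificate
# in the file; non-zero means the alias is missing or holds a different
# (for example, older) certificate and the import should be redone.
verify_import() {            # args: crt keystore storepass alias
    want=$(cert_fingerprint "$1")
    got=$(truststore_fingerprint "$2" "$3" "$4")
    [ -n "$want" ] && [ "$want" = "$got" ]
}
```

If `verify_import` fails because the alias already holds a different certificate, remove the old entry with `keytool -delete -alias "<alias>"` against the same keystore before importing again, since `-importcert` refuses to overwrite an existing alias.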