
Replica server connection issue

pyalavarthi
1-Newbie


I am getting the following error in the replica server when trying to do a
handshake with master server. I imported the valid certificates into java
keystore. Still it is giving error about the certificate. I am wondering if
anyone has seen this error and any inputs will be appreciated.


Thu 8/18/11 12:51:43: Thread-1: ERROR : wt.fv.replica - Problem connecting
to host. Message:[javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: timestamp check failed]
Thu 8/18/11 12:51:43: Thread-1: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: timestamp check failed
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
Thu 8/18/11 12:51:43: Thread-1: at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
Thu 8/18/11 12:51:43: Thread-1: at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
Thu 8/18/11 12:51:43: Thread-1: at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:896)
Thu 8/18/11 12:51:43: Thread-1: at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
Thu 8/18/11 12:51:43: Thread-1: at
wt.fv.replica.StandardReplicaService.getConfigCacheFromMaster(StandardReplicaService.java:1071)
Thu 8/18/11 12:51:43: Thread-1: at
wt.fv.replica.StandardReplicaService.access$200(StandardReplicaService.java:137)
Thu 8/18/11 12:51:43: Thread-1: at
wt.fv.replica.StandardReplicaService$FetchThread.run(StandardReplicaService.java:1153)
Thu 8/18/11 12:51:43: Thread-1: at java.lang.Thread.run(Thread.java:619)
Thu 8/18/11 12:51:43: Thread-1: at wt.util.WTThread.run(WTThread.java:370)
Thu 8/18/11 12:51:43: Thread-1: Caused by:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: timestamp check failed
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:251)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:234)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:158)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.validator.Validator.validate(Validator.java:218)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
Thu 8/18/11 12:51:43: Thread-1: ... 16 more
Thu 8/18/11 12:51:43: Thread-1: Caused by:
java.security.cert.CertPathValidatorException: timestamp check failed
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:326)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
Thu 8/18/11 12:51:43: Thread-1: at
java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:246)
Prathap <http://goo.gl/LuT5>
10 REPLIES 10

Prathap,

Did you import the cert file into both the replica and the master?

Thanks

Alexius C. Chukwuka
IT Analyst, Global SAP Basis - TCM
Deere & Company World Headquarters
400 19th St, Moline, IL 61265

Hi Alex,
Yes I imported the cert file in both replica and master sites.


Prathap <http://goo.gl/LuT5>



On Fri, Aug 19, 2011 at 10:15 AM, Chukwuka Alexius C < -> wrote:

> Prathap,
>
> Did you import the cert file into both the replica and the master?
>
> Thanks
>
> *Alexius C. Chukwuka*
> *IT Analyst, Global SAP Basis - TCM*
> Deere & Company World Headquarters
> 400 19th St, Moline, IL 61265
> Office: (309) 765-3133
> Mobile: (319) 429-5336
>
> *From:* Prathap [

Keystore being jssecacerts? Is the replica using SSL too? If so do you have the replica cert in the master keystore?

You're not using SiteMinder or any other client side cert by chance?

Is Apache being challenged on the replica? And if so it just may be that the two servers can't talk to each other.

Hi Ryan,
Replica is using SSL. Also I have the replica cert in master
keystore.
Also the anonymous url (Windchill/servlet/WindchillGW) is not authenticated on
replica server.
We use a custom apache SSO module for authentication purpose on all servers.


Thanks,
Prathap <http://goo.gl/LuT5>



I think that is your problem. I had the same issue with SiteMinder. After un-protecting Windchill/servlet/WindchillGW and specifying "Basic" authentication the error went away and everything started working.

Can you add Windchill/servlet/WindchillGW to be authenticated in a test environment?

jessh
5-Regular Member
(To:pyalavarthi)

WindchillGW access should never require authentication.

Prathap,

If you are using SiteMinder, there is a file called "LocalConfig.conf" located in the Apache load point <loadpoint>/conf. There is a line in this file for ignoring any URL that you DO NOT want to enforce authentication on. The line is similar to below:


ignoreURL=

I agree. Our SiteMinder config was redirecting all URL requests to be authenticated and therefore while the replica was communicating with the master it was being challenged for authentication. By telling it to ignore the URL Windchill/servlet/WindchillGW it resolved our issue.

Thanks for all of your inputs.

I set the following config in Apache/conf/extra/app-Windchill.conf file to
ignore the authentication

<Location /Windchill/servlet/WindchillGW>
Allow from all
Satisfy all
</Location>

I removed the following property from wt.properties which is redirecting to
homepage and thereby prompting for authentication.
#wt.homepage.jsp=$(wt.server.codebase)/wtcore/jsp/wt/portal/index.jsp

I can access the anonymous url without authentication.
Still, I am getting the same error related to certificate handshake.

Thanks,
Prathap <http://goo.gl/LuT5>
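
Added example, not part of any post in this thread: the JDK's PKIX validator raises "timestamp check failed" when a certificate in the path is outside its notBefore/notAfter window at validation time, so one check is to list every certificate in the keystore against the system clock. The class name `KeystoreValidityCheck` and passing the keystore path and password as arguments are assumptions of this sketch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

// Added example: report keystore certificates that are expired or not yet valid "now".
public class KeystoreValidityCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: KeystoreValidityCheck <keystore-file> <password>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Date now = new Date();
        // A wrong system clock produces the same failure as an expired certificate.
        System.out.println("System clock: " + now);
        int bad = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // Key entries carry a chain; trusted-certificate entries carry a single cert.
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null) chain = new Certificate[] { ks.getCertificate(alias) };
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                try {
                    x.checkValidity(now);
                } catch (CertificateExpiredException e) {
                    bad++;
                    report("EXPIRED", alias, x);
                } catch (CertificateNotYetValidException e) {
                    bad++;
                    report("NOT YET VALID", alias, x);
                }
            }
        }
        System.out.println(bad + " certificate(s) outside their validity window");
        System.exit(bad == 0 ? 0 : 1);
    }
    private static void report(String state, String alias, X509Certificate x) {
        System.out.printf("%-13s alias=%s subject=%s notBefore=%s notAfter=%s%n", state,
                alias, x.getSubjectX500Principal().getName(), x.getNotBefore(), x.getNotAfter());
    }
}
```

This only covers certificates stored in the keystore; the chain the peer presents during the handshake can contain an intermediate that is not in the keystore and has to be checked separately.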


