1-Visitor

Question

Replica server connection issue

Forum|Forum|14 years ago
August 19, 2011
10 replies
1738 views

I am getting the following error in the replica server when trying to do a
handshake with master server. I imported the valid certificates into java
keystore. Still it is giving error about the certificate. I am wondering if
anyone has see this error and any inputs will be appreciated.

Thu 8/18/11 12:51:43: Thread-1: ERROR : wt.fv.replica - Problem connecting
to host. Message:[javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: timestamp check failed]
Thu 8/18/11 12:51:43: Thread-1: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: timestamp check failed
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
Thu 8/18/11 12:51:43: Thread-1: at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
Thu 8/18/11 12:51:43: Thread-1: at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
Thu 8/18/11 12:51:43: Thread-1: at
sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:896)
Thu 8/18/11 12:51:43: Thread-1: at
sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
Thu 8/18/11 12:51:43: Thread-1: at
wt.fv.replica.StandardReplicaService.getConfigCacheFromMaster(StandardReplicaService.java:1071)
Thu 8/18/11 12:51:43: Thread-1: at
wt.fv.replica.StandardReplicaService.access$200(StandardReplicaService.java:137)
Thu 8/18/11 12:51:43: Thread-1: at
wt.fv.replica.StandardReplicaService$FetchThread.run(StandardReplicaService.java:1153)
Thu 8/18/11 12:51:43: Thread-1: at java.lang.Thread.run(Thread.java:619)
Thu 8/18/11 12:51:43: Thread-1: at wt.util.WTThread.run(WTThread.java:370)
Thu 8/18/11 12:51:43: Thread-1: Caused by:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: timestamp check failed
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:251)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:234)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:158)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.validator.Validator.validate(Validator.java:218)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
Thu 8/18/11 12:51:43: Thread-1: at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
Thu 8/18/11 12:51:43: Thread-1: ... 16 more
Thu 8/18/11 12:51:43: Thread-1: Caused by:
java.security.cert.CertPathValidatorException: timestamp check failed
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:326)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
Thu 8/18/11 12:51:43: Thread-1: at
java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
Thu 8/18/11 12:51:43: Thread-1: at
sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:246)
Prathap <">http://goo.gl/LuT5>

Other

A

achukwuka

1-Visitor

Prathap,

Did you import the cert file into both the replica and the master?

Thanks

Alexius C. Chukwuka
IT Analyst, Global SAP Basis - TCM
Deere & Company World Headquarters
400 19th St, Moline, IL 61265

P

pyalavarthi

Author

1-Visitor

Hi Alex,
Yes I imported the cert file in both replica and master sites.

Prathap <">http://goo.gl/LuT5>

On Fri, Aug 19, 2011 at 10:15 AM, Chukwuka Alexius C <
-> wrote:

> Prathap,****
>
> ** **
>
> Did you import the cert file into both the replica and the master?****
>
> ** **
>
> Thanks****
>
> ** **
>
> *Alexius C. Chukwuka*****
>
> *IT Analyst, Global SAP Basis - TCM*****
>
> Deere & Company World Headquarters****
>
> 400 19th St, Moline, IL 61265****
>
> Office: (309) 765-3133****
>
> Mobile: (319) 429-5336****
>
> ** **
>
> *From:* Prathap [
>
> ** **
>
> ** **

R

rhoffmann

1-Visitor

Keystore being jssecacerts? Is the replica using SSL too? If so do you have the replca cert in the master keystore?

You're not using SiteMinder or any other client side cert by chance?

Is apache being challenged on the replica? and if so it just may be that the two servers can't talk to each other.

P

pyalavarthi

Author

1-Visitor

Hi Ryan,
Replica is using SSL. Also I have the replica cert in master
keystore.
Also the anonymous url(Windchill/servlet/WindchillGW) is not autenticated on
replica server.
We use a custom apache SSO module for authentication purpose on all servers.

Thanks,
Prathap <">http://goo.gl/LuT5>

R

rhoffmann

1-Visitor

I think that is your problem. I had the same issue with SiteMinder. After un-protecting

Windchill/servlet/WindchillGW
And specifying "Basic" authentication the error went away and everything started working.

Can you add Windchill/servlet/WindchillGW

To be authenticated in a test environment?

J

jessh

12-Amethyst

WindchillGW access should never require authentication.

A

achukwuka

1-Visitor

Prathap,

If you are using sitmeinder, there is file called "LocalConfig.conf" located in apache load point <loadpoint>/conf. There is a line in this file for ignoring any url that you DO NOT want to enforce authentication on. The line is similar to below:

ignoreURL=

R

rhoffmann

1-Visitor

I agree. Our SiteMinder config was redirecting all URL requests to be authenticated and therefore while the replica was communicating with the master it was be challenged for authentication. By telling it to ignore the URL Windchill/servlet/WindchillGW it resolved our issue.

P

pyalavarthi

Author

1-Visitor

Thanks for all of your inputs.

I set the following config in Apache/conf/extra/app-Windchill.conf file to
ignore the authentication

<location windchill=" servlet=" windchillgw=">
Allow from all
Satisfy all
</location>

I removed the following property from wt.properties which is redirecting to
homepage and thereby prompting for authentication.
#wt.homepage.jsp=$(wt.server.codebase)/wtcore/jsp/wt/portal/index.jsp

I can access the anonymous url without authentication.
Still, I am getting the same error related to certificate handshake.

Thanks,
Prathap <">http://goo.gl/LuT5>

R

rhoffmann

1-Visitor

Prathap, at this point I would recommend downloading the free version of HTTP watch:
.
and see if it gets stopped in its tracks.

It might list a URL with a 500 error or something else that will give you a clue. What I would expect to see is the replica is getting the door slammed on a particular URL.

I have also used Fiddler and WireShark to troubleshoot these kind of issues but they are a little more complicated in getting them to work with SSL.

For me (and I am by no means an expert) the SSL Handshake is either:

The master and replica do not trust each other via certs.
Something is blocking the handshake.

Sign up

Please use your PTC eSupport account.

Welcome to the PTC Community

Please use your PTC eSupport account.

Scanning file for viruses.

This file cannot be downloaded