Importing the remote server SSL certificate for use with the "Access URL", and similar actions (Linux and Windows).

Document created by nelje05 Employee on Mar 26, 2015

Importing the remote server SSL certificate (https) for use with the "Access URL", and similar actions.

 

 

When you attempt to access a URL that is 'https' using the 'Access URL' action, the agent will fail/halt with an error along the lines of:

 

"Handshake Failed / PKIX: Unable to build Certificate path..etc etc"

 

The above is an extremely short summary, but should suffice.  Directions are here, for each operating system - very simple procedure:

 

 

Windows Server, or any other variant for that matter:

 

Section 1 (Grab certificate from site, HTTPS only):

 

 

1. Open the site with the SSL certificate you want.

2. After you proceed to the site anyway, open the options for the SSL certificate (for displaying, exporting, etc.) and click the link at the bottom for 'View Certificates'. FYI: This was found just to the right on my address bar.

3. A new menu will pop up; click the 'Details' tab, and then 'Copy to File' (bottom right in most versions).

4. Now, ensure 'DER encoded binary X.509' is selected, then hit Next.

5. Put in a path to the desired filename (or browse to the location you want and save). Remember this location, of course.

 

Section 2 (Install certificate to local jre store for Agent(s)):

 

1. Open a command prompt (WINDOWSKEY + R, enter 'cmd', no quotes).

2. Switch directories to the jre lib security folder of the Agent. For example, assuming you are installed in the default path: cd "\path\to\NolioAgent\jre\lib\security" ( *** NOTE: If you run 'dir' here, you should see a cacerts file in this directory ).

3. Now, import the .cer certificate we exported in the previous section, simply run the following:

 

         keytool -importcert -file cert.cer -alias sscert1 -keystore cacerts

 

4. keytool will ask you to confirm that you want to import this certificate as trusted, and may ask for the keystore password. Unless the password was previously modified, enter 'changeit'.

5. Restart the deployer/agent, then re-run the action without changing any of the action's properties. This should be successful.

 

 

 

Linux, any variant for the most part:

 

Section 1 (Grab certificate from site, HTTPS only):

 

1. Open a shell on the agent, or at least one of them, that will be doing the retrieval via https (SSL/TLS), and switch to the base installation directory of the agent (eg: /usr/bin/NolioAgent).

2. Retrieve the SSL certificate from the destination URL using OpenSSL:

 

openssl s_client -connect website.com:443 -showcerts

 

This will dump the certificate information; you should see an openssl cert fly by. Copy the certificate, from the '-----BEGIN CERTIFICATE-----' line through the '-----END CERTIFICATE-----' line, inclusive.

 


 

 

3. Then take the copied certificate and paste it into a file; we can call it blah.crt in our case.

4. Next, we need to import this certificate into the jre cacerts trust store.

 

a. Run the following:

         keytool -importcert -file blah.crt -alias trustedCertEntry -keystore jre/lib/security/cacerts

 

When prompted for a password here, enter 'changeit'. The certificate stored in blah.crt from earlier should now be stored in the jre truststore for the agent.

 

Note: if you have more than 1 deployer that needs to do this as well, simply copy the 'cacerts' file updated by the last command to the other agent(s), no restart required.

 

 

Attempt to access the URL again using the same action, it should now succeed.
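Both procedures above trust whatever certificate the server presents at the moment you fetch it. The following is an added example (not part of the original document or the product) of the Linux steps with a fingerprint check in front of the import: it assumes you have obtained the server's expected SHA-256 fingerprint out-of-band, for example from the server's administrator, and the function names first_pem, norm_fp and import_pinned are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: compare the fetched certificate with a known fingerprint
# before importing it into the agent's cacerts trust store.

# Keep only the first PEM block of `openssl s_client -showcerts` output.
# With -showcerts the server's own certificate is printed first, then the chain.
first_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ }
       n == 1 { print }
       /-----END CERTIFICATE-----/ { if (n == 1) n = 2 }'
}

# Normalise a fingerprint: drop any "... Fingerprint=" prefix, colons and
# whitespace, and upper-case the hex digits so two spellings compare equal.
norm_fp() {
  printf '%s' "${1#*=}" | tr -d ':[:space:]' | tr 'a-f' 'A-F'
}

# usage: import_pinned HOST EXPECTED_SHA256 ALIAS KEYSTORE
import_pinned() {
  local host=$1 want got pem
  want=$(norm_fp "$2")
  pem=$(openssl s_client -connect "$host:443" -servername "$host" \
          -showcerts </dev/null 2>/dev/null | first_pem)
  got=$(norm_fp "$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256)")
  if [ -z "$got" ] || [ "$got" != "$want" ]; then
    echo "fingerprint mismatch for $host (got ${got:-none}); not importing" >&2
    return 1
  fi
  printf '%s\n' "$pem" > "$host.crt"
  # keytool prompts for the keystore password, as in the steps above.
  keytool -importcert -noprompt -file "$host.crt" -alias "$3" -keystore "$4" &&
    keytool -list -alias "$3" -keystore "$4"   # confirm the entry is present
}

# Run only when all four arguments are given, e.g.:
#   ./import_pinned.sh website.com '<expected fingerprint>' sscert1 jre/lib/security/cacerts
if [ "$#" -eq 4 ]; then
  import_pinned "$@"
fi
```

On Windows, the fingerprint of the exported file can be checked the same way before step 3 of Section 2 with keytool -printcert -file cert.cer.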
