DX NetOps

  • 1.  Enable SSL Spectrum OneClick

    Posted Sep 20, 2017 04:55 PM

    Hello all,

     

    I'm trying to enable SSL on my Spectrum OneClick server and keep running into an issue.  I have followed the instructions in the "Configure the Secure Socket on the OneClick Server" documentation but am unable to launch the OneClick web page.  The error I get is:

    This site is not secure
    This might mean that someone’s trying to fool you or steal any info you send to the server. You should close this site immediately.
    Here is a copy of my server.xml file that I modified according to the instructions:
    <Connector
               port="443"
               enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
               acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="true" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="E:/Spectrum/custom/keystore/cacerts"
               keystorePass="changeit">
         </Connector>
    Does anyone see where the problem may be?
    I have tried opening the web page with both IE 11 and Firefox.  Neither one works.
    Thanks in advance,
    Michael


  • 2.  Re: Enable SSL Spectrum OneClick

    Broadcom Employee
    Posted Sep 20, 2017 11:23 PM

    Hi Michael,

     

    That message in a browser (This site is not secure) most likely means that your certificate is not valid or is incorrectly configured.

     

    Have you followed the following docops guide:

     

    Configure OneClick for Secure Sockets Layer - CA Spectrum - 10.1 to 10.1.2 - CA Technologies Documentation 

     

    And what version of Spectrum are you using?



  • 3.  Re: Enable SSL Spectrum OneClick

    Broadcom Employee
    Posted Sep 21, 2017 07:58 AM

    Also, are you using a self signed cert or a CA cert?



  • 4.  Re: Enable SSL Spectrum OneClick

    Posted Sep 21, 2017 11:45 AM

    Yes, I'm using a self signed certificate.



  • 5.  Re: Enable SSL Spectrum OneClick

    Posted Sep 21, 2017 11:47 AM

    Yes, I used the docops for v10.2 and I am running Spectrum 10.2.0.



  • 6.  Re: Enable SSL Spectrum OneClick

    Broadcom Employee
    Posted Sep 26, 2017 09:30 AM

    Were you able to figure this out?

     

    Make sure your /custom/keystore and start over.

     

    If it still doesn’t work after all that, I would suggest opening a support case.

    Cheers

    Jay



  • 7.  Re: Enable SSL Spectrum OneClick

    Broadcom Employee
    Posted Sep 26, 2017 10:21 AM

    I don't know what the email integration is doing, but it looks like it's not working.  Since it didn't post properly in the webpage, here is what I actually replied with. The only thing I'd like to add is what Brad noted -- you are still going to get a "Not Secure" message, however you should still be able to access/open OneClick.

     

    Here was what I wanted to post:

     

    Were you able to figure this out? 

     

    Make sure your <SPECROOT>/tomcat/conf/server.xml has the same redirect port and SSL port.

     

    I.e., from my Windows machine:

     

    <!-- Define a non-SSL HTTP/1.1 Connector on port 8080 -->
        <Connector port="8080" URIEncoding="UTF-8" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" enableLookups="true" redirectPort="8443" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" tcpNoDelay="true" />

        <!-- Define a SSL Coyote HTTP/1.1 Connector on port 443 -->
        <Connector
               port="8443"
               enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
               acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
               keystoreFile="C:/win32app/spectrum/custom/keystore/cacerts"
               keystorePass="changeit">
         </Connector>

       

     

    Make sure your <SPECROOT>/custom/keystore/cacerts file has the self signed cert listed with the alias of tomcatssl

     

    From a shell navigate to the <SPECROOT>/java/bin:

     

    ./keytool -list -v -alias tomcatssl -keystore ../../custom/keystore/cacerts


    You should get output like this, showing the tomcatssl alias with a PrivateKeyEntry, and the Owner and Issuer info should be the same:

     

    Alias name: tomcatssl
    Creation date: Sep 26, 2017
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Jason, OU=Support, O=CA, L=Portsmouth, ST=NH, C=US
    Issuer: CN=Jason, OU=Support, O=CA, L=Portsmouth, ST=NH, C=US
    Serial number: 4a4f0e20
    Valid from: Tue Sep 26 09:11:52 EDT 2017 until: Mon Dec 25 08:11:52 EST 2017

     

    If there are any problems, delete your <SPECROOT>/custom/keystore/cacerts file and copy (don’t replace) the <SPECROOT>/Java/jre/lib/security/cacerts file back into the <SPECROOT>/custom/keystore and start over.

     

    If it still doesn’t work after all that, I would suggest opening a support case. 

    Cheers

    Jay
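
The redirect-port check described in the reply above, extended to three other connector settings that appear in this thread (clientAuth, the cipher list, keystorePass). This is an added example, not part of the original posts or of Spectrum's tooling; `audit_connectors`, the weak-cipher marker list and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the connectors quoted in this thread.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" redirectPort="8443" connectionTimeout="20000" />
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
             clientAuth="true" sslProtocol="TLS"
             ciphers="SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
             keystoreFile="E:/Spectrum/custom/keystore/cacerts"
             keystorePass="changeit" />
</Service></Server>"""

# Assumption: substrings that mark suites generally considered weak today.
WEAK_MARKERS = ("RC4", "3DES", "_DES_", "MD5", "NULL", "EXPORT", "anon")

def audit_connectors(xml_text):
    """Return human-readable findings for the <Connector> elements."""
    connectors = list(ET.fromstring(xml_text).iter("Connector"))
    tls = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    tls_ports = sorted(c.get("port", "?") for c in tls)
    findings = []
    for c in connectors:
        redirect = c.get("redirectPort")
        # A plain-HTTP connector must redirect to a port a TLS connector owns.
        if c not in tls and redirect and redirect not in tls_ports:
            findings.append(f"port {c.get('port')}: redirectPort {redirect} "
                            f"matches no TLS connector (TLS ports: {tls_ports})")
    for c in tls:
        port = c.get("port", "?")
        if c.get("clientAuth", "false").lower() == "true":
            findings.append(f"port {port}: clientAuth=true, every browser "
                            "must present a client certificate")
        suites = [s.strip() for s in c.get("ciphers", "").split(",")]
        weak = [s for s in suites if any(m in s for m in WEAK_MARKERS)]
        if weak:
            findings.append(f"port {port}: weak cipher suites: {', '.join(weak)}")
        if c.get("keystorePass") == "changeit":
            findings.append(f"port {port}: keystorePass is the Java default")
    return findings

if __name__ == "__main__":
    for finding in audit_connectors(SERVER_XML):
        print(finding)
```
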

     



  • 8.  Re: Enable SSL Spectrum OneClick

    Posted Sep 26, 2017 12:10 PM

    I recreated the certificate using the same information and everything worked after that.  Not sure what happened but am now able to launch the OneClick web page in SSL mode and then launch Spectrum.

     

    Thanks all for the input.  It was very helpful.

     

    Michael



  • 9.  Re: Enable SSL Spectrum OneClick

    Broadcom Employee
    Posted Sep 26, 2017 12:19 PM

    Awesome, glad to hear it!



  • 10.  Re: Enable SSL Spectrum OneClick
    Best Answer

    Broadcom Employee
    Posted Sep 26, 2017 10:16 AM

    Hi Michael,

     

    This type of message is normally seen when using a self-signed certificate. There are many reasons why this message could be seen. Some of the reasons are legitimate concerns, and some are the browser's way of informing you that you are not using a "trusted" Certificate Authority signed certificate. I recommend checking the support page for the browser you are using to see what recommendations the browser manufacturer provides about the message.

     

    For example, if you are using Firefox and see the message "Your connection is not secure", it could be due to one of the following reasons:

    • The certificate will not be valid until (date)
    • The certificate expired on (date)
    • The certificate is not trusted because the issuer certificate is unknown
    • The certificate is not trusted because it is self-signed
    • The certificate is only valid for (site name)
    • Corrupted certificate store

    For more information related to Firefox, see  https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean

     

    Thank you,

    Brad
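
The Firefox reasons listed above, checked against the `keytool -list -v` listing quoted earlier in the thread. This is an added example, not code from the posters or from Spectrum; `check_entry` and the host name in the usage line are hypothetical. It assumes an English-locale listing, ignores the time-zone abbreviation, and compares only the CN to the host name (browsers match on subjectAltName, which this listing does not show).

```python
import re
from datetime import datetime

# Constructed from the keytool listing quoted in this thread.
KEYTOOL_OUTPUT = """Alias name: tomcatssl
Creation date: Sep 26, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Jason, OU=Support, O=CA, L=Portsmouth, ST=NH, C=US
Issuer: CN=Jason, OU=Support, O=CA, L=Portsmouth, ST=NH, C=US
Serial number: 4a4f0e20
Valid from: Tue Sep 26 09:11:52 EDT 2017 until: Mon Dec 25 08:11:52 EST 2017
"""

def _parse_date(text):
    # keytool prints e.g. "Tue Sep 26 09:11:52 EDT 2017"; drop the zone
    # abbreviation (5th field) because strptime cannot parse it portably.
    parts = text.split()
    return datetime.strptime(" ".join(parts[:4] + parts[5:]),
                             "%a %b %d %H:%M:%S %Y")

def check_entry(output, hostname, now):
    """Map one keystore entry onto the browser-warning causes listed above."""
    fields = dict(re.findall(
        r"^(Alias name|Entry type|Owner|Issuer): (.*)$", output, re.M))
    validity = re.search(r"^Valid from: (.*?) until: (.*)$", output, re.M)
    start, end = _parse_date(validity.group(1)), _parse_date(validity.group(2))
    cn = re.search(r"CN=([^,]+)", fields["Owner"]).group(1)
    return {
        "alias_ok": fields["Alias name"] == "tomcatssl",
        "has_private_key": fields["Entry type"] == "PrivateKeyEntry",
        "self_signed": fields["Owner"] == fields["Issuer"],
        "not_yet_valid": now < start,
        "expired": now > end,
        # Simplification: CN only, no subjectAltName handling.
        "name_matches": cn.lower() == hostname.lower(),
        # Rounded because the dropped zone shift (EDT to EST) costs an hour.
        "lifetime_days": round((end - start).total_seconds() / 86400),
    }

if __name__ == "__main__":
    print(check_entry(KEYTOOL_OUTPUT, "oneclick.example.com", datetime.now()))
```
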