Article Number
000003107
Applies To
RSA Product Set: NetWitness Platform
RSA Product/Service Type: RSA NetWitness Platform
RSA Version/Condition: 12.0 and later
Platform: CCM
O/S Version: 6/7
Issue
An invalid certificate error occurs in CCM when the customer uses a proxy and a custom certificate. The following error is received in CCM:
org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://cms.netwitness.com:443/authlive/authenticate/CMS": Certificate not verified.; nested exception is javax.net.ssl.SSLException: Certificate not verified.
Cause
Case1:
A few customers use a custom certificate. Because this certificate is unknown to NetWitness, CCM fails to connect to Live, so these customers cannot use CCM.
Case2:
A few customers use a firewall. In that case, the issue occurs when the correct URL is not whitelisted.
Resolution
Case1: Resolution1:
- Use the following openssl command to see the certificate:
openssl s_client -showcerts -connect example.com:443
For example:
openssl s_client -showcerts -connect cms.netwitness.com:443
- Ask the customer for the custom certificate (.pem format).
- Import the custom certificate using the following command:
keytool -importcert -trustcacerts -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit -noprompt -alias <custom-ca-name> -file <path-to-the-cert.pem>
For example:
keytool -importcert -trustcacerts -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit -noprompt -alias entrustG2 -file /root/rachit/entrustG2.pem
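The following is an added example, not part of the original article: a small shell helper that summarises the output of the openssl s_client -showcerts command from the first step, so it is clear which CA certificate to request from the customer before the keytool import. The sample output and the "Example Corp" CA names are constructed for illustration.

```sh
# Added example: summarise `openssl s_client -showcerts` output to identify
# the CA certificate to request before running keytool -importcert.

# Constructed sample output (CA names are made up, PEM body elided).
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = cms.netwitness.com
   i:O = Example Corp, CN = Example Proxy Issuing CA
-----BEGIN CERTIFICATE-----
(body elided)
-----END CERTIFICATE-----
 1 s:O = Example Corp, CN = Example Proxy Issuing CA
   i:O = Example Corp, CN = Example Root CA
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Issuer of the last certificate the server sent: the trust anchor needed.
# Only an exact "---" line ends the chain section; PEM "-----BEGIN" lines do not.
top_issuer() {
  awk '/^Certificate chain/ { c = 1; next }
       c && $0 == "---"     { c = 0 }
       c && /^ +i:/         { sub(/^ +i:/, ""); last = $0 }
       END                  { print last }'
}

# Numeric OpenSSL verification result (0 means the chain verified).
verify_code() {
  awk -F': ' '/Verify return code/ { split($2, a, " "); print a[1]; exit }'
}

# Read s_client output on stdin and print a one-line diagnosis.
diagnose() {
  out=$(cat)
  code=$(printf '%s\n' "$out" | verify_code)
  if [ "$code" = "0" ]; then
    echo "OK: chain verified by OpenSSL"
  else
    echo "UNTRUSTED (code $code): request CA certificate for: $(printf '%s\n' "$out" | top_issuer)"
  fi
}

# Usage: openssl s_client -showcerts -connect cms.netwitness.com:443 </dev/null 2>/dev/null | diagnose
```

The verification result reflects the trust store OpenSSL uses, not the Java keystore that the keytool step updates, so treat it as a pointer to the issuing CA rather than proof that CCM will accept the chain.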
Case1: Resolution2:
Ask the customer to bypass the URL *.netwitness.com in the proxy configuration.
Case2: Resolution:
If customers are using a firewall, they should whitelist the URL live.netwitness.com. The host cms.netwitness.com redirects to live.netwitness.com.