
RSA Security Analytics - LIVE Test Connection Failed - Certificate is signed by an untrusted issuer

Article Number

000033479

Applies To

RSA Product Set: Security Analytics
RSA Product/Service Type: SA Core Appliance
RSA Version/Condition: 10.5.x, 10.6.x
Platform: CentOS
O/S Version: 6

 

Issue

The SA Server cannot connect to cms.netwitness.com over port 443. Clicking "Test Connection" in Live Account returns a "Test connection failed" error.

The Live account credentials verify correctly via https://cms.netwitness.com, and cms.netwitness.com resolves to the correct IP address.

Testing the connection to cms.netwitness.com with curl fails with curl error code 60 (Peer certificate cannot be authenticated with known CA certificates). Sample curl command output:

# curl -v https://<useraccount>:<password>@cms.netwitness.com:443
* About to connect() to cms.netwitness.com port 443 (#0)
*   Trying 69.195.204.202... connected
* Connected to cms.netwitness.com (69.195.204.202) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Certificate is signed by an untrusted issuer: 'E=trmis-trident@td.com,CN=TD Bank Group Internal Browsing,OU=TRMIS,O=TD Bank Group,L=Toronto,ST=Ontario,C=CA'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

The curl command performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.

If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).

It is possible to turn off curl's verification of the certificate, using the -k (or --insecure) option.

Task

A customer certificate is used for SA (the untrusted issuer in the curl output above) and needs to be imported into /etc/pki/java/cacerts for the connection to work.

Resolution

      1. Connect to the SA Server via ssh and export the certificates using the openssl command:
# openssl s_client -showcerts -connect cms.netwitness.com:443

      2. From the output, extract the intermediate and root CA certificates and save them into two separate files.
Note: a certificate is the copy of the section from

-----BEGIN CERTIFICATE-----
to
-----END CERTIFICATE-----

      3. Make a copy of the current cacerts.
# cp /etc/pki/java/cacerts /var/tmp

      4. Import these certificates into SA's cacerts.
# keytool -import -alias int-ca -file <intermediatefile> -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit
# keytool -import -alias ca -file <rootcafile> -trustcacerts -keystore /etc/pki/java/cacerts -storepass changeit

      5. Restart jettysrv.
# stop jettysrv
# start jettysrv

      6. Test the LIVE connection again and confirm that it works.
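
Step 2 is where the wrong block is most easily saved: the first certificate in the -showcerts output is the server's own, not a CA. The script below is an added example, not part of the original article; it splits saved s_client output into one file per certificate and labels each as leaf, intermediate or root. The function name split_chain, the cert-N.pem file names and the sample chain (placeholder bodies, invented CA names) are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Sample data is constructed.

# split_chain OUTDIR  (reads saved `openssl s_client -showcerts` output on stdin)
# Writes OUTDIR/cert-N.pem for each PEM block (N=0 is the server certificate)
# and prints "N|role|subject|issuer" per certificate, where role is "leaf" for
# N=0, "root" when subject equals issuer (self-signed), else "intermediate".
split_chain() {
    mkdir -p "$1" || return 1
    awk -v dir="$1" '
        # s_client prints " N s:<subject>" then "   i:<issuer>" before each block.
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; next }
        /^ *i:/        { sub(/^ *i:/, "");        iss  = $0; next }
        /^-----BEGIN CERTIFICATE-----/ { file = sprintf("%s/cert-%d.pem", dir, n); inpem = 1 }
        inpem { print > file }
        /^-----END CERTIFICATE-----/ {
            inpem = 0; close(file)
            role = (n == 0) ? "leaf" : (subj == iss ? "root" : "intermediate")
            printf "%d|%s|%s|%s\n", n, role, subj, iss
            n++
        }'
}

# Constructed stand-in for s_client output; the PEM bodies are placeholders,
# not real certificates, and the CA names are invented for the example.
sample_s_client_output() {
cat <<'EOF'
Certificate chain
 0 s:/CN=cms.netwitness.com
   i:/O=Example Corp/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAFBODY
-----END CERTIFICATE-----
 1 s:/O=Example Corp/CN=Example Issuing CA
   i:/O=Example Corp/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATEBODY
-----END CERTIFICATE-----
 2 s:/O=Example Corp/CN=Example Root CA
   i:/O=Example Corp/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOTBODY
-----END CERTIFICATE-----
issuer=/O=Example Corp/CN=Example Issuing CA
EOF
}

demo_dir=$(mktemp -d) && sample_s_client_output | split_chain "$demo_dir"
```

Before running the keytool imports in step 4, inspect each CA file with openssl x509 -in <file> -noout -subject -issuer -fingerprint -sha256 and confirm the fingerprint with whoever operates that CA. If no line is labelled root, the server did not send it and the root certificate has to be obtained from the CA owner.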
Version history
Last update: 2021-04-23 10:45 AM
Updated by: RSA-KB-Sync (Administrator)
