Can't log into SSIM after 4.6.2 upgrade

This issue has been solved. See solution.
joe1026's picture
joe1026
November 9th, 2009

Hi, I just upgraded SSIM to 4.6.2 (Maintenance Pack 2) and when I try to log into the client I get the following message:

The notification service is not running.  This service is required for security reasons.
The application will now exit.

com.symantec.sim.rx.RXAuthException: Unable to validate session
 at com.symantec.sim.sal.auth.rx.SIMAuthManager.getNewAdminSession(SIMAuthManager.java:84)
 at com.symantec.sim.sal.auth.rx.SIMAuthManager.validateCredential(SIMAuthManager.java:216)
 at com.symantec.sim.rx.RXTcpService$WorkerTask.validateSession(RXTcpService.java:915)
 at com.symantec.sim.rx.RXTcpService$WorkerTask.handleMethodCall(RXTcpService.java:723)
 at com.symantec.sim.rx.RXTcpService$WorkerTask.run(RXTcpService.java:654)
 at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
 at java.lang.Thread.run(Thread.java:619)
Caused by: ERROR_DIRMGRAPI_PROXY_SERVER_UNAVAILABLE (1033) java.security.cert.CertificateException: Untrusted Server Certificate Chain
 at com.symantec.management.admin.client.AdminSession.sendRequest(AdminSession.java:2752)
 at com.symantec.management.admin.client.AdminSession.open(AdminSession.java:294)
 at com.symantec.management.admin.client.AdminSession.open(AdminSession.java:278)
 at com.symantec.sim.sal.auth.SesaAuthenticator.authenticate(SesaAuthenticator.java:120)
 at com.symantec.sim.sal.auth.rx.SIMAuthManager.getNewAdminSession(SIMAuthManager.java:79)

I can't log into the web console either.  There I get the message:
java.security.cert.CertificateException: Untrusted Server Certificate Chain

Any suggestions?

Filed under: , ,
0 votes
olaf's picture
olaf
1 week 6 days ago

Are you using a signed

Are you using a signed certificate?

0 votes
joe1026's picture
joe1026
1 week 6 days ago

Yup. I did 2 things but

Yup. I did 2 things but neither worked.

1) First I copied the cacert file from the SSIM box /opt/jdk/jre/lib/security to C:\Program Files\Symantec\Security Information Manager\jre\vm\lib\security (overwrite).  Closed/opened the client and web session and tried again but neither worked. 

2) Second, I copied the cacerts file and the self-signed certificate (ssim.cer) into the directoy: C:\Program Files\Symantec\Security Information Manager\jre\vm\bin.  Then I opened a command prompt (cmd) and I changed directory (cd) to that same directory.  Then I ran the command: keytool -importcert -file ssim.cer -keystore ..\lib\security\cacerts -storepass changeit.  Tried again but didn't work.

0 votes
olaf's picture
olaf
1 week 5 days ago

Did you import the CA

Did you import the CA certificate on the SSIM appliance first?
If the notificationsvc did not start on the SSIM appliance then the CA is not known on the appliance itself.
This might have happened because the Java version on the appliance got updated with MP2.
The keytool on the appliance is located in /opt/jdk/jre/bin/
 

0 votes
olaf's picture
olaf
1 week 5 days ago

You maybe can also find your

Solution

You maybe can also find your old cacerts file in /usr/Symantec/sesa-jdk-<older java version>/jre/lib/security/.
You could then copy the file over to the new version 1.6.0_13

0 votes
SOLUTION
joe1026's picture
joe1026
1 week 5 days ago

No luck yet.  Tried both, but

No luck yet.  Tried both, but still can't login.  Any way to remove the self-signed certificate altogether, if necessary?  Ever since we decided to use a certificate, it has been a pain dealing with Java...

Erorr in web interface:
java.security.cert.CertificateException: Untrusted Server Certificate Chain

Error in client:
Certificate error occured while trying to connect to the specified host.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
 at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
 at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
 at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
 at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
 at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
 at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
 at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
 at com.symantec.sim.app.SimApplication.validateIP(SimApplication.java:955)
 at com.symantec.sim.app.SimApplication$2.construct(SimApplication.java:688)
 at com.symantec.sim.uilib.util.SwingWorker$2.run(SwingWorker.java:169)
 at java.lang.Thread.run(Unknown Source)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
 at sun.security.validator.SimpleValidator.buildTrustedChain(Unknown Source)
 at sun.security.validator.SimpleValidator.engineValidate(Unknown Source)
 at sun.security.validator.Validator.validate(Unknown Source)
 at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
 at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkClientTrusted(Unknown Source)
 at com.symantec.sim.app.security.CustomX509TrustManager.checkServerTrusted(CustomX509TrustManager.java:137)

0 votes
olaf's picture
olaf
1 week 5 days ago

Did you restart all the

Did you restart all the services afterwards or reboot the box?

0 votes
joe1026's picture
joe1026
1 week 5 days ago

Ahh did everything again from

Ahh did everything again from scratch adding the reboot and this time it worked!
Just so you know for further reference I:

1) Copied the cacerts file from /usr/Symantec/sesa-jdk-1.6.0_04/jre/lib/security/ to /usr/Symantec/sesa-jdk-1.6.0_11/jre/lib/security/
2) Reboot
3) Web page worked fine, client still had certificate issues
4) Copied the cacerts file from \opt\jdk\jre\lib\security to c:\Program Files\Symantec\Security Information Manager\jre\vm\lib\security (overwrite)
5) Copied the self-signed certificate to c:\Program Files\Symantec\Security Information Manager\jre\vm\bin (ssim.cer)
6) Opened the cmd window and changed directory to c:\Program Files\Symantec\Security Information Manager\jre\vm\bin

7) Ran the command: keytool -importcert -file ssim.cer -keystore ..\lib\security\cacerts -storepass changeit

Thanks so much for your help!!

0 votes