HP CSA 4.0 - Marketplace Portal does not work after replacing certificate (977 Views)
Reply
Occasional Advisor
Nesib
Posts: 12
Registered: ‎01-30-2013
Message 1 of 6 (977 Views)
Accepted Solution

HP CSA 4.0 - Marketplace Portal does not work after replacing certificate

Instructions for creating self-signed certificate I used from
HP CSA Configuration Guide for Windows pdf file, from page 96 under Configure HP CSA to Use a Self-Signed Certificate:

    Step 1: Create a Keystore and Self-Signed Certificate
    # cd "C:\Program Files\Hewlett-Packard\CSA"
    # keytool -genkeypair -alias CSA -validity 365 -keyalg rsa -keysize 2048 -keystore .\jboss-as-7.1.1.Final\standalone\configuration\.keystore -storepass changeit
    - data&colon; CN=FQDN, OU=HP, O=<not HP>, L=city, ST=province, C=US

    Step 2: Export the Self-Signed Certificate
    # cd "C:\Program Files\Hewlett-Packard\CSA"
    # keytool -export -alias CSA -file C:\Temp\csa_self_signed.crt -keystore .\jboss-as-7.1.1.Final\standalone\configuration\.keystore -storepass changeit

    Step 3: Import the Self-Signed Certificate as a Trusted Certificate
    # keytool -importcert -alias CSA -file C:\Temp\csa_self_signed.crt -trustcacerts -keystore "C:\Program Files (x86)\Java\jre7\lib\security\cacerts" -storepass changeit

    Step 4: Configure the Marketplace Portal
    # vi C:\Program Files\Hewlett-Packard\CSA\portal\conf\mpp.json
    "ca": "C:/Temp/csa_self_signed.crt"

    Step 5: Configure the Web Server
    # vi C:\Program Files\Hewlett-Packard\CSA\jboss-as-7.1.1.Final\standalone\configuration\standalone.xml
    <ssl name="ssl" key-alias="CSA" password="changeit"
    certificate-key-file="C:\Program Files\Hewlett-Packard\CSA/jboss-as-7.1.1.Final/standalone/configuration/.keystore" verify-client="false"/>

    Step 6: Configure Client Browsers (Optional)
    - Microsoft Internet Explorer (it is a default browser):
    Double-click on the csa_self_signed.crt file > Install Certificate... > Next > Place all certificates in the following store
    > Browse... > select Trusted Root Certification Authorities > OK > Next > Finish > Yes

    Step 7: Test SSL Connections
    - open IE web browser and navigate to:
    https://FQDN:8444/csa

I'm able to open HP CSA portal, but when I try to open MPP it says:
    Oh no! Something went wrong...
    There was an error when trying to connect to the service.

Does anyone had this kind of problem?
Any info would be very welcome.

Occasional Visitor
carlos88
Posts: 1
Registered: ‎02-27-2014
Message 2 of 6 (947 Views)

Re: HP CSA 4.0 - Marketplace Portal does not work after replacing certificate

Those steps all look correct to me.

 

One thing to check is that for step 4, there are two "ca" lines that need to be changed:

"provider": {

  ..

  "ca":

}

 

and

 

"idmProvider" {

  "ca"

}

 

The CSA service needs to be restarted after step 5, but I suspect you've done this.

 

 

A second thing to check is look in the .../CSA/portal/logs/mpp.log file after you try to log into MPP and it returns the service unavailable error.  The specific cause of the certificate not being accepted should be in there.

 

 

Occasional Advisor
Nesib
Posts: 12
Registered: ‎01-30-2013
Message 3 of 6 (928 Views)

Re: HP CSA 4.0 - Marketplace Portal does not work after replacing certificate

Hi Carlos

About step 4, I changed "ca" attributes for "provider" and "idmProvider".
CSA services are restarted after changes I made.
In file .../CSA/portal/logs/mpp.log there is no errors.
The most 'suspicious' log in this file would be:
{"level":"info","message":"Not authenticated - redirecting for /","timestamp":"2014-02-28T15:38:04.523Z"}

And yes, it still does not work :)

Best regards, Nesib

Occasional Advisor
Nesib
Posts: 12
Registered: ‎01-30-2013
Message 4 of 6 (899 Views)

Re: HP CSA 4.0 - Marketplace Portal does not work after replacing certificate

[ Edited ]

The problem was at Step 3, here is how that should be done:

 

# keytool -import -alias CSA -file C:\Temp\csa_ss_cert.crt -trustcacerts -keystore "C:\Program Files\Hewlett-Packard\CSA\openjre\lib\security\cacerts" -storepass changeit

NOTE 1: MPP was not working because it was used "C:\Program Files (x86)\Java\jre7\lib\security\cacerts"
NOTE 2: first it is needed to remove the existing alias from the file:
# keytool -list -v -keystore "C:\Program Files\Hewlett-Packard\CSA\openjre\lib\security\cacerts" -storepass changeit
# keytool -delete -alias CSA -keystore "C:\Program Files\Hewlett-Packard\CSA\openjre\lib\security\cacerts" -storepass changeit

 

Best regards, Nesib

Frequent Visitor
Peter Grimsdale
Posts: 3
Registered: ‎03-25-2010
Message 5 of 6 (563 Views)

Re: HP CSA 4.0 - Marketplace Portal does not work after replacing certificate

We have experienced the same issue and despite following the instructions listed we still have an error and the MarketPlace is unavailable.  Error in the mpp.log is "level":"error","message":"Could not communicate with IDM server:  Error: SSL Error: DEPTH_ZERO_SELF_SIGNED_CERT\n

 

Has this been encountered ?

HP Expert
kumiisc
Posts: 15
Registered: ‎01-11-2014
Message 6 of 6 (553 Views)

Re: HP CSA 4.0 - Marketplace Portal does not work after replacing certificate

Is CSA and MPP installed on the same instance ? I, yes there is no need to change on ca attribute

 

There is no need to tinker ca attribute unless MPP on different server ?

Are you using a load blancer to redirect traffic to MPP ? if then its cert also have ot be included into mpp.jspon

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.