Hello,

Thank you for your post.

Please let me know if you are using any proxy at the moment. We might have to import the certificates manually if there is a proxy or if there are any networking software that intercepts and serves as firewall/shapers etc..

Please try the steps below and let me know if it helps.

In some cases, Skyline VA would be in an environment with HTTPS proxy and the proxy certificate might not be trusted by the VA (e.g. self-signed, or signed by customer's CA that's not known to the VA).

In that case, you need to import the certificate(s) in the Java keystore.

The Java keystore is the /usr/java/jre-vmware/lib/security/cacerts file

Download the proxy certificate (assuming your proxy host is myproxy.acme.org and the port is 8080):

echo -n | openssl s_client -connect myproxy.acme.org:8080 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myproxy.cert

Then import the certificate in the keystore:

keytool -importcert -file myproxy.cert -keystore /usr/java/jre-vmware/lib/security/cacerts -alias "myproxy"

When asked for a password, the default one for the Java keystore is "changeit". When asked if you trust the certificate, answer "yes".You may have to restart the collector:

systemctl restart ccf-collector

Make sure you import not only the proxy certificate but also any intermediate/issuer certificates from the certificate chain if the customer has their own CA that's not recognized by the standard root certificates shipped with Java.

Sometimes the command above that saves the certificate might not work well and won 't be able to extract the certificate correctly. Also, that command will extract only the server certificate but not the whole certificate chain that you might want to also import. So, in order to work around that, here's the basic principle:

Part of the first command above is openssl s_client -connect myserver.com:443 which lists only the server certificate. You can try executing that command alone in a terminal and see its output. As you can see above, the output of that command is fed to sed to extract the text portion between

-----BEGIN CERTIFICATE-----

and

-----END CERTIFICATE-----

(those sections are included) and saves that as a certificate file (PEM format). Now, you can use the same principle to extract the whole certificate chain. The following command will list the whole certificate chain:

openssl s_client -host myserver.com -port 443 -prexit -showcerts

It will include multiple PEM sections. However it's a bit tricky to make sed extract those sections, so you'll have to do that manually: copy each separate certificate PEM between these two sections (do not forget to include them as well) and save them as separate files, then import each of them with the keytool command above. Certificate import order doesn't matter.