3 Replies Latest reply on Jul 13, 2018 8:33 AM by HarishV

    Network connectivity fails

    erives Lurker

      Deploying ver 1.3

       

      Network connectivity fails with the following error:

       

      sun.security.validator.ValidatorException:PKIX path building failed:

      sun.security.provider.certpath.SunCertPathBuildBuilderException: Unable to find certification path to requested target

       

      Do I still need a proxy even though we don't block outbound traffic from the appliance VLAN?

        • 1. Re: Network connectivity fails
          HarishV Enthusiast
          Skyline Community 2/2VMware Employees

          Hello,

           

          Thank you for your post.

           

          Please let me know if you are using any proxy at the moment. We might have to import the certificates manually if there is a proxy or if there is any networking software that intercepts and serves as a firewall/shaper, etc.

           

          Please try the steps below and let me know if it helps.

           

          In some cases, Skyline VA would be in an environment with HTTPS proxy and the proxy certificate might not be trusted by the VA (e.g. self-signed, or signed by customer's CA that's not known to the VA).

          In that case, you need to import the certificate(s) in the Java keystore.

           

           

          The Java keystore is the /usr/java/jre-vmware/lib/security/cacerts file

           

           

          Download the proxy certificate (assuming your proxy host is myproxy.acme.org and the port is 8080):

          echo -n | openssl s_client -connect myproxy.acme.org:8080 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > myproxy.cert

           

           

          Then import the certificate in the keystore:

          keytool -importcert -file myproxy.cert -keystore /usr/java/jre-vmware/lib/security/cacerts -alias "myproxy"

           

           

          When asked for a password, the default one for the Java keystore is "changeit". When asked if you trust the certificate, answer "yes". You may have to restart the collector:

          systemctl restart ccf-collector

           

           

          Make sure you import not only the proxy certificate but also any intermediate/issuer certificates from the certificate chain if the customer has their own CA that's not recognized by the standard root certificates shipped with Java.

           

           

          Sometimes the command above that saves the certificate might not work well and won't be able to extract the certificate correctly. Also, that command will extract only the server certificate but not the whole certificate chain that you might want to also import. So, in order to work around that, here's the basic principle:

          Part of the first command above is openssl s_client -connect myserver.com:443 which lists only the server certificate. You can try executing that command alone in a terminal and see its output. As you can see above, the output of that command is fed to sed to extract the text portion between

          -----BEGIN CERTIFICATE-----

          and

          -----END CERTIFICATE-----

          (those sections are included) and saves that as a certificate file (PEM format). Now, you can use the same principle to extract the whole certificate chain. The following command will list the whole certificate chain:

           

           

          openssl s_client -host myserver.com -port 443 -prexit -showcerts

           

           

          It will include multiple PEM sections. However, it's a bit tricky to make sed extract those sections, so you'll have to do that manually: copy each separate certificate PEM between these two sections (do not forget to include them as well) and save them as separate files, then import each of them with the keytool command above. Certificate import order doesn't matter.
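
The manual copy-and-save step described in the reply above can be scripted. This is an added example, not part of the original thread or of the appliance's tooling. The function names, the per-file alias scheme and the sample input are assumptions, and the sample certificate bodies are constructed placeholders.

```shell
# Added example, not from the thread: split `openssl s_client -showcerts` output
# into one PEM file per certificate, then print (not run) the review commands.
KEYSTORE=/usr/java/jre-vmware/lib/security/cacerts   # path given in the thread
# split_pem_chain PREFIX: read s_client output on stdin, write PREFIX-1.pem,
# PREFIX-2.pem, ... and print the number of distinct certificates written.
split_pem_chain() {
    awk -v prefix="$1" '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; block = "" }
        inside { block = block $0 "\n" }
        /-----END CERTIFICATE-----/ && inside {
            inside = 0
            if (!(block in seen)) {        # skip a certificate printed twice
                seen[block] = 1; n++
                out = prefix "-" n ".pem"
                printf "%s", block > out
                close(out)
            }
        }
        END { print n + 0 }                # a block with no END line is dropped
    '
}

# print_import_cmds PREFIX COUNT: per file, print an identity check, then the import.
print_import_cmds() {
    i=1
    while [ "$i" -le "$2" ]; do
        alias_name="$(basename "$1")-$i"   # keytool needs a unique alias per entry
        echo "openssl x509 -in $1-$i.pem -noout -subject -issuer -fingerprint -sha256"
        echo "keytool -importcert -file $1-$i.pem -keystore $KEYSTORE -alias \"$alias_name\""
        i=$((i + 1))
    done
}

# Constructed s_client-style output, placeholder bodies; third block repeats the first.
sample_output() {
    cat <<'EOF'
 0 s:CN = myproxy.acme.org
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItQ0E=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
EOF
}
```

On the appliance, pipe the real `openssl s_client ... -showcerts` output into `split_pem_chain myproxy` instead of `sample_output`. Run each printed `openssl x509` line and compare the subject, issuer and SHA-256 fingerprint with what your proxy or CA administrator provides before running the matching `keytool` line, because every certificate added to `cacerts` is trusted by all Java TLS clients that use that keystore.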

          • 2. Re: Network connectivity fails
            erives Lurker

            We have a web filter that seems to be the one blocking it.

            • 3. Re: Network connectivity fails
              HarishV Enthusiast
              VMware EmployeesSkyline Community 2/2

              Hello,

               

              Thank you for your response. Please try disabling the web filter and start the deployment again.

               

              Do let me know if you need any assistance.