IBM Support

Unable to login to TEP portal after switch to https communication between TEP client and portal server

Troubleshooting


Problem

Unable to log in to the TEP portal after switching to HTTPS communication between the TEP client and the portal server. The following error is received:
KFWITM392E Internal error occurred during login

Symptom

Customers see the following error message when they try to log in to the TEP portal:
[image: login error message]
The TEP client log shows this error:
5c4f79b5.31880dc0-(null)Thread-33:RestDataBus,0,"RestDataBus.execute(PBasedRequest,User,Property[])") EXCEPTION: Unexpected exception from DataBus.execute()
(5c4f79b5.31880dc0-(null)Thread-33:RestDataBus,0,"RestDataBus.execute(PBasedRequest,User,Property[])") EXCEPTION: java.lang.NullPointerException
(5c4f79b5.31880dc0-(null)Thread-33:RestDataBus,0,"RestDataBus.execute(PBasedRequest,User,Property[])") nul
(5c4f79b5.31975000-(null)Thread-33:RestDataBus,0,"RestDataBus.execute(PBasedRequest,User,Property[])") java.lang.NullPointerException
    at com.ibm.TEPS.REST.Client.RestDataBus.execute(RestDataBus.java:818)
    at com.ibm.TEPS.REST.Client.RestDataBus.executeRequest(RestDataBus.java:401)
    at com.ibm.TEPS.REST.Client.RestDataBus.executeRequest(RestDataBus.java:282)
    at com.ibm.TEPS.REST.Client.QueryModelRestMgr.executeRequest(QueryModelRestMgr.java:238)
    at candle.fw.model.PBasedRequest.execute(PBasedRequest.java:894)
    at candle.fw.model.PBasedRequest.execute(PBasedRequest.java:869)
    at candle.fw.pres.Workplace.authorize(Workplace.java:1298)
    at candle.fw.pres.Workplace.authorize(Workplace.java:1173)
    at candle.fw.pres.dialogs.LogonDialog.processOK(LogonDialog.java:507)
    at candle.fw.pres.dialogs.LogonDialog$3.run(LogonDialog.java:330
(5c4f79b5.31975000-(null)Thread-33:Workplace,0,"Workplace.authorize(Object,Component,boolean)") EXCEPTION: Unexpected Request Exception: KFWITM220E Request failed during execution.
(5c4f79b5.31975000-(null)Thread-33:Workplace,0,"Workplace.authorize(Object,Component,boolean)") EXCEPTION: User has been authorized
(5c4f79b5.31a69240-(null)Thread-33:LogonDialog,0,"LogonDialog.processOK()") EXCEPTION: Unable to Authorize User: candle.fw.util.FailedOperationException
The plug-in log ($candlehome/$binarch/iu/ihs/Plugins/logs/ITMWebServer/http_plugin.log) also shows this error:

[28/Jan/2019:16:52:16.63687] 0000d997 02777910 - ERROR: ESI: getResponse: failed to get response: rc = 2
[28/Jan/2019:16:52:16.63688] 0000d997 02777910 - ERROR: ws_common: websphereHandleRequest: Failed to handle request
[28/Jan/2019:16:52:33.16356] 0000d920 02d77910 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE DN=CN=$hostname,OU=ITMCell,OU=ITMNode,O=IBM,C=US, Serial=00:f6:06:46:34:2c:0a
[28/Jan/2019:16:52:33.16360] 0000d920 02d77910 - ERROR: ws_common: websphereGetStream: Could not open stream
[28/Jan/2019:16:52:33.16361] 0000d920 02d77910 - ERROR: ws_common: websphereExecute: Failed to create the stream
[28/Jan/2019:16:52:33.16362] 0000d920 02d77910 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'ITMNode_ITMServer'on host '$hostname.avisbudget.com'; will try another one
[28/Jan/2019:16:52:33.16363] 0000d920 02d77910 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find an app server to handle this request

Cause

The error is caused by a mismatch between the root and default certificates in the TEPS keystore ($candlehome/keyfiles/keyfile.kdb) and the eWAS keystore (trust.p12/key.p12).

Environment

All environments

Diagnosing The Problem

Switch the http communication between TEP client and Portal server to https communication 

Resolving The Problem

For HTTPS communication between the TEP client and the portal server to work seamlessly, the root and default certificates in the TEPS keystore ($candlehome/keyfiles/keyfile.kdb) and the eWAS keystore (trust.p12/key.p12) must match.
How to verify the certificates (I used Linux as an example):
Set up the environment:

export LD_LIBRARY_PATH=/opt/IBM/ITM/lx8266/gs/lib64:$LD_LIBRARY_PATH

Go to the /opt/IBM/ITM/lx8266/gs/bin directory.

Then execute the following commands and verify the serial numbers of the root/default certificates:

TEPS keystore:

./gsk8capicmd_64 -cert -details -stashed -label root -db /opt/IBM/ITM/keyfiles/keyfile.kdb

./gsk8capicmd_64 -cert -details -stashed -label default -db /opt/IBM/ITM/keyfiles/keyfile.kdb

eWAS Keystore

./gsk8capicmd_64 -cert -details -pw WebAS -type pkcs12 -label root -db /opt/IBM/ITM//lx8266/iw/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/trust.p12

./gsk8capicmd_64 -cert -details -pw WebAS -type pkcs12 -label default -db /opt/IBM/ITM//lx8266/iw/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/key.p12
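
The serial comparison described above, as an added example (not part of the IBM technote and not IBM code): it normalises the serials found in two saved -cert -details outputs and in the GSK_ERROR_BAD_CERT lines of http_plugin.log so they can be compared directly. The "Serial : <hex>" output line format, the function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code). Assumption: "-cert -details" prints "Serial : <hex>".

# Normalise serials line by line: drop colons/blanks, lowercase, strip leading zeros.
norm_serial() {
    tr -d ': \t\r' | tr 'A-F' 'a-f' | sed 's/^0*//'
}

# Serial from saved "gsk8capicmd_64 -cert -details" output read on stdin.
details_serial() {
    sed -n 's/^[[:space:]]*Serial[[:space:]]*:[[:space:]]*//p' | head -n 1 | norm_serial
}

# Unique partner-certificate serials rejected with GSK_ERROR_BAD_CERT in http_plugin.log.
bad_cert_serials() {
    grep 'GSK_ERROR_BAD_CERT' "$1" |
        sed -n 's/.*Serial=\([0-9A-Fa-f:]*\).*/\1/p' | norm_serial | sort -u
}

# Compare the serials in two saved -details outputs (TEPS file, eWAS file).
compare_details() {
    a=$(details_serial < "$1")
    b=$(details_serial < "$2")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        echo "MATCH $a"
    else
        echo "MISMATCH ${a:-none} ${b:-none}"
    fi
}

# Constructed sample inputs: two -details outputs and two plugin log lines.
make_samples() {
    printf 'Label : default\nSerial : 4A1B2C3D5E6F70\n' > "$1/teps_default.txt"
    printf 'Label : default\nSerial : 00f60646342c0a\n' > "$1/ewas_default.txt"
    cat > "$1/http_plugin.log" <<'EOF'
[28/Jan/2019:16:52:33.16356] 0000d920 02d77910 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE DN=CN=host.example,OU=ITMCell,OU=ITMNode,O=IBM,C=US, Serial=00:f6:06:46:34:2c:0a
[28/Jan/2019:16:52:33.16360] 0000d920 02d77910 - ERROR: ws_common: websphereGetStream: Could not open stream
EOF
}

d=$(mktemp -d)
make_samples "$d"
compare_details "$d/teps_default.txt" "$d/ewas_default.txt"
bad_cert_serials "$d/http_plugin.log"
rm -rf "$d"
```

To use it on a real system, redirect each -cert -details command above to a file and pass the TEPS file and the eWAS file to compare_details. A serial reported by bad_cert_serials that appears in the eWAS output but not in the TEPS output is consistent with the mismatch described under Cause.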

If you find a mismatch between the certificates, import the certificate from the eWAS keystore into the TEPS keystore. Use the URL below to perform the operation. Take a backup of the TEPS keystore ($candlehome/keyfiles) before importing the certificate from the eWAS keystore.

https://www.ibm.com/support/knowledgecenter/en/SSTFXA_6.3.0.2/com.ibm.itm.doc_6.3fp2/adminuse/security_ewascertificate.htm

Example:

Delete the existing root and default certificates before importing, since you may want to use the same labels. The command won't overwrite an existing certificate.

NOTE: Take a backup of the entire keystore directory $candlehome/keyfiles before performing the operation below.

./gsk8capicmd_64 -cert -delete -db /opt/IBM/ITM/keyfiles/keyfile.kdb -stashed -label root

./gsk8capicmd_64 -cert -import -db /opt/IBM/ITM//lx8266/iw/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/trust.p12 -pw WebAS -type pkcs12 -label root -target /opt/IBM/ITM/keyfiles/keyfile.kdb  -target_pw IBM61TIV -target_type cms -new_label root

./gsk8capicmd_64 -cert -delete -db /opt/IBM/ITM/keyfiles/keyfile.kdb -stashed -label default

./gsk8capicmd_64 -cert -import -db /opt/IBM/ITM//lx8266/iw/profiles/ITMProfile/config/cells/ITMCell/nodes/ITMNode/key.p12 -pw WebAS -type pkcs12 -label default -target /opt/IBM/ITM/keyfiles/keyfile.kdb  -target_pw IBM61TIV -target_type cms -new_label default

Please always consult with IBM Support before performing the above commands.

Switching from HTTP to HTTPS communication between the TEP client and the TEP portal is not in the scope of this technote, but here are the steps to switch to the HTTPS protocol (a 5-step process):
1. Edit the $CANDLEHOME/config/tep.jnlpt file.
Change http://$HOST$:$PORT$/ to
              https://$HOST$:15201
Add these properties to the custom section, between the <!-- Custom parameters --> and <!-- /Custom parameters --> markers:
<property name="jnlp.tep.connection.protocol" value="https"/>
<property name="jnlp.cnp.http.url.port" value="15201"/>
<property name="jnlp.cnp.http.url.protocol" value="https"/>
2. Edit the $CANDLEHOME/config/component.jnlpt file.
Change
codebase="http://$HOST$:$PORT$/"
to
codebase="https://$HOST$:15201/"
3. Reconfigure the TEP browser client using 'itmcmd config -A cw'
or, on Windows, from the MTEMS (Manage Tivoli Enterprise Monitoring Services) window.
4. Clear the Java cache at the TEP client as follows.
Delete the entire Java directory:
C:\Users\<users>\AppData\LocalLow\<java provider>\Java
Example:
C:\Users\ragus\AppData\LocalLow\ibm\Java
Remember, the AppData directory is hidden, but if you type the above path in the Windows Explorer address bar, the directory is shown. If you are unable to delete the directory, you may need to close all open browsers. Sometimes, you may need to reboot the server.
5. Execute the Java client.
cd to C:\Program Files (x86)\Java\jre1.8.0_112\bin (or the bin directory of whichever Java client you are using), then run:
javaws https://<teps server>:15201/tep.jnlp
Example:
javaws https://hostname.rtp.raleigh.ibm.com:15201/tep.jnlp

Document Location

Worldwide


Document Information

Modified date:
01 February 2019

UID

ibm10869732