Troubleshooting
Problem
Loading the P8 health page shows all the domain objects as red.
Symptom
Loading the P8 health page https://MyCPEurl/P8CE/Health shows all the domain objects as red when going through a load balancer and SSL.

Cause
A custom certificate was used for Secure Sockets Layer (SSL) communication with CPE, and it had not been added to the application server's trust store.
Environment
Application server trust store did not have the certificate.
Diagnosing The Problem
Able to go to a single instance of the CPE server and display the Health page with all GCD
Reviewing the application server log showed the following:
[8/28/15 11:03:15:300 EDT] 0000014a SystemOut O CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN "CN=filenetp8ACME.com, OU=ISD, O=ACME Inc., L=Enumclaw, ST=Washington, C=US" was sent from target host:port "filenetp8ACME:443". The signer may need to be added to local trust store "/opt/IBM/WebSphere855/profiles/filenet-dev-server/config/cells/filenet-dev-cell/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml". The extended error message from the SSL handshake exception is: "PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by CN=ACME Inc. Certificate Authority, OU=ACMERoot Certification Authority, O=ACME Inc., C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error".
[8/28/15 11:03:15:300 EDT] 0000014a SystemOut O
[8/28/15 11:03:15:300 EDT] 0000014a SystemOut O
[8/28/15 11:03:15:300 EDT] 0000014a SystemOut O CWPKI0428I:
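An added example (not part of the original technote and not IBM code): a small Python parser that extracts the signer DN, target, trust store, SSL alias and untrusted issuer from CWPKI0022E entries, so the missing signer can be matched to the trust store that needs it. The sample log is constructed from the entry above, and the function and field names are assumptions.

```python
import re

# Field patterns for the CWPKI0022E message text, taken from the log entry above.
FIELDS = {
    "signer_dn": r'A signer with SubjectDN "([^"]+)"',
    "target": r'target host:port "([^"]+)"',
    "trust_store": r'local trust store "([^"]+)"',
    "ssl_alias": r'SSL configuration alias "([^"]+)"',
    "untrusted_issuer": r'certificate issued by (.+?) is not trusted',
}
# A new record starts at a line beginning with a "[M/D/YY " timestamp.
RECORD_START = re.compile(r'(?m)^(?=\[\d{1,2}/\d{1,2}/\d{2} )')

# Constructed sample: the entry shown above, line-wrapped, then repeated once
# with a later (made-up) timestamp to show that repeats are collapsed.
RECORD = '''[8/28/15 11:03:15:300 EDT] 0000014a SystemOut O CWPKI0022E: SSL
HANDSHAKE FAILURE: A signer with SubjectDN
"CN=filenetp8ACME.com, OU=ISD, O=ACME Inc., L=Enumclaw, ST=Washington, C=US" was sent from target host:port "filenetp8ACME:443". The signer may need to be added to
local trust store
"/opt/IBM/WebSphere855/profiles/filenet-dev-server/config/cells/filenet-dev-cell/trust.p12" located in SSL configuration alias "NodeDefaultSSLSettings" loaded from SSL configuration file "security.xml".
The extended error message from the SSL handshake exception is: "PKIX path building failed:
java.security.cert.CertPathValidatorException: The certificate issued by CN=ACME Inc. Certificate Authority, OU=ACMERoot Certification Authority, O=ACME Inc., C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error".
'''
SAMPLE_LOG = RECORD + RECORD.replace("11:03:15:300", "11:04:15:300")

def parse_handshake_failures(log_text):
    """Return one dict per distinct CWPKI0022E failure found in log_text."""
    seen, results = set(), []
    for record in RECORD_START.split(log_text):
        if "CWPKI0022E" not in record:
            continue
        flat = " ".join(record.split())  # undo line wrapping inside the record
        entry = {}
        for name, pattern in FIELDS.items():
            match = re.search(pattern, flat)
            entry[name] = match.group(1) if match else None
        key = tuple(entry.values())
        if key not in seen:  # collapse repeats of the same failure
            seen.add(key)
            results.append(entry)
    return results

if __name__ == "__main__":
    for failure in parse_handshake_failures(SAMPLE_LOG):
        for name, value in failure.items():
            print(f"{name}: {value}")
```

The `untrusted_issuer` field is the CA whose certificate the trust store lacks, which is the value to compare against the signer information shown before it is saved.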
Resolving The Problem
In this instance, IBM WebSphere Application Server is used.
The signer needs to be added to the local trust store. Use the Retrieve from port option in the administrative console to retrieve the certificate and resolve the problem. If you determine that the request is trusted, complete the following steps:
- Log into the administrative console.
- Expand Security and click SSL certificate and key management. Under Configuration settings, click Manage endpoint security configurations.
- Select the appropriate outbound configuration to get to the (cell):filenet-dev-cell management scope.
- Under Related Items, click Key stores and certificates and click the CellDefaultTrustStore key store.
- Under Additional Properties, click Signer certificates and Retrieve From Port.
- Enter filenetp8ACME.com in the Host field, 443 in the Port field, and filenetP8ACME.com_cert in the Alias field.
- Click Retrieve Signer Information.
- Verify that the certificate information is for a certificate that you can trust.
- Click Apply and Save.
Document Information
Modified date: 17 June 2018
UID: swg21965661