https://community.hpe.com/t5/imc/imc-7-3-e0605h05-new-sha256-ssl-certificate-not-working-with-any/m-p/7027142#M4928 <P>Hi&nbsp;<SPAN>Matthias,</SPAN></P><P><SPAN>We may have to look into the IMC logs to know the reason for failure, can you share the IMC logs, or log a support case.</SPAN></P> Fri, 30 Nov 2018 07:52:39 GMT drk787 2018-11-30T07:52:39Z https://community.hpe.com/t5/imc/imc-7-3-e0605h05-new-sha256-ssl-certificate-not-working-with-any/m-p/7026704#M4918 <P>Hi Folks,</P><P>last week our ssl-certifticate from HP IMC (IMC 7.3 E0605H05&nbsp; on GNU/Linux CentOS 7.5) was expired, so I've created and signed officially (German Telekom) a new certificate.</P><P>In the last years, I've handled this procedure, too, without any problems.<BR />The steps I've done, were the following:</P><P>Generate private key:</P><PRE># openssl genrsa -des3 -out imc-key.pem 2048</PRE><P>&nbsp;</P><P>Generate a CSR:</P><PRE># openssl req -batch -sha256 -new -key imc-key.pem -out imc-request.pem\<BR />-subj '/C=DE/ST=My State/L=My City/O=My Organization/OU=My Unit/CN=host.domain.tld'</PRE><P>&nbsp;</P><P>Bring the certificate to a compatible format for IMC/Java;</P><PRE># openssl pkcs12 -inkey imc-key.pem -in cert-imc.pem -export -out imc-pfx.pfx </PRE><P>&nbsp;</P><P>Import the certificate to IMC "newks" Java-Keystore:</P><PRE># /opt/iMC/common/jre/bin/keytool -importkeystore -srckeystore discovery-pfx.pfx\ -destkeystore newks -srcstoretype pkcs12 -deststoretype JKS -storepass IMCV500R001 -v</PRE><P>&nbsp;</P><P>&nbsp;Set alias to "imc":</P><PRE># /opt/iMC/common/jre/bin/keytool -changealias -alias 1 -destalias imc -keystore newks -storepass iMCV500R001</PRE><P>&nbsp;</P><P>All the steps are working and without any errors, finally, I've copied the news to /opt/iMC/client/security/newks.<BR />Restarted the services and even the server, but when I try to connect to IMC, the browser says:</P><P>"Waiting for TLS-Handshake..." until timeout.</P><P>Doesn't matter, which browser I use.</P><P>Even edited the /opt/iMC/client/server.xml and followed the steps like mentioned here:<BR /><A href="https://community.hpe.com/t5/IMC/Login-page-SSL-error-after-upgrade-to-iMC-PLAT-v7-3-E0605/td-p/7006967" target="_blank">https://community.hpe.com/t5/IMC/Login-page-SSL-error-after-upgrade-to-iMC-PLAT-v7-3-E0605/td-p/7006967</A></P><P>I tried to import the whole certificate chain, only the server cert.<BR />The cipher of the certificate is: SHA256 with AES<BR />The SSL-section of the server-xml looks like this:</P><P>&lt;!-- HTTPS Connector --&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" compressableMimeType="text/html,text/xml,text/xhtml,text/css,text/javascript,text/plain" compression="on" compressionMinSize="2048" connectionTimeout="60000" disableUploadTimeout="true" enableLookups="false" keystoreFile="security/newks" keystorePass="iMCV500R001" maxHttpHeaderSize="8192" maxPostSize="5242880" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS"/&gt;</P><P>Do you have an further ideas?</P><P>Thanks a lot in advance!</P><P>Best regards,<BR />Matthias</P> Tue, 27 Nov 2018 06:43:55 GMT https://community.hpe.com/t5/imc/imc-7-3-e0605h05-new-sha256-ssl-certificate-not-working-with-any/m-p/7026704#M4918 hungryduck 2018-11-27T06:43:55Z https://community.hpe.com/t5/imc/imc-7-3-e0605h05-new-sha256-ssl-certificate-not-working-with-any/m-p/7027142#M4928 <P>Hi&nbsp;<SPAN>Matthias,</SPAN></P><P><SPAN>We may have to look into the IMC logs to know the reason for failure, can you share the IMC logs, or log a support case.</SPAN></P> Fri, 30 Nov 2018 07:52:39 GMT https://community.hpe.com/t5/imc/imc-7-3-e0605h05-new-sha256-ssl-certificate-not-working-with-any/m-p/7027142#M4928 drk787 2018-11-30T07:52:39Z https://community.hpe.com/t5/imc/imc-7-3-e0605h05-new-sha256-ssl-certificate-not-working-with-any/m-p/7027738#M4937 <P>Hi <a href="https://community.hpe.com/t5/user/viewprofilepage/user-id/1332817">@drk787</a>,<SPAN class="UserName lia-user-name lia-user-rank-HPE-Pro lia-component-message-view-widget-author-username"><A href="https://community.hpe.com/t5/user/viewprofilepage/user-id/1332817" target="_self"><SPAN class=""><BR /></SPAN></A></SPAN></P> <P>thank you very much for your reply.<BR />Which Logs do you need exactly?</P> <P>In the /opt/iMC/client/log/ are plenty log files.<BR />I tried to get the Tomcat Logs (I think iMC uses Apache Tomcat for Java?) to see a certificate/handshake error, but I cant't find them.</P> <P>Yesterday we've updated successfully to iMC 7.3 E05P06, but the SSL certificate problem still exists.</P> <P>Best regards,<BR />Matthias</P> <P>&nbsp;</P> <P>P.S.: At the moment we use a self-signed certifiate, this works:</P> <PRE># /opt/iMC/common/jre/bin/keytool -genkey -v -alias raikey -keystore newks -storepass iMCV500R001 -keypass iMCV500R001 -validity 365 -keysize 2048 -sigalg SHA256withRSA -keyalg RSA -dname "CN=host.domain.tld, OU=R&amp;D, O=Organization, L=City, S=State, C=DE"</PRE> <P>&nbsp;</P> Fri, 07 Dec 2018 05:52:02 GMT https://community.hpe.com/t5/imc/imc-7-3-e0605h05-new-sha256-ssl-certificate-not-working-with-any/m-p/7027738#M4937 hungryduck 2018-12-07T05:52:02Z https://community.hpe.com/t5/imc/imc-7-3-e0605h05-new-sha256-ssl-certificate-not-working-with-any/m-p/7035442#M5020 <P>Anybody got it working?</P><P>Seb</P> Wed, 20 Feb 2019 13:28:11 GMT https://community.hpe.com/t5/imc/imc-7-3-e0605h05-new-sha256-ssl-certificate-not-working-with-any/m-p/7035442#M5020 spgsitsupport 2019-02-20T13:28:11Z