
Re: IMC 7.3 E0605H05 - New SHA256 SSL-Certificate not working with any browser

 
hungryduck
Occasional Contributor

IMC 7.3 E0605H05 - New SHA256 SSL-Certificate not working with any browser

Hi Folks,

Last week our SSL certificate for HP IMC (IMC 7.3 E0605H05 on GNU/Linux CentOS 7.5) expired, so I created a new certificate and had it officially signed (German Telekom).

In previous years I handled this procedure without any problems, too.
The steps I took were the following:

Generate private key:

# openssl genrsa -des3 -out imc-key.pem 2048

 

Generate a CSR:

# openssl req -batch -sha256 -new -key imc-key.pem -out imc-request.pem \
-subj '/C=DE/ST=My State/L=My City/O=My Organization/OU=My Unit/CN=host.domain.tld'

 

Bring the certificate to a compatible format for IMC/Java:

# openssl pkcs12 -inkey imc-key.pem -in cert-imc.pem -export -out imc-pfx.pfx 

 

Import the certificate to IMC "newks" Java-Keystore:

# /opt/iMC/common/jre/bin/keytool -importkeystore -srckeystore discovery-pfx.pfx\
  -destkeystore newks -srcstoretype pkcs12 -deststoretype JKS -storepass IMCV500R001 -v

 

 Set alias to "imc":

# /opt/iMC/common/jre/bin/keytool -changealias -alias 1 -destalias imc -keystore newks -storepass iMCV500R001

 

All the steps work without any errors. Finally, I copied newks to /opt/iMC/client/security/newks.
I restarted the services and even the server, but when I try to connect to IMC, the browser says:

"Waiting for TLS-Handshake..." until timeout.

It doesn't matter which browser I use.

I even edited /opt/iMC/client/server.xml and followed the steps mentioned here:
https://community.hpe.com/t5/IMC/Login-page-SSL-error-after-upgrade-to-iMC-PLAT-v7-3-E0605/td-p/7006967

I tried importing the whole certificate chain, and also only the server cert.
The cipher of the certificate is: SHA256 with AES
The SSL section of the server.xml looks like this:

<!-- HTTPS Connector -->
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
           clientAuth="false"
           compressableMimeType="text/html,text/xml,text/xhtml,text/css,text/javascript,text/plain"
           compression="on" compressionMinSize="2048"
           connectionTimeout="60000" disableUploadTimeout="true" enableLookups="false"
           keystoreFile="security/newks" keystorePass="iMCV500R001"
           maxHttpHeaderSize="8192" maxPostSize="5242880"
           maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
           noCompressionUserAgents="gozilla, traviata"
           port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https" secure="true" sslProtocol="TLS"/>

Do you have any further ideas?

Thanks a lot in advance!

Best regards,
Matthias
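
Added example (not part of the original post and not HPE's code): a Python sketch that reads the HTTPS connector quoted above and reports which certificate key type its cipher list requires, which suites lack forward secrecy or AEAD, and whether `keyAlias`/`keyPass` are set. The sample XML is constructed from the post's connector with a placeholder password, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: TLS attributes of the connector in the post; the password is a placeholder.
SERVER_XML = """<Service>
  <Connector SSLEnabled="true" port="8443" scheme="https" secure="true" sslProtocol="TLS"
    keystoreFile="security/newks" keystorePass="PLACEHOLDER"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
             TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"/>
</Service>"""

def classify(suite):
    """Return (key exchange, certificate key type, bulk cipher) for a JSSE suite name."""
    head, sep, tail = suite[len("TLS_"):].partition("_WITH_")
    if not sep:                      # TLS 1.3 names carry no key-exchange/auth part
        return None, None, head.rsplit("_", 1)[0]
    parts = head.split("_")          # "RSA" alone: RSA key transport and RSA authentication
    return parts[0], parts[-1], tail.rsplit("_", 1)[0]

def audit_connector(xml_text):
    """Summarise the TLS-relevant settings of every SSL-enabled Tomcat connector."""
    findings = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        suites = [s.strip() for s in c.get("ciphers", "").split(",") if s.strip()]
        info = [classify(s) for s in suites]
        findings.append({
            "port": c.get("port"),
            # Key type the keystore entry must have for any listed suite to be usable.
            "cert_key_types": sorted({auth for _, auth, _ in info if auth}),
            # Static RSA key transport: no forward secrecy.
            "no_forward_secrecy": [s for s, (kx, _, _) in zip(suites, info) if kx == "RSA"],
            "aead_suites": [s for s, (_, _, bulk) in zip(suites, info)
                            if bulk.endswith(("GCM", "POLY1305"))],
            # Unset keyAlias: Tomcat uses the first key it reads from the keystore.
            "key_alias": c.get("keyAlias"),
            # Unset keyPass: Tomcat uses keystorePass for the private key as well.
            "key_pass_set": c.get("keyPass") is not None,
        })
    return findings

if __name__ == "__main__":
    for finding in audit_connector(SERVER_XML):
        for name, value in finding.items():
            print(f"{name}: {value}")
```

For this connector the report shows an RSA-only cipher list with no AEAD suites, and neither `keyAlias` nor `keyPass` set, so the key entry's own password has to equal `keystorePass` for Tomcat to read it.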

3 REPLIES
drk787
HPE Pro

Hi Matthias,

We may have to look into the IMC logs to find the reason for the failure. Can you share the IMC logs, or log a support case?

Thank You!
I am an HPE Employee

hungryduck
Occasional Contributor

Hi @drk787,

Thank you very much for your reply.
Which logs do you need exactly?

There are plenty of log files in /opt/iMC/client/log/.
I tried to get the Tomcat logs (I think iMC uses Apache Tomcat for Java?) to see a certificate/handshake error, but I can't find them.

Yesterday we successfully updated to iMC 7.3 E05P06, but the SSL certificate problem still exists.

Best regards,
Matthias

 

P.S.: At the moment we use a self-signed certificate, which works:

# /opt/iMC/common/jre/bin/keytool -genkey -v -alias raikey -keystore newks -storepass iMCV500R001 -keypass iMCV500R001 -validity 365 -keysize 2048 -sigalg SHA256withRSA -keyalg RSA -dname "CN=host.domain.tld, OU=R&D, O=Organization, L=City, S=State, C=DE"

 

spgsitsupport
Regular Advisor

Anybody got it working?

Seb