Certificate Chaining Error Fixed

Recently I was asked to integrate IBM Tivoli Netcool with an external helpdesk application. Though not an uncommon scenario, it was the first time I had performed a web services integration using the IBM Tivoli Business Service Manager (V6.1) flavour of Impact. So I went through the usual procedure of downloading the .wsdl file from the external helpdesk, and from that file I crafted an Impact policy which would raise an incident in the helpdesk application.

However on executing the policy the following error was being displayed:-


This ‘Certificate chaining error’ was obviously preventing the incidents from being raised in the helpdesk.

This ‘Certificate chaining error’ indicates that the intermediate certificate or certificates are not installed on the server. If a certificate is not a self-signed/root certificate it requires that intermediate certificates are installed to link this certificate up to the root certificate authority.

So to fix this problem I needed to import the intermediate certificate into the correct application server trust store.
The TBSM architecture in use was split over two servers, with the TBSM data server on one server (including Impact) and Tivoli Integrated Portal on the other. Therefore, as the problem occurs when I execute the policy, it is the trust store for Impact that will require the imported certificates.
On exploring the TBSM data server the location of the trust store was:-

So to examine the trust.p12 trust store the iKeyman tool was utilised. The default password to access the trust store in question was WebAS.
From the section ‘Key database Content’, Signer Certificates was selected from the drop down box, which displayed the signer certificates currently residing in the store.

There were only two signer certificates present: ‘datapower’ and ‘root’.

As the certificate used by the helpdesk application is not present I needed to import the helpdesk certificate containing the certificate chain.

However, before I can import the certificate I need to export the certificate used by the helpdesk application. To export the certificate an internet browser was used. In this case I used Mozilla Firefox 3.6.27 to export the certificates, but you can use whatever browser you are most comfortable with.

The certificate in question, ‘Thawte SSL CA’, was saved as file type X.509 Certificate with chain (PKCS#7).
The exported certificate was then moved to the TBSM data server and examined via the Java keytool. To examine the certificate the following command was used:-
keytool -printcert -v -file /home/netcool/ThawteSSLCA.p7c
The output of the command is displayed below:-
As you can see the certificate contains both the intermediary certificate ‘Thawte SSL CA’ and the root certificate ‘thawte Primary Root CA’.

To import the certificate into the TBSM trust store (trust.p12) the iKeyman tool was used. The trust store at the below location was opened:-
From the section ‘Key database Content’, Signer Certificates was again selected from the drop down box, which displayed the signer certificates currently residing in the store.
To add the certificate I clicked on the ‘Add’ button and then browsed to the location of the certificate at /home/netcool. This then added the certificate to the ‘Signer Certificates’.

However, since the certificate imported contains the certificate chain iKeyman asks me to select the certificates for import. As I need to import both root and intermediary certificates both certificates were selected.
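The following is an added example, not part of the original post or of any IBM tooling: a name-only model of how a client links a server certificate to a signer in its trust store, showing why the store holding only ‘datapower’ and ‘root’ fails and why importing both Thawte certificates works whichever certificates the helpdesk server sends. The leaf name helpdesk.example.com, the self-signed stand-ins for ‘datapower’ and ‘root’, and the function names are assumptions made for illustration.

```python
# Simplified model: certificates are matched by subject/issuer name only.
# Real TLS validation also verifies signatures, validity dates and extensions.

def cert(subject, issuer):
    return {"subject": subject, "issuer": issuer}

# Constructed sample data. The CA names are those named in the post;
# the leaf name and the two pre-existing signers are placeholders.
ROOT = cert("thawte Primary Root CA", "thawte Primary Root CA")
INTERMEDIATE = cert("Thawte SSL CA", "thawte Primary Root CA")
LEAF = cert("helpdesk.example.com", "Thawte SSL CA")
STORE_BEFORE = [cert("datapower", "datapower"), cert("root", "root")]
STORE_AFTER = STORE_BEFORE + [INTERMEDIATE, ROOT]

def check_chain(leaf, presented, trust_store):
    """Walk issuer links from the leaf towards a trusted signer.

    presented:   extra certificates the server sends in the handshake.
    trust_store: signer certificates held by the client (e.g. trust.p12).
    Returns (ok, path, missing); missing is the issuer name that could not
    be resolved, or None when the path ends at a trusted signer.
    """
    trusted = {c["subject"] for c in trust_store}
    untrusted = {c["subject"]: c for c in presented}
    path, current = [leaf["subject"]], leaf
    while True:
        name = current["issuer"]
        if name in trusted:              # reached a signer the client trusts
            path.append(name)
            return True, path, None
        nxt = untrusted.get(name)
        if nxt is None or name in path:  # gap, loop, or untrusted self-signed
            return False, path, name
        path.append(name)
        current = nxt

if __name__ == "__main__":
    for label, store in (("before import", STORE_BEFORE),
                         ("after import", STORE_AFTER)):
        for sent in ([], [INTERMEDIATE]):
            ok, path, missing = check_chain(LEAF, sent, store)
            print(label, "| server sends", len(sent), "extra cert(s) |",
                  "OK" if ok else "chaining error, missing: " + missing,
                  "| path:", " -> ".join(path))
```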

Once the certificates were in the store iKeyman was closed, and the Impact policy was run once more.
Success, no certificate chaining errors were displayed and the policy was successful.
To verify that the policy did indeed create the ticket I logged into the helpdesk and could immediately see that the incident had been created.

By clicking on the incident I can view more details of the incident I have just created via the Impact component of TBSM.

By Neil Richards
