Certificate Chaining Error Fixed
Recently I was asked to integrate IBM Tivoli Netcool with an external helpdesk application. Though not an uncommon scenario, it was the first time I had performed a web services integration using the IBM Tivoli Business Service Manager (V6.1) flavour of Impact. So I went through the usual procedure of downloading the .wsdl file from the external helpdesk, and from that file I crafted an Impact policy which would raise an incident in the helpdesk application.
This ‘Certificate chaining error’ was obviously preventing the incidents from being raised in the helpdesk.
This ‘Certificate chaining error’ indicates that the intermediate certificate or certificates are not installed on the server. If a certificate is not a self-signed/root certificate, it requires intermediate certificates to be installed to link it up to the root certificate authority.
So to fix this problem I needed to import the intermediate certificate into the correct application server trust store.
On exploring the TBSM data server the location of the trust store was:-
From the section ‘Key database Content’ Signer Certificates was selected from the drop down box which displayed the signer certificates currently residing in the store.
There were only two signer certificates present: ‘datapower’ and ‘root’.
As the certificate used by the helpdesk application was not present, I needed to import the helpdesk certificate containing the certificate chain.
However, before I could import the certificate I needed to export the certificate used by the helpdesk application. An internet browser was used for the export; in this case I used Mozilla Firefox 3.6.27, but you can use whatever browser you are most comfortable with.
The certificate in question ‘Thawte SSL CA’ was saved as file type X.509 Certificate with chain (PKCS#7).
The exported certificate was then moved to the TBSM data server and examined via Java keytool. To examine the certificate the following command was used:-
To import the certificate into the TBSM trust store (trust.p12), the iKeyman tool was used. The trust store at the below location was opened:-
To add the certificate I clicked on the ‘Add’ button and then browsed to the location of the certificate at /home/netcool. This then added the certificate to the ‘Signer Certificates’.
However, since the imported certificate contains the certificate chain, iKeyman asked me to select the certificates for import. As I needed to import both root and intermediary certificates, both certificates were selected.
Once the certificates were in the store, iKeyman was closed and the Impact policy was run once more.
To verify that the policy did indeed create the ticket I logged into the helpdesk and could immediately see that the incident had been created.
By clicking on the incident I can view more details of the incident I have just created via the Impact component of TBSM.
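The chain check behind the error can also be run directly against the trust store and the exported PKCS#7 file, before and after the import. The following is an added example, not code from the original post or from IBM: the class name `ChainCheck` and both file arguments are hypothetical. It assumes the JVM's PKCS12 provider exposes the store's signer certificates as certificate entries.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// ChainCheck is a hypothetical name; this class is an added example, not part of TBSM or Impact.
public class ChainCheck {
    // True when 'issuer' is the named issuer of 'cert' and its key verifies cert's signature.
    static boolean issued(X509Certificate cert, Certificate issuer) {
        if (!(issuer instanceof X509Certificate)) return false;
        if (!cert.getIssuerX500Principal().equals(((X509Certificate) issuer).getSubjectX500Principal())) return false;
        try { cert.verify(issuer.getPublicKey()); return true; } catch (Exception e) { return false; }
    }

    // Walks issuer links from 'start' until a trust-store signer is reached or a link is missing.
    static String check(X509Certificate start, KeyStore trust, List<X509Certificate> file) throws Exception {
        X509Certificate cur = start;
        for (int hop = 0; hop <= file.size(); hop++) {  // bound stops loops on malformed input
            String alias = trust.getCertificateAlias(cur);
            if (alias != null) return "trusted, signer '" + alias + "' is in the store";
            for (String a : Collections.list(trust.aliases()))
                if (issued(cur, trust.getCertificate(a))) return "trusted, issued by signer '" + a + "'";
            X509Certificate next = null;
            for (X509Certificate c : file) if (!c.equals(cur) && issued(cur, c)) next = c;
            if (next == null) return "BROKEN, no signer in the store for issuer " + cur.getIssuerX500Principal();
            cur = next;
        }
        return "BROKEN, issuer links form a loop";
    }

    public static void main(String[] args) throws Exception {
        Console con = System.console();  // password is prompted for, not passed on the command line
        if (args.length != 2 || con == null) { System.err.println("usage: java ChainCheck <trust.p12> <chain.p7b>"); System.exit(2); }
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) { trust.load(in, con.readPassword("Trust store password: ")); }
        // generateCertificates() reads a PKCS#7 bundle as well as a single certificate.
        List<X509Certificate> file = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[1])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                file.add((X509Certificate) c);
        }
        for (X509Certificate c : file) System.out.println(c.getSubjectX500Principal() + ": " + check(c, trust, file));
    }
}
```

A `BROKEN` line names the issuer that still has to be added as a signer certificate; after the import every certificate in the file should report `trusted`.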