Issue connecting to ATM and EMS GUI.

Article ID: CTX228682

Description

Current versions of the Chrome and Firefox browsers refuse access to secure (HTTPS) sites that present DSA certificates. The ATM and BEM GUIs currently use a self-signed DSA certificate.

The browsers return the following error: "The page you are trying to view cannot be shown because the authenticity of the received data could not be verified" (the original article shows a screenshot of this message).

Resolution

Workarounds:

T3100 version 1.4.8 onwards and all ATM versions

To work around this issue, the GUI must use a re-generated RSA certificate.

Important Note: Replace the keystore file only if the ATM or BEM uses the factory default self-signed certificate. If you have acquired a formal certificate, do not proceed with the procedure below; instead, contact Citrix Bytemobile Customer Support.

Replacement is needed only on all ATM versions, T3100 1.4.8 onwards, and BEM versions prior to 2.2.1.0.

  1. Backup the current keystore file and related configuration files on both CSMs. The files to be backed up are as follows:
    /opt/bmi/platform_gui/servicemix/sslKeystore/t3100.keystore
    /opt/bmi/platform_gui/servicemix/etc/jetty.xml (if exists)
    /opt/bmi/platform_gui/servicemix/etc/jetty.allInterfaces.xml (if exists)
    /opt/bmi/platform_gui/servicemix/etc/jetty.mgmtIP.xml (if exists)
    /opt/bmi/platform_gui/servicemix/etc/org.ops4j.pax.web.cfg
    /opt/bmi/platform_gui/servicemix/etc/system.properties
    
  2. Replace the existing keystore file. If the file /opt/bmi/platform_gui/servicemix/etc/jetty.xml exists, do the following:
    • On the active CSM, copy the attached keystore file "t3100.keystore" to the /opt/bmi/platform_gui/servicemix/sslKeystore/ directory:
      # cp t3100.keystore /opt/bmi/platform_gui/servicemix/sslKeystore/
      
    • On the active CSM, copy the 3 attached "jetty*.xml" files to the /opt/bmi/platform_gui/servicemix/etc/ directory:
      # cp jetty*.xml /opt/bmi/platform_gui/servicemix/etc/
      
    • On the active CSM, restart the SVC-GUI process:
      # bmproc --restart SVC-GUI
      
    • Now repeat the first two steps (copying the keystore and the jetty*.xml files) on the standby CSM only. Do not repeat the third step; the SVC-GUI process must not be restarted again.

If you need to roll back, restore the backed-up files listed above and restart the SVC-GUI process.

BEM/EMS prior to 2.2.1.0

A new RSA certificate must be used to resolve this issue. Replacement is needed only on BEM versions prior to 2.2.1.0.

IMPORTANT:

  • If you have acquired a formal certificate, do not proceed with the procedure below; instead, contact Citrix Bytemobile Customer Support.
  • If the file "/opt/bmi/ems/servicemix/etc/jetty.xml" does NOT exist, the current system version does not support excluding weak ciphers. If weak ciphers are a concern, upgrade the platform to the latest version.
  1. Backup the current keystore file and related configuration files from all the BEM nodes:
    /opt/bmi/ems/servicemix/sslKeystore/keystore
    /opt/bmi/ems/servicemix/etc/jetty.xml (If exists)
    /opt/bmi/ems/servicemix/etc/org.ops4j.pax.web.cfg
    /opt/bmi/ems/servicemix/etc/system.properties
    
  2. Copy the new "jetty.xml" file to both BEM nodes, replacing the current one:
    [root@localhost ~]# cp jetty_v3.xml /opt/bmi/ems/servicemix/etc/jetty.xml
    cp: overwrite `/opt/bmi/ems/servicemix/etc/jetty.xml'? y
    [root@localhost ~]#
    
  3. Import the new keystore file attached to this KB. As noted above, if a formal (non-self-signed) certificate has already been deployed, do not proceed with the following steps.
    • Enter the emscli certificate mode:
      [root@localhost ~]# emscli
      Bytemobile Element Manager version 2.2.0.0-3031
      Copyright (C) Citrix Systems, Inc. All Rights Reserved
       Type help [topic] for more information.
       Type quit or Ctrl-D to leave this console.
      [root@localhost.localdomain]$ config
      [root@localhost.localdomain(config)]$ certificate
      
    • Run the import command as shown below and answer 'yes' at the confirmation prompt. The usage of the import command is "import keystore storetype storepass alias keypass", where:
      keystore: the path of the generated keystore file
      storetype: JKS for the generated keystore file
      storepass: the keystore password specified when generating
      alias: the alias specified when generating
      keypass: the key password specified when generating

      Both the keypass and the storepass of the provided keystore file are "fusion" (stored as an encrypted string). The alias of the provided keystore file is "BEM":
      [root@localhost.localdomain(config-certificate)]$ import /root/keystore JKS fusion BEM fusion
      Alias name: BEM
      Creation date: Mar 18, 2015
      Entry type: PrivateKeyEntry
      Certificate chain length: 1
      Certificate[1]:
      Owner: CN=BEM, OU=BEM, O=CITRIX, L=BJ, ST=BJ, C=CN
      Issuer: CN=BEM, OU=BEM, O=CITRIX, L=BJ, ST=BJ, C=CN
      Serial number: 7e0ceebe
      Valid from: Wed Mar 18 14:38:54 CST 2015 until: Sat Mar 15 14:38:54 CST 2025
      Certificate fingerprints:
               MD5:  9C:85:DA:59:1D:B1:2C:21:FC:D0:3C:D0:74:73:79:8E
               SHA1: B9:97:85:FA:B8:55:52:B3:48:1B:84:8B:A5:B1:71:6C:73:74:B3:80
               SHA256: F8:B6:D5:FF:0A:20:C0:DB:7E:4E:0E:BE:A5:43:E8:C7:97:7B:C6:51:11:DF:C7:A3:E3:5F:95:85:99:90:53:A8
               Signature algorithm name: SHA256withRSA
               Version: 3
      Extensions:
      #1: ObjectId: 2.5.29.14 Criticality=false
      SubjectKeyIdentifier [
      KeyIdentifier [
      0000: D1 F3 83 AD 3D CC E4 F2   BD 49 68 85 48 9E B6 54  ....=....Ih.H..T
      0010: 69 98 CC CE                                        i...
      ]
      ]
      The keystore file to import is:/root/keystore, alias is:BEM
      This operation might cause servicemix process to be restarted, do you want to proceed?(yes to continue, others to exit)
      > yes
      The certificate has been imported, please wait for restarting servicemix process
      Restarting node 10.153.8.204 ...
      servicemix: stopped
      servicemix: started
      Process Name          State      Pid   Up time
      -------------------- -------- ------- -----------------
      servicemix           RUNNING    18230  0:00:06
      Restarting node 10.153.8.68 ...
      servicemix: stopped
      servicemix: started
      Process Name          State      Pid   Up time
      -------------------- -------- ------- -----------------
      servicemix           RUNNING    31783  0:00:06
      [root@localhost.localdomain(config-certificate)]$ quit
      Exiting...
      
    • The steps above replicate the keystore file to both BEM nodes and restart the "servicemix" process on each node.

If you need to roll back, restore the backed-up files listed above except the "keystore" file, then re-import the backed-up "keystore" file using the same import steps above.
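A defender-side check for both the ATM/T3100 and the BEM procedures above, added here as an example and not part of the Citrix article: it parses `keytool -list -v` output to flag a keystore that still holds a DSA key pair, and queries the running GUI with `openssl s_client` to confirm which certificate is actually served after the restart. Keystore paths, hosts, ports and store passwords are assumed to be supplied by the operator; the sample keytool output is constructed.

```shell
#!/bin/sh
# Added example (not from the Citrix article): verify whether a keystore, or the
# certificate a GUI actually serves, still uses the DSA key type that current
# Chrome/Firefox reject. Hosts, ports and passwords below are operator-supplied.

# Read `keytool -list -v` output on stdin; print "<alias> <sigalg>" for each
# PrivateKeyEntry's leaf certificate and exit 1 if any of them is DSA-signed.
classify_keystore_entries() {
    awk '
        /^Alias name:/              { alias = $3 }
        /^Entry type:/              { type  = $3 }
        /Signature algorithm name:/ {
            if (type == "PrivateKeyEntry") {
                print alias, $NF
                if ($NF ~ /DSA/) dsa = 1
            }
            type = ""   # only the first cert of the chain (the leaf) counts
        }
        END { if (dsa) exit 1 }
    '
}

# Check a keystore on disk, e.g. the t3100.keystore or BEM keystore paths above.
check_keystore_file() {   # usage: check_keystore_file <keystore> <storepass>
    keytool -list -v -keystore "$1" -storepass "$2" | classify_keystore_entries
}

# Ask the running GUI (active and standby node alike) what it really serves,
# which confirms SVC-GUI/servicemix picked up the new keystore after restart.
served_cert_sigalg() {    # usage: served_cert_sigalg <host> <port>
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | awk '/Signature Algorithm:/ { print $NF; exit }'
}

# Constructed keytool output (not a real keystore): a factory-style self-signed
# DSA entry next to a replacement RSA entry, for exercising the parser offline.
sample_keytool_output() {
    cat <<'EOF'
Alias name: t3100
Entry type: PrivateKeyEntry
Certificate[1]:
Signature algorithm name: SHA1withDSA
Alias name: BEM
Entry type: PrivateKeyEntry
Certificate[1]:
Signature algorithm name: SHA256withRSA
EOF
}
```

Run `check_keystore_file /opt/bmi/platform_gui/servicemix/sslKeystore/t3100.keystore <storepass>` before and after the swap; a non-zero exit means a DSA entry is still present.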

T3100 prior to 1.4.7

For T3100 releases prior to 1.4.7.x, the only available option is to use the Firefox browser and allow the weaker ciphers.

To do that, see article CTX228691 and follow the steps to change the Firefox settings.

IMPORTANT: For T3100 1.4.8 onwards, apply the workaround in the ATM section above.


Problem Cause

Current versions of the Chrome and Firefox browsers refuse access to secure (HTTPS) sites that present DSA certificates. The ATM and BEM GUIs currently use a self-signed DSA certificate.

Issue/Introduction

The ATM, T3100 and BEM (EMS) GUIs may not be accessible from browsers such as Mozilla Firefox v37 or later and Google Chrome v41 or later.