How to import certificates into an On-Premise Bridge

When you create an integration to Service Management Automation with a remote system that has an SSL address, the certificate of the remote server might need to be imported into the trusted keystore file of the On-Premise Bridge. The cacerts file stores public certificates of the root Certificate Authority (CA). If there is a problem with the connection between the OPB and the remote system, you can check the controller.log file of the OPB for the error defined below. If the error exists, then you may be required to follow the procedure in this section.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Find the location of the Service Management OPB controller log

The default location of the controller.log file is in the C:\Program Files\HP\On-Premise Bridge Agent\product\log\controller directory. Once the log file is located, search the log file for the HandshakeException error. If the error appears, the fully qualified domain name will be logged, which allows you to verify that the endpoint in question is indeed the one that is giving the error.

Find the location of the Service Management OPB trusted keystore

The default OPB trusted keystore file is named cacerts and is located in the C:\Program Files\HP\On-Premise Bridge Agent\product\util\3rd-party\jre\lib\security directory. The OPB has its own trusted keystore file, which should not be confused with that of any other Java installation on the machine.

Obtain the certificate of the remote server

In most cases, there is a company-created certificate available and the server administrator is able to send it to you. In cases where the certificate is not available, it is also possible to use a Web browser to export the certificate so that it can be imported into the OPB’s trusted keystore.

Add the certificate to the trusted keystore

The java keytool utility is used to import certificates into the trusted keystore. To run the utility, open a command windows and navigate to the C:\Program Files\HP\On-Premise Bridge Agent\product\util\3rd-party\jre\bin directory. The command format is:

keytool -importcert -keystore ..\lib\security\cacerts -alias "new Alias" –file myCert.crt

In this example, the myCert.crt file is the certificate of the remote server, cacerts is the trusted keystore, and the alias is a label set for the certificate. When prompted, the default password is “changeit”.

Confirm that the certificate is present

Java uses a tool called keytool to list or import any certificates in the trusted keystore file. Using this tool allows you to list all of the certificates that were imported into the keystore.

Open a command window and navigate to the C:\Program Files\HP\On-Premise Bridge Agent\product\util\3rd-party\jre\bin directory. Run the keytool while pointing to the cacerts file. Syntax for the command is:

keytool –list –v –keystore ..\lib\security\cacerts > c:\contents.txt

The default password for the keystore is “changeit”. Once executed, a file named C:\contents.txt will list the entire content of the keystore. It is possible to search through this file using a text editor to confirm that the certificate for the remote server to confirm was loaded correctly.