How to import certificates into an On-Premise Bridge

Search for	Example	Results
A single word	`cat`	Topics that contain the word "cat". You will also find its grammatical variations, such as "cats".
A phrase. You can specify that the search results contain a specific phrase.	`"cat food"` (quotation marks)	Topics that contain the literal phrase "cat food" and all its grammatical variations. Without the quotation marks, the query is equivalent to specifying an OR operator, which finds topics with one of the individual words instead of the phrase.

Search for	Operator	Example
Two or more words in the same topic	`AND` `and` `+` (plus symbol) `&` (ampersand)	`cat AND dog` `"cat food"+milk` `"cat food"&"dog food"`
Either word in a topic	`OR` `or` `\|` (pipe)	`cat OR dog` `cat \| dog`
Topics that do not contain a specific word or phrase	`NOT` `not` `!` (exclamation point)	`NOT cat` `! dog`
Topics that contain one string and do not contain another	`^` (caret)	`cat ^ mouse`
A combination of search types	`( )` parentheses	`cat + (dog \| mouse)` `cat \| dog + (! mouse)`

When you create an integration to Service Management Automation with a remote system that has an SSL address, the certificate of the remote server might need to be imported into the trusted keystore file of the On-Premise Bridge. The cacerts file stores public certificates of the root Certificate Authority (CA). If there is a problem with the connection between the OPB and the remote system, you can check the controller.log file of the OPB for the error defined below. If the error exists, then you may be required to follow the procedure in this section.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Find the location of the Service Management OPB controller log

The default location of the controller.log file is in the C:\Program Files\HP\On-Premise Bridge Agent\product\log\controller directory. Once the log file is located, search the log file for the HandshakeException error. If the error appears, the fully qualified domain name will be logged, which allows you to verify that the endpoint in question is indeed the one that is giving the error.

Find the location of the Service Management OPB trusted keystore

The default OPB trusted keystore file is named cacerts and is located in the C:\Program Files\HP\On-Premise Bridge Agent\product\util\3rd-party\jre\lib\security directory. The OPB has its own trusted keystore file, which should not be confused with that of any other Java installation on the machine.

Add the certificate to the trusted keystore

The java keytool utility is used to import certificates into the trusted keystore. To run the utility, open a command windows and navigate to the C:\Program Files\HP\On-Premise Bridge Agent\product\util\3rd-party\jre\bin directory. The command format is:

keytool -importcert -keystore ..\lib\security\cacerts -alias "new Alias" –file myCert.crt

In this example, the myCert.crt file is the certificate of the remote server, cacerts is the trusted keystore, and the alias is a label set for the certificate. When prompted, the default password is “changeit”.

Confirm that the certificate is present

Java uses a tool called keytool to list or import any certificates in the trusted keystore file. Using this tool allows you to list all of the certificates that were imported into the keystore.

Open a command window and navigate to the C:\Program Files\HP\On-Premise Bridge Agent\product\util\3rd-party\jre\bin directory. Run the keytool while pointing to the cacerts file. Syntax for the command is:

keytool –list –v –keystore ..\lib\security\cacerts > c:\contents.txt

The default password for the keystore is “changeit”. Once executed, a file named C:\contents.txt will list the entire content of the keystore. It is possible to search through this file using a text editor to confirm that the certificate for the remote server to confirm was loaded correctly.