Troubleshooting a Secure Terracotta Server from Command Central
If SPM is unable to connect to a secured Terracotta server, refer to the Terracotta SPM logs in <installDir>/profiles/SPM/logs. Below are some errors and scenarios you may see in the logs.
Unable to Find a Valid Certification Path to Requested Target
MonitoringImpl Checking server state failed
javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
This indicates that the SPM's cacerts file does not contain a valid certificate for the server.
No subject alternative names present
MonitoringImpl Checking server state failed javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: No subject alternative names present
SPM uses the bind attribute of management-port, which has a default value of 0.0.0.0 (e.g. https://0.0.0.0:9540/tc-management-api/v2/agents/statistics/servers;names=stripe-A.0).
This exception indicates that the server certificate's identity is checked against the bind attribute IP address, but that address is not present in the certificate. This can be solved by adding a Subject Alternative Name (SAN) when creating the certificate:
keytool -keystore <server-keystore> -alias <server-alias> -genkey -keyalg RSA -ext "SAN=IP:0.0.0.0"
To change the bind attribute of a management port, refer to Binding Ports to Interfaces.
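Added example, not part of the original documentation or of the Terracotta/SPM code: a simplified Python model of the server-identity check behind this exception, showing why a certificate without an IP SAN fails for the default 0.0.0.0 URL even when its CN is 0.0.0.0. The function names, the (type, value) SAN format and the example.com names are assumptions made for illustration; reason strings other than the exception text above are the example's own wording.

```python
import ipaddress
from urllib.parse import urlsplit

def check_identity(url, san_entries, common_name=None):
    """Simplified model of the HTTPS server-identity check.

    san_entries: list of (type, value) pairs, type "IP" or "DNS".
    Returns (ok, reason).
    """
    host = urlsplit(url).hostname
    try:
        want_ip = ipaddress.ip_address(host)
    except ValueError:
        want_ip = None

    if want_ip is not None:
        # IP literal in the URL: only SAN entries of type IP are considered,
        # and the subject CN is never used as a fallback.
        if not san_entries:
            return False, "No subject alternative names present"
        for kind, value in san_entries:
            if kind == "IP" and ipaddress.ip_address(value) == want_ip:
                return True, "matched SAN IP:" + value
        return False, "SAN present, but no IP entry equals " + host

    # Host name in the URL: DNS SAN entries win; CN is used only without them.
    dns_names = [v for k, v in san_entries if k == "DNS"]
    candidates = dns_names or ([common_name] if common_name else [])
    for name in candidates:
        if _dns_matches(host, name):
            return True, "matched name " + name
    return False, "no DNS SAN or CN matches " + host

def _dns_matches(host, pattern):
    """Exact match, or a single leftmost '*' label (e.g. *.example.com)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

# Constructed inputs: the management URL from the page and made-up SAN lists.
SPM_URL = "https://0.0.0.0:9540/tc-management-api/v2/agents/statistics/servers;names=stripe-A.0"

if __name__ == "__main__":
    for sans in ([], [("DNS", "tc1.example.com")], [("IP", "0.0.0.0")]):
        print(sans, "->", check_identity(SPM_URL, sans, common_name="0.0.0.0"))
```

If the management port is bound to a specific interface instead of 0.0.0.0, the SAN entry has to carry that address for the same check to pass.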
Two Active Servers
An entry similar to the following might appear in the server log:
2013-05-17 12:10:24,805 [L2_L2:TCWorkerComm # 1_W]
ERROR com.tc.net.core.TCConnection - SSL handshake error:
unable to find valid certification path to requested target, closing connection.
If you start secured servers from SPM (for example, a two-server stripe) but they do not assert an active-mirror status, refer to the section Two Active Servers in Troubleshooting.
For debugging purposes, you can set the following in each Terracotta server's custom_wrapper.conf file (located in <installDir>/Terracotta/server/wrapper/conf):
wrapper.java.additional.9=-Djavax.net.ssl.trustStore=""
wrapper.java.additional.10=-Dtc.ssl.trustAllCerts=true
Note: This makes the Terracotta server trust all incoming HTTPS connections, which is significantly less secure than having properly authorized certificates.
TMC not able to connect to secured cluster after starting servers from SPM
This can happen if the server's truststore is missing the TMC's certificate. Check the TMC logs for more details. You can debug this issue by following the suggested steps from the previous section.
For more information on troubleshooting secure servers, check Troubleshooting.