UCS Manager 2.0(1t): Failed to validate certificate. Certificate

Unanswered Question
Jan 9th, 2012

Hi,

I have 4 UCS B230M1 Blades and since the update to 2.0(1) from 1.4(3q), I can't launch UCS Manager; Java throws the exception: "Certificate has been revoked".

It seems that the certificate used to sign the java code has been revoked, so this is a very important security exception.

How can I solve it?

Nowadays, if I want to run UCS Manager, I must run the "Java Control Panel" and uncheck

  - Check certificates for revocation using CRLs

  - Enable Online certificate validation

Here you have the exception details:

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:173)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at sun.security.validator.Validator.validate(Validator.java:187)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:601)
    at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(AppPolicy.java:268)
    at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(LaunchDownload.java:1825)
    at com.sun.javaws.LaunchDownload.checkSignedResources(LaunchDownload.java:1508)
    at com.sun.javaws.Launcher.prepareResources(Launcher.java:1232)
    at com.sun.javaws.Launcher.prepareAllResources(Launcher.java:621)
    at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:327)
    at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:199)
    at com.sun.javaws.Launcher.launch(Launcher.java:116)
    at com.sun.javaws.Main.launchApp(Main.java:416)
    at com.sun.javaws.Main.continueInSecureThread(Main.java:248)
    at com.sun.javaws.Main$1.run(Main.java:110)
    at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.cert.CertPathValidatorException: Certificate has been revoked
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)
    ... 17 more



Thanks for your help.


padramas Mon, 01/09/2012 - 04:39

Hello Maurici,

What OS and Java version do you have on the system from which you are trying to launch UCSM?

Did you try launching UCSM from a different system?

Do you use third-party certs or self-signed certs on the FI?

scope security

show keyring detail

Look for the Validity > Not After field.

Has it expired?

Padma

maugarta.cisco Tue, 01/10/2012 - 00:50

Hello padramas,

I have tried it with windows 7 and gnu/linux:

- Windows 7 java version =  "1.6.0_25"

- Gnu/Linux java version = "1.6.0_26"

I'm using "Keyring Default".

I have regenerated the default key ring (scope security ...), but this hasn't solved the problem.

After regenerating and cleaning certificates in my Java runtime, the first time I launch "UCS Manager" it throws this warning:

But the problem hasn't been solved. The java application throws the exception "Certificate has been revoked"

The problem is with the certificate used to sign the code, not used for SSL connections to the UCS.

Thanks for your help.

saleem.roumaldaro Tue, 01/10/2012 - 09:54

Hi Padma,

Thanks, will certainly give it a try.

Saleem Roumaldaro

Service Consultant

Softchoice Corporation

Direct:905 847 6800 ext. 5334

Toll free: 888 436 5555

Fax: 905 847 6584

padramas Tue, 01/10/2012 - 08:29

Maurici,

Not sure why CRL verification and online verification are not enabled in my Java preferences by default (Fedora 14, Sun Java v6 U 24) or test machine W2K8 with Java v6 Update 30.

If I enable it, UCSM fails to launch as the trust certs in the chain (Verisign) used by the Cisco cert have been revoked.

http://www.verisign.com/repository/crl.html

I will check it out with the development team and will get back to you.

HTH

Padma

padramas Wed, 01/18/2012 - 19:39

Maurici,

With this defect, we have replaced the certificate used for signing the jars application.

Once it completes the testing, it would be integrated in next patch release.

Padma

danjermyft Thu, 01/19/2012 - 11:13

Hi,

I've also been experiencing this issue using the UCS PE appliance, and have spent quite some time trying to resolve what seemed like a local certificate issue.  Can you confirm when the next release of that will be available with this patch?

Also, is there an easy/quicker way to work around this issue without having to redeploy the PE appliance?

The instructions to regenerate a self-signed certificate seem quite involved. Can you advise on the specific procedure that is required? Is there a way to do this without having to submit to Verisign?

Finally, why would the certificate be revoked? Is the issue with Verisign or the certificates supplied with the PE appliance?

Many Thanks in advance for your help.

Dan

padramas Thu, 01/19/2012 - 18:56

Dan,

The Java application uses a Cisco certificate for which the public root certificate is provided by Verisign. The intermediate trust certs (which are Verisign certs) in the chain have been revoked by Verisign.

http://www.verisign.com/repository/crl.html

As a resolution, we use a new certificate signed by Verisign where the trust certs are still valid.

If you are observing the same exact error message with UCSPE, you can disable the Enable CRL verification configuration option in the Java settings on the client system.

Regeneration of the self-signed cert is not required as it is used for SSL (https) connectivity and not for the Java application.

Hope I was able to clarify your concerns.

Padma
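
The distinction drawn in the reply above (the revoked certificate is in the chain that signed the JARs, not in the fabric interconnect's SSL keyring) can be checked without turning revocation checking off system-wide. The following is an added example, not part of the original thread and not Cisco or Oracle code: it validates each signer chain of a locally saved JAR with revocation checking on and reports which certificate in the path fails and why. The class name and the JAR path argument are assumptions, and CRL download needs network access.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
import javax.net.ssl.*;
// Added example. Assumption: args[0] is a locally saved copy of a signed client JAR.
public class SignerChainCheck {
    public static void main(String[] args) throws Exception {
        System.setProperty("com.sun.security.enableCRLDP", "true"); // fetch CRLs named in the certs
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = the JRE's default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager)
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers())
                    anchors.add(new TrustAnchor(ca, null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true); // revocation checking stays on
        Set<List<? extends Certificate>> chains = new LinkedHashSet<>(); // distinct signer chains
        byte[] buf = new byte[8192];
        try (JarFile jar = new JarFile(args[0], true)) {
            for (JarEntry e : Collections.list(jar.entries())) {
                // An entry's signers are only available after it has been read to the end.
                try (InputStream in = jar.getInputStream(e)) { while (in.read(buf) != -1) { } }
                if (e.getCodeSigners() != null)
                    for (CodeSigner s : e.getCodeSigners()) chains.add(s.getSignerCertPath().getCertificates());
            }
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        for (List<? extends Certificate> chain : chains) {
            List<Certificate> path = new ArrayList<>(chain);
            X509Certificate last = (X509Certificate) path.get(path.size() - 1);
            // A self-signed root shipped in the JAR acts as the trust anchor, not as part of the path.
            if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal()))
                path.remove(path.size() - 1);
            try {
                validator.validate(cf.generateCertPath(path), params);
                System.out.println("OK     " + ((X509Certificate) path.get(0)).getSubjectX500Principal());
            } catch (CertPathValidatorException ex) {
                int i = ex.getIndex(); // 0 = signer certificate, higher = intermediates, -1 = no single cert
                System.out.println("FAILED index=" + i + " reason=" + ex.getReason() + " msg=" + ex.getMessage()
                    + " subject=" + (i >= 0 ? ((X509Certificate) path.get(i)).getSubjectX500Principal() : "n/a"));
            }
        }
    }
}
```

A reason of REVOKED at an index above 0 points at an intermediate CA certificate rather than the signer's own certificate; UNDETERMINED_REVOCATION_STATUS means the CRL could not be obtained, which is a different condition from a revocation.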

danjermyft Fri, 01/20/2012 - 04:38

Many Thanks Padma,

However, none of the workarounds suggested enable me to launch the Java App. I am using OSX Lion.

If I choose to disable the Java Preference "Enable online certificate validation" then I get "Cannot Validate Certificate".

If this preference is enabled then I get "Certificate has been revoked".  In both instances I have the Java Preference "Check certificates for revocation using Certificate Revocation Lists (CRLs)" disabled.

This behaviour does not change even if I change the setting in Keychain Access Preferences to turn CRL to 'Off'.

I attach the screenshots of this for your clarification:

I understand then that this is the fault of Verisign, but would really appreciate a way to overcome this on my machine. Please advise what can be done. Many Thanks.

Dan

padramas Fri, 01/20/2012 - 05:05

Dan,

For OSX, please change both CRL and OCSP checking to off under Keychain>Preferences>Certificates and let us know the outcome.

Padma

danjermyft Fri, 01/20/2012 - 05:59

Thanks for the suggestion, I tried that too with no success I'm afraid.

There doesn't seem to be any combination of settings to turn this off as far as I can see.

Any other ideas?

Dan

padramas Fri, 01/20/2012 - 06:34

Dan,

What is the exact error message that you receive while trying to access UCS PE via web browser?

Have you tried from a system running a different OS?

Padma

danjermyft Fri, 01/20/2012 - 07:35

Hi Padma,

Yes I'm sure it's an OS specific thing - I've seen several posts from OSX Lion users stating they've experienced issues with Certificates. On a Windows client it is possible to 'ignore' the certificate discrepancy, but not from the mac.

The message that appears is as follows:

Clicking Details brings up much the same information as Maurici experienced earlier in the thread.

Namely:

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Certificate has been revoked
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:289)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:263)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:173)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at sun.security.validator.Validator.validate(Validator.java:187)
    at com.sun.deploy.security.TrustDecider.isAllPermissionGranted(TrustDecider.java:613)
    at com.sun.javaws.security.AppPolicy.grantUnrestrictedAccess(AppPolicy.java:268)
    at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(LaunchDownload.java:1825)
    at com.sun.javaws.LaunchDownload.checkSignedResources(LaunchDownload.java:1508)
    at com.sun.javaws.Launcher.prepareResources(Launcher.java:1276)
    at com.sun.javaws.Launcher.prepareAllResources(Launcher.java:629)
    at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:335)
    at com.sun.javaws.Launcher.prepareToLaunch(Launcher.java:235)
    at com.sun.javaws.Launcher.launch(Launcher.java:124)
    at com.sun.javaws.Main.launchApp(Main.java:451)
    at com.sun.javaws.Main.continueInSecureThread(Main.java:283)
    at com.sun.javaws.Main$1.run(Main.java:116)
    at java.lang.Thread.run(Thread.java:680)
Caused by: java.security.cert.CertPathValidatorException: Certificate has been revoked
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
    at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:328)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:275)
    ... 17 more

The main error being identified as 'Certificate has been revoked'!

Any other thoughts?

While I can jump onto another box in the interim, not being able to manage from an OSX client will cause an increasing problem for us as a business.

Many Thanks again / Dan

padramas Fri, 01/20/2012 - 08:58

Dan,

I missed your Java preferences configuration.

We need to disable "Enable online certificate validation" too.

It should resolve it.

But keep in mind, this is system wide config and it will not check for other online certs.

Padma

mbanks@dtint.com Tue, 02/14/2012 - 10:35

Is this issue going to be fixed any time soon for CIMC? All of our new UCS C2x0 boxes that have come with 1.4(2) exhibit this same cert problem. Fortunately, I don't think our new C460 M2's have exhibited this issue yet, but it may be because they came with an older firmware.

danjermyft Thu, 02/16/2012 - 04:41

That did resolve it, Many Thanks Padma

Glad a fix has been issued. Can you confirm if fix is just for the PE appliance at the moment or if this has been issued for the FI's also yet?

Thanks again / Dan


padramas Thu, 02/16/2012 - 06:17

Hello Dan,

Good that it helped you out.

It is fixed in latest UCSM version 2.0.1w.

Padma

endreu Thu, 05/03/2012 - 19:56

Hi Padma,

I'm running Cisco_UCS_Platform_Emulator_v2.0.94849.368934.7z but I'm still getting "failed to validate certificate" error. Can you please advise what steps I should take to resolve this?

padramas Thu, 05/03/2012 - 21:27

Hello,

Try disabling the following Java configuration parameters from the Java control panel:

Advanced > Security > General

Check certificates for revocation using CRL

Enable online certificate validation

If you are using MAC OS, in addition to changing the Java preferences, change both CRL and OCSP checking to off under Keychain>Preferences>Certificates in OSX.

Padma

charlesapdua Wed, 05/23/2012 - 23:17

I was having the same error.

Also using OSX and this procedure solved it!

Thanks Padma.

padramas Sun, 08/25/2013 - 21:51

Hello Yuval,

Please start a new thread with the error message you observe while launching UCSM.

Padma

Posted January 9, 2012 at 4:18 AM
Categories: General UCS Hardware