Unable to connect to Content Server - HTTPS

I am setting up the OTAG to connect to the CS. The HTTP connection works for me, but I am having a problem with HTTPS. I configured the SSL according to Chapter 3 of the OT Everywhere 10.0.0 Installation Guide, but keep getting the Unable to connect to Content Server error when I click the "Test CS URL" button on the settings page. The response is: {"isCsOk":false,"csErrMsg":"Failed to connect to https://mh-cs10/OTCS/cs.exe","isDbOk":false}.

I am using AD Certification Services (stand-alone mode on a 2008 R2 server) to create certificates for both the CS and Tomcat. The ADCS is installed on the same server with CS in the DEV domain. The OTAG is installed on a Windows 7 PC in a different domain. I can browse to the CS (https://mh-cs10/OTCS/cs.exe) from the Win 7 PC directly (the browser shows the invalid certificate warning).

Can OTAG work with self-signed certificates? Any suggestions?

Thanks!

Comments

  • Typically, I have found that self-signed certs require a bit more configuration. The trusted key for the SSL site needs to be exported and then imported into the cacerts file for your JVM. (i.e. for Tomcat running on Windows and configured to use the JVM at C:\Program Files\Java\jdk1.7.0_25\jre\bin\server\jvm.dll, you would need to import the key into the cacerts file at C:\Program Files\Java\jdk1.7.0_25\jre\lib\security). A very handy Java program for this is Portecle.

  • I'm not familiar with ADCS, but in general what you need to do is use keytool to import your self-signed cert (the one used by the CS server) into your Java keystore (the Java used by the Gateway Tomcat).

  • Thank you Dean and John for your quick response. I tried to import the certificates used by the CS to Java, but am still having the same problem. Here are the commands I used:

    keytool -import -trustcacerts -alias rootCA -file C:\new-keystore\rootca.cer -keystore "C:\Program Files\Java\jre7\lib\security\cacerts"
    keytool -import -trustcacerts -alias tomcat -file C:\new-keystore\certnew.cer -keystore "C:\Program Files\Java\jre7\lib\security\cacerts"

    The certificate files are exported from the IIS of the CS server. The JRE used by my Tomcat is located in "C:\Program Files\Java\jre7\". I am getting the same "Failed to Connect with Content Server" when testing the URL with HTTPS.

    Is there anything I can try to get HTTPS to work? Is there a setting for verbose logging for more detailed information regarding the failure?

  • CS also uses its own JVM, located at Opentext_Home\jre. So import the cert into CS's cacerts (i.e. Opentext_Home\jre\lib\security\cacerts).

  • Have you checked Tomcat's catalina logs? There may be more information there, though most likely it will just tell you the cert is not valid. Worth checking though.

    The CS JVM makes calls to the gateway, not vice versa, so it is unlikely to be involved here.

  • The log shows the certificate name doesn't match with the mapping. Recreated the certificate and assigned it to IIS. Everything starts to work!

    Thanks!
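
The thread touches two independent checks an HTTPS client makes: whether the issuer is trusted (what the cacerts imports address) and whether the certificate's names cover the host in the URL (what the reissued certificate fixed). The Python sketch below is an added example, not part of the thread or of any OpenText code; the function names are hypothetical, the certificate names (`mh-cs10.dev.example`) are constructed, the dictionaries use the shape returned by Python's `ssl` `getpeercert()`, and the matcher is a simplified RFC 6125-style rule.

```python
def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Conservative policy (assumption): no wildcard directly under a TLD.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def names_for_check(cert: dict) -> list:
    """dNSName SANs when present; otherwise the subject CN (older fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def diagnose(url_host: str, cert: dict, chain_trusted: bool) -> str:
    """Report which of the two checks fails, in the order a client runs them."""
    if not chain_trusted:
        return "untrusted-issuer"  # remedy: import the issuing CA into the client JVM's cacerts
    if not any(dns_name_matches(n, url_host) for n in names_for_check(cert)):
        return "name-mismatch"     # remedy: reissue the cert for the host used in the URL
    return "ok"


# Constructed sample certificates (not taken from the thread).
CERT_FQDN_ONLY = {"subject": ((("commonName", "mh-cs10.dev.example"),),)}
CERT_REISSUED = {"subject": ((("commonName", "mh-cs10"),),),
                 "subjectAltName": (("DNS", "mh-cs10"),)}
# The CN matches the URL host, but the SAN list takes precedence and does not.
CERT_SAN_WINS = {"subject": ((("commonName", "mh-cs10"),),),
                 "subjectAltName": (("DNS", "other.dev.example"),)}

if __name__ == "__main__":
    host = "mh-cs10"  # host part of https://mh-cs10/OTCS/cs.exe
    for label, cert, trusted in [
        ("before import", CERT_FQDN_ONLY, False),
        ("after import", CERT_FQDN_ONLY, True),
        ("reissued", CERT_REISSUED, True),
        ("SAN precedence", CERT_SAN_WINS, True),
    ]:
        print(f"{label:15} -> {diagnose(host, cert, trusted)}")
```

Importing the CA only moves the result from `untrusted-issuer` to `name-mismatch`; the connection succeeds once the certificate's names include the host used in the URL.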