Installing Intermediate Certificates for Software Assistant

September 13, 2011
Introduction
Secure internet connections are controlled by the use of trusted certificates. When Software Assistant
(SWA) negotiates with systems within Hewlett-Packard it will not proceed without checking these
certificates to ensure a secure connection. In order for this validation to take place there must be
certificates that the system already trusts. These are the root certificate authorities (root CAs).
Recently Hewlett-Packard and VeriSign updated from 1024-bit to 2048-bit certificates. While this
provides increased security, systems may not have the correct certificates installed. SWA relies on the
Java Runtime Environment (JRE) to provide the required root CA information. At the time of this writing
the current version of the JRE does not deliver the required certificates. This document describes
how to add them manually on an HP-UX system.
Identifying the problem
If the HP certificates are not trusted, the earliest connection attempt will fail. This will result in an error
message similar to:
ERROR: Failed to access authorization service.
This error can also appear for other reasons, such as a proxy that needs to be specified or a local
firewall blocking access. To determine whether it is caused by a certificate issue, check whether the JRE
keystore contains the required VeriSign Class 3 Secure Server CA G3 intermediate certificate. To do this,
use the Java keytool command to query the keystore for the exact fingerprint as shown below (HP-UX
system with Java60JRE installed):
# /opt/java6/jre/bin/keytool -list \
-keystore /opt/java6/jre/lib/security/cacerts -storepass changeit |\
grep -i -e "3C:48:42:0D:FF:58:1A:38:86:BC:FD:41:D4:8A:41:DE"
Certificate fingerprint (MD5): 3C:48:42:0D:FF:58:1A:38:86:BC:FD:41:D4:8A:41:DE
If the certificate fingerprint is not found, use the instructions that follow to install it on your system. The
keytool command exists for both Java 1.5 and Java 6, and each version contains its own keystore. Adjust
the keytool and keystore paths in the command above for the Java version being checked. The password
shown (changeit) is the default value.
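
The keytool check above, wrapped as a shell function (an added example, not part of the original HP document). It separates a keytool failure, such as a changed keystore password or an unreadable keystore, from a genuinely missing fingerprint, which the grep pipeline alone cannot do; the function name check_fingerprint and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether a JRE keystore holds a given certificate
# fingerprint. Return codes (chosen for this example):
#   0 = fingerprint present
#   1 = keystore was read, fingerprint absent
#   2 = keystore could not be queried (no keytool, unreadable file, bad password)

# MD5 fingerprint quoted in this document for the VeriSign intermediate.
HP_FPR="3C:48:42:0D:FF:58:1A:38:86:BC:FD:41:D4:8A:41:DE"

# check_fingerprint KEYTOOL KEYSTORE FINGERPRINT [STOREPASS]
check_fingerprint() {
    keytool_bin=$1
    keystore=$2
    wanted=$3
    storepass=${4:-changeit}    # default keystore password, as noted above

    [ -x "$keytool_bin" ] || { echo "no keytool at $keytool_bin" >&2; return 2; }
    [ -r "$keystore" ] || { echo "cannot read $keystore" >&2; return 2; }

    # Capture the listing first, so that a keytool error is reported as an
    # error instead of being read as "certificate not installed".
    listing=$("$keytool_bin" -list -keystore "$keystore" \
              -storepass "$storepass" 2>&1) || {
        echo "keytool failed: $listing" >&2
        return 2
    }

    # Match only on fingerprint lines, ignoring upper/lower case.
    if printf '%s\n' "$listing" | grep -i 'fingerprint' | grep -i -q -e "$wanted"
    then
        return 0
    fi
    return 1
}

# Usage with the Java 6 paths from this document:
#   check_fingerprint /opt/java6/jre/bin/keytool \
#       /opt/java6/jre/lib/security/cacerts "$HP_FPR"
#   echo "result: $?"
```

A result of 2 means the keystore itself needs attention before any conclusion about the certificate can be drawn.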
