ZCM System Update service is not getting or finding any available updates

  • 7002329
  • 08-Jan-2009
  • 30-Mar-2020

Environment

Novell ZENworks 10 Configuration Management
ZENworks Configuration Management 11
ZENworks Configuration Management 2017
ZENworks Configuration Management 2020
Bluecoat server protecting network perimeter

Situation

Connections to Novell's update server are failing, and no updates are available to the ZCM Server.

In the ZCM loader-messages.log file the following errors were identified:

[Loader.SystemUpdateModule] [FINE:Error contacting NCC at https://secure-www.novell.com/...] [FINE: Error contacting NCC at https://secure-www.novell.com/...] [javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
-- followed by a Java stack dump --
[Loader.SystemUpdateModule] [FINE: Unable to get any valid system update download urls, verify that you are licensed to receive updates and that your server has access to https://secure-www.novell.com/...]

Resolution

The directions in the error message, "verify that you are licensed to receive updates and that your server has access to [the Novell update server URL]", point to the most likely causes of a problem of this nature. If either of those problems exists, it has to be corrected first.

In this instance, a Bluecoat server was protecting the network's perimeter. The Bluecoat server was responding to the ZCM server's connection request with its own certificate, and the ZCM server's Java instance did not have a copy of the Bluecoat CA installed as a trusted CA.

To resolve this situation, install the Bluecoat certificate into Java's default certificate store.

Additional Information

Complete loader-messages.log with errors and Java stack dump

[DEBUG] [10/27/08 1:00:03 PM] [] [Loader.SystemUpdateModule] [FINEST: Calling executeMethod...] [FINEST: Calling executeMethod...] [] []
[DEBUG] [10/27/08 1:00:04 PM] [] [Loader.SystemUpdateModule] [FINE: Error contacting NCC at https://secure-www.novell.com/center/regsvc/?command=register&lang=en-US&version=1.0] [FINE: Error contacting NCC at https://secure-www.novell.com/center/regsvc/?command=register&lang=en-US&version=1.0] [javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:818)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1030)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:622)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
    at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
    at org.apache.commons.httpclient.methods.StringRequestEntity.writeRequest(StringRequestEntity.java:150)
    at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:495)
    at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
    at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
    at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
    at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
    at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
    at com.novell.zenworks.systemupdate.HttpHelper._executeHttpMethod(HttpHelper.java:195)
    at com.novell.zenworks.systemupdate.HttpHelper._executeHttpMethod(HttpHelper.java:244)
    at com.novell.zenworks.systemupdate.HttpHelper.executeHttpMethod(HttpHelper.java:147)
    at com.novell.zenworks.systemupdate.HttpHelper.getUrlAsString(HttpHelper.java:47)
    at com.novell.zenworks.systemupdate.SystemUpdateUtil._getSystemUpdateUrls(SystemUpdateUtil.java:430)
    at com.novell.zenworks.systemupdate.SystemUpdateUtil.getSystemUpdateUrls(SystemUpdateUtil.java:366)
    at com.novell.zenworks.loader.modules.queue.handlers.ConfiguredDownloadHandler.getSystemUpdateUrls(ConfiguredDownloadHandler.java:109)
    at com.novell.zenworks.loader.modules.queue.handlers.ConfiguredDownloadHandler.getAvailableUpdates(ConfiguredDownloadHandler.java:159)
    at com.novell.zenworks.loader.modules.queue.handlers.CheckForUpdatesHandler.processAction(CheckForUpdatesHandler.java:54)
    at com.novell.zenworks.loader.modules.queue.runner.QueueThreadWorker.processAction(QueueThreadWorker.java:193)
    at com.novell.zenworks.loader.modules.queue.runner.QueueThreadWorker.run(QueueThreadWorker.java:139)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
    at java.lang.Thread.run(Thread.java:595)
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
    at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
    at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
    at sun.security.validator.Validator.validate(Validator.java:203)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
    at com.novell.zenworks.security.ssl.AcceptSpecifiedCertificateTrustManager.checkServerTrusted(AcceptSpecifiedCertificateTrustManager.java:99)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
    ... 32 more
] []
[DEBUG] [10/27/08 1:00:04 PM] [] [Loader.SystemUpdateModule] [FINE: Unable to get any valid system update download urls, verify that you are licensed to receive updates and that your server has access to https://secure-www.novell.com/center/regsvc/?command=register&lang=en-US&version=1.0] [FINE: Unable to get any valid system update download urls, verify that you are licensed to receive updates and that your server has access to https://secure-www.novell.com/center/regsvc/?command=register&lang=en-US&version=1.0] [] []
[DEBUG] [10/27/08 1:00:04 PM] [] [Loader.SystemUpdateModule] [FINER: Found 0 updates for zcm;10.1] [FINER: Found 0 updates for zcm;10.1] [] []

=========================================================================================================
Steps to import a certificate into the Java store on Linux, taken from http://grim.se/guide/jre-cert (submitted by gunnar on 2 December, 2008 - 09:31):

When your Java program attempts to connect to a server that has an invalid or self-signed certificate, such as an application server in a development environment, you may get the following exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To make your Java runtime environment trust the certificate, you need to import it into the JRE certificate store.

Step 1 - Get the certificate into your browser store
Browse to your application server using SSL. Your browser will tell you that the certificate isn't trusted and allow you to trust it, thereby placing it in the browser certificate store.

Step 2 - Export the certificate to a binary file
Your browser will have some kind of certificate manager that allows you to export or back up specific certificates to binary files. In Firefox that would be under Preferences / Advanced / Encryption / Servers. Find the certificate presented by the server and export it as a binary DER file.

Step 3 - Import the certificate into the Java store
(On ZCM 2017 Update 4 and higher, you can run this command to add the certificate to the trust store: novell-zenworks-configure -c Start AddExternalCAToTrustStore)
For older zones, continue:
Make sure you have write access to your JRE and use the keytool utility to import it:
keytool -import -alias alias -keystore path-to-jre/lib/security/cacerts -file path-to-certificate-file
Example:
keytool -import -alias sunas -keystore /opt/jdk1.6/jre/lib/security/cacerts -file /home/gugrim/tmp/sunas.der
You will be prompted for the keystore password, which is changeit by default.

Also, when you connect to the server, make sure you use the same name as the one set as the Subject in the certificate. You may need to add it to your hosts file if the server isn't reachable using this name, which may be the case for a developer server.
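
Added example (not part of the original TID or the grim.se guide): a POSIX shell wrapper around Step 3 that refuses to import the exported DER file unless its SHA-256 fingerprint matches a value obtained out-of-band, for example from the proxy administrators, and unless it is a CA certificate. It backs up cacerts before running the same keytool import. The function names and argument order are assumptions made for illustration; openssl and keytool must be on the PATH.

```sh
#!/bin/sh
# Added example: verify an exported proxy CA certificate before trusting it.
# The certificate path, fingerprint, alias and keystore path come from the operator.

# Print the SHA-256 fingerprint of a DER certificate as upper-case hex, no colons.
cert_sha256() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the certificate's fingerprint equals the out-of-band value.
# Colons, spaces and letter case in the expected value are ignored.
fingerprint_matches() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    got=$(cert_sha256 "$1") || return 1
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Succeed only if the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -inform DER -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage: import_proxy_ca CERT.der EXPECTED_SHA256 ALIAS path-to-jre/lib/security/cacerts
import_proxy_ca() {
    cert=$1 want_fp=$2 name=$3 store=$4
    fingerprint_matches "$cert" "$want_fp" ||
        { echo "fingerprint mismatch, not importing" >&2; return 1; }
    is_ca_cert "$cert" ||
        { echo "not a CA certificate, not importing" >&2; return 1; }
    # Keep a timestamped copy so the trust store can be rolled back.
    cp -p "$store" "$store.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # keytool prompts for the keystore password (default: changeit).
    keytool -import -alias "$name" -keystore "$store" -file "$cert" || return 1
    # List the new entry so its fingerprint can be compared once more.
    keytool -list -alias "$name" -keystore "$store"
}
```

Source the file and call import_proxy_ca with the four arguments shown in the usage comment; nothing is written to the keystore when either check fails.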