ZCM CA remint not completed - java.io.IOException: Keystore was tampered with, or password was incorrect

  • 7024583
  • 24-Apr-2020
  • 24-Apr-2020

Environment

ZENworks Configuration Management 2017 Update 4 (ZCM)

Situation

A ZCM Zone CA remint has been performed. ZCC states that new certificates have been created, but activation will not be completed until all devices have been updated or ignored.

Jetty is no longer running on the server and therefore cannot be managed via the webpage on port 9443.


From /var/log/messages:
2020-03-30T11:17:23.093770+01:00 zcmserver01 systemd[1]: Starting Jetty Web Application Server...
2020-03-30T11:17:23.233515+01:00 zcmserver01 jetty.sh[5286]: Starting Jetty: ok Mon Mar 30 11:17:23 BST 2020
2020-03-30T11:17:23.235211+01:00 zcmserver01 systemd[1]: Started Jetty Web Application Server.
2020-03-30T11:17:25.004303+01:00 zcmserver01 jetty.sh[5286]: 2020-03-30 11:17:24.999:INFO::main: Logging initialized @1654ms
2020-03-30T11:17:25.658455+01:00 zcmserver01 jetty.sh[5286]: 2020-03-30 11:17:25.658:INFO::main: Redirecting stderr/stdout to /var/opt/novell/jetty/logs/jetty.stderrout.out
2020-03-30T11:17:39.331668+01:00 zcmserver01 systemd[1]: vabase-jetty.service: main process exited, code=exited, status=254/n/a
2020-03-30T11:17:39.402918+01:00 zcmserver01 jetty.sh[5367]: Stopping Jetty: OK
2020-03-30T11:17:39.404106+01:00 zcmserver01 systemd[1]: Unit vabase-jetty.service entered failed state.



From /var/opt/novell/jetty/logs/jetty.stderrout.out:
2020-03-27 10:34:03.036:WARN:oejuc.AbstractLifeCycle:main: FAILED SslContextFactory@36c7cbe1(/etc/opt/novell/zenworks/security/server.keystore,/etc/opt/novell/zenworks/security/server.keystore): java.io.IOException: Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)

Resolution

When carrying out a remint, a new keystore password is generated.

The SSL information for Jetty is read from: /opt/novell/common-services/etcs/jetty-ssl.xml
This file contains three passwords, for example:

<Set name="KeyStorePassword">af6b2632f4b2a8db2f21e84sg3036184</Set>
<Set name="KeyManagerPassword">af6b2632f4b2a8db2f21e84sg3036184</Set>
<Set name="TrustStorePassword">af6b2632f4b2a8db2f21e84sg3036184</Set>


Ensure these three passwords are identical. One may be different; if so, update the incorrect string so that all three match.
Once updated, restart Jetty: systemctl restart vabase-jetty.service
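
A check for the condition described in this Resolution, as an added example that is not part of the original article or any vendor tooling: it reads a Jetty SSL file and names the entry that differs, without printing any password. The function names and sample values are constructed, and treating the odd entry out as the incorrect one is an assumption.

```shell
#!/bin/sh
# Added example (not vendor code): check that the three password entries in a
# Jetty SSL config agree, naming the odd one out without printing any secret.

# Print the text of <Set name="NAME">...</Set> found in FILE (first match).
get_pw() {
    sed -n "s:.*<Set name=\"$1\">\([^<]*\)</Set>.*:\1:p" "$2" | head -n 1
}

# Print "none" if all three match, the name of the single differing entry,
# or "all" if no two agree. Status: 0 match, 1 mismatch, 2 unreadable/missing.
odd_entry() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    ks=$(get_pw KeyStorePassword "$1")
    km=$(get_pw KeyManagerPassword "$1")
    ts=$(get_pw TrustStorePassword "$1")
    if [ -z "$ks" ] || [ -z "$km" ] || [ -z "$ts" ]; then
        echo "password entry missing in $1" >&2; return 2
    fi
    if [ "$ks" = "$km" ] && [ "$km" = "$ts" ]; then echo none; return 0; fi
    # Assumption: when two entries agree, the third is the stale one.
    if   [ "$ks" = "$km" ]; then echo TrustStorePassword
    elif [ "$ks" = "$ts" ]; then echo KeyManagerPassword
    elif [ "$km" = "$ts" ]; then echo KeyStorePassword
    else echo all
    fi
    return 1
}

# Constructed sample: values are made up; TrustStorePassword is left stale.
write_sample() {
    cat > "$1" <<'EOF'
<Set name="KeyStorePassword">constructed-new-value</Set>
<Set name="KeyManagerPassword">constructed-new-value</Set>
<Set name="TrustStorePassword">constructed-old-value</Set>
EOF
}

# With a path argument, check that file; otherwise run on the constructed sample.
if [ $# -gt 0 ]; then
    odd_entry "$1"
else
    demo=$(mktemp) && write_sample "$demo"
    echo "sample result: $(odd_entry "$demo" || true)"
    rm -f "$demo"
fi
```

Run it with the path to the Jetty SSL file as the only argument. If keytool is available, `keytool -list -keystore /etc/opt/novell/zenworks/security/server.keystore` prompts for the password and shows which value the keystore actually accepts.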