After upgrade to Data Protector 10, application server service/daemon does not start.

  • KM03076734
  • 19-Jan-2018
  • 19-Jan-2018

Summary

Entries in the server.log file contain warnings about failures to register service with “java.lang.NullPointerException” and “IOException”. Problem is related to certificates: - “cacerts” (C:\Program Files\OmniBack\jre\lib\security or /opt/omni/jre/lib/security) - “ascert.crt” (C:\ProgramData\OmniBack\Config\server\AppServer or /etc/opt/omni/server/AppServer) - “server.keystore and server.truststore” (C:\ProgramData\OmniBack\Config\Server\certificates\server or /etc/opt/omni/server/certificates/server) - “client.keystore and client.truststore” (C:\ProgramData\OmniBack\Config\Server\certificates\client or /etc/opt/omni/server/certificates/client) - Issue occurs if these files contain mismatched certificates, certificate files do not exist or “hpdp” user cannot read them.

Error

SYMPTOMS

After upgrade to DP 10, application server does not start.

Server.log file contains entries:

-        WARN  [com.hp.im.jce.serviceregistry.ServiceRegistrationHandler] (Timer-6) Failed to register service ServiceDescription [id=null, name=dp-loginprovider, version=1.1.0, properties=null, url=https://hostname.domain.net:7116/dp-loginprovider/restws, expiresAt=null]: java.lang.NullPointerException

-        WARN  [com.hp.im.jce.serviceregistry.ServiceRegistrationHandler] (Timer-6) Failed to register service ServiceDescription [id=null, name=dp-loginprovider, version=1.1.0, properties=null, url=https://hostname.domain.net:7116/dp-loginprovider/restws, expiresAt=null]: IOException

SCOPE

All supported Data Protector CM platforms from Data Protector 10.00 on.

 

Cause

The Problem is related to certificates:

-        “cacerts” (C:\Program Files\OmniBack\jre\lib\security or /opt/omni/jre/lib/security)

-        “ascert.crt” (C:\ProgramData\OmniBack\Config\server\AppServer or /etc/opt/omni/server/AppServer)

-        “server.keystore and server.truststore” (C:\ProgramData\OmniBack\Config\Server\certificates\server or /etc/opt/omni/server/certificates/server)

-        “client.keystore and client.truststore” (C:\ProgramData\OmniBack\Config\Server\certificates\client or /etc/opt/omni/server/certificates/client) 

-         Issue occurs if these files contain mismatched certificates, certificate files do not exist or “hpdp” user cannot read them.

 

Fix

RESOLUTION

Remove the problematic certificate files and regenerate the certificates.

 

  1. Get keystore password from “webservice.properties” file. This is the keystore_password used below.
  2. Rename/remove existing certificates:
    1. Rename/remove “cacerts” file in directory
      Win: C:\Program Files\OmniBack\jre\lib\security
      UX: /opt/omni/jre/lib/security
    2. Rename/remove “ascert.crt” file in directory
      Win: C:\ProgramData\OmniBack\Config\server\AppServer
      UX: /etc/opt/omni/server/AppServer
    3. Rename/remove “server.keystore” and “server.truststore” file in directory
      Win: C:\ProgramData\OmniBack\Config\Server\certificates\server
      UX: /etc/opt/omni/server/certificates/server
    4. Rename/remove “client.keystore and client.truststore” file in directory
      Win: C:\ProgramData\OmniBack\Config\Server\certificates\client
      UX: /etc/opt/omni/server/certificates/client
  3. Open CLI and regenerate certificates
    1. Run command to generate certificate:
      WIN: perl "C:\Program Files\OmniBack\bin\omnigencert.pl" -server_id hostname.domain.net -user_id "DOMAIN\Administrator" -store_password
      keystore_password
      UX: perl "/opt/omni/sbin/omnigencert.pl" -server_id hostname.domain.net -user_id "hpdp" -store_password keystore_password
    2. Run command to export certificate:
      WIN: "C:\Program Files\OmniBack\jre\bin\keytool.exe" -noprompt -exportcert -alias "cn=ca hostname.domain.net, o=hewlett packard enterprise, st=ca, c=us" -file "C:\ProgramData\OmniBack\Config\server\AppServer\ascert.crt" -keystore "C:\ProgramData\OmniBack\Config\server\certificates\server\server.keystore" -storepass
      keystore_password
      UX: /opt/omni/jre/bin/keytool -noprompt -exportcert -alias "cn=ca hostname.domain.net, o=hewlett packard enterprise, st=ca, c=us" -file "/etc/opt/omni/server/AppServer/ascert.crt" -keystore "/etc/opt/omni/server/certificates/server/server.keystore" -storepass keystore_password
    3. Run command to import certificate:
      WIN: "C:\Program Files\OmniBack\jre\bin\keytool.exe" -noprompt -import -alias "cn=ca hostname.domain.net
      , o=hewlett packard enterprise, st=ca, c=us" -file "C:\ProgramData\OmniBack\Config\server\AppServer\ascert.crt" -keystore "C:\Program Files\OmniBack\jre\lib\security\cacerts" -storepass changeit
      UX: /opt/omni/jre/bin/keytool -noprompt -import -alias "cn=ca hostname.domain.net, o=hewlett packard enterprise, st=ca, c=us" -file "/etc/opt/omni/server/AppServer/ascert.crt" -keystore "/opt/omni/jre/lib/security/cacerts" -storepass changeit
  4. Stop DP services
  5. Start DP services

 

The data that needs to be specified as parameters by the user is marked with yellow. Below is the explanation of values for parameters.

-        -server_id
This is FQDN of the cell manager host, e.g. cellmanager.domain.net

-        -user_id
This is user, used for DP installation. This is usually the administrator (domain\Administrator) on the Windows systems or hpdp on Linux/UNIX systems.

-        -store_password
Keystore password from “webservice.properties” file.

-        hostname.domain.net
This is FQDN of the cell manager host, must be same as was specified in -server_id parameter