User groups cannot be migrated following DP 10.03 upgrade

  • Document ID:KM03151466
  • Creation Date:25-Apr-2018
  • Modified Date:25-Apr-2018
    • Micro Focus Products:
      data protector

Archived Content: This information is no longer maintained and is provided "as is" for your convenience.

Summary

User group migration fails on DP 10.03: Groups Added 0 Duplicate Groups 0 Groups Failed 3

Question


After upgrading to DP 10.03 user groups cannot be migrated and without groups there are no users present in the DP Users context also manual add of users with the omniusers commands fails as user cannot be added without an existing group from AppServer debugs we can see the following messages:

16:54:15,459 ERROR [KeycloakClient:101:default task-131] Error in keycloakClient constructor:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

16:54:15,552 ERROR [GroupManagementImpl:75:default task-131] Error adding roles: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

               at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.8.0_102]

              

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

               at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) [rt.jar:1.8.0_102]              

              

16:54:46,232 ERROR [GroupManagementImpl:150:default task-414] Error getting groups : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

16:54:48,088 ERROR [GroupManagementImpl:150:default task-423] Error getting groups : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

16:54:53,111 ERROR [GroupManagementImpl:150:default task-445] Error getting groups : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

16:54:54,967 ERROR [GroupManagementImpl:150:default task-455] Error getting groups : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

16:54:59,802 ERROR [GroupManagementImpl:150:default task-472] Error getting groups : sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

 

 

Answer

Issue can be resolved with the following procedure:

· Copy keystore password from “webservice.properties” file
· Rename/remove “cacerts” file located in folder “C:\Program Files\OmniBack\jre\lib\security” or “/opt/omni/jre/lib/security”
· Rename/remove “ascert.crt” file located in folder “C:\ProgramData\OmniBack\Config\server\AppServer” or “/etc/opt/omni/server/AppServer”
· Rename/remove “server.keystore/.truststore” file located in folder “C:\ProgramData\OmniBack\Config\Server\certificates\server” or “/etc/opt/omni/server/certificates/server”
· Rename/remove “client.keystore/.trustore” file located in folder “C:\ProgramData\OmniBack\Config\Server\certificates\client” or “/etc/opt/omni/server/certificates/client”
· Open CLI
· Run command:
WIN: perl "C:\Program Files\OmniBack\bin\omnigencert.pl" -server_id hostname.domain.net -server_san dns:hostname.domain.net,dns:shortname,ip:IP address -user_id "DOMAIN\Administrator" -store_password keystore_password
UNIX/Linux: perl "/opt/omni/sbin/omnigencert.pl" -server_id hostname.domain.net -server_san dns:hostname.domain.net,dns:shortname,ip:IP address -user_id "hpdp" -store_password keystore_password
· Run command to export certificate:
WIN: "C:\Program Files\OmniBack\jre\bin\keytool.exe" -noprompt -exportcert -alias "cn=ca hostname.domain.net, o=micro focus, st=md, c=us" -file "C:\ProgramData\OmniBack\Config\server\AppServer\ascert.crt" -keystore "C:\ProgramData\OmniBack\Config\server\certificates\server\server.keystore" -storepass keystore_password
UNIX/Linux: /opt/omni/jre/bin/keytool -noprompt -exportcert -alias "cn=ca hostname.domain.net, o=micro focus, st=md, c=us" -file "/etc/opt/omni/server/AppServer/ascert.crt" -keystore "/etc/opt/omni/server/certificates/server/server.keystore" -storepass keystore_password
· Run command to import certificate:
WIN: "C:\Program Files\OmniBack\jre\bin\keytool.exe" -noprompt -import -alias "cn=ca hostname.domain.net, o=micro focus, st=md, c=us" -file "C:\ProgramData\OmniBack\Config\server\AppServer\ascert.crt" -keystore "C:\Program Files\OmniBack\jre\lib\security\cacerts" -storepass changeit  -> yes, storepassword for this file is really “changeit”
UNIX/Linux: /opt/omni/jre/bin/keytool -noprompt -import -alias "cn=ca hostname.domain.net, o=micro focus, st=md, c=us" -file "/etc/opt/omni/server/AppServer/ascert.crt" -keystore "/opt/omni/jre/lib/security/cacerts" -storepass changeit  -> yes, storepassword for this file is really “changeit”
· Stop DP services
· Start DP services