Troubleshooting SSL certificate issues on servers

The table helps diagnose and fix SSL certificate issues affecting user logins and connections for CCRC WAN servers, ClearCase®, and ClearQuest® integrations. It covers problems such as untrusted certificates and hostname mismatches, and provides solutions such as verifying certificate details or installing CA-signed certificates.

Table 1. Diagnosing and Resolving Client/Server/Certificate Configuration Issues
Columns: Client | Server | SSL certificate installed on server | Problem | Solution

Client: ClearTeam Explorer (CTE), rcleartool, or CMAPI
Server: CCRC WAN server, installed by ClearCase® to create a new WAS profile and configured with IHS to redirect to CCRC WAN server (Server URL: https://server_name/ccrc)
SSL certificate installed on server: IHS server has a key/certificate installed
Problem: Users are unable to log in. A test connection to the server with a web browser to https://server_name/ccrc/admin/version displays an internal error.
Solution: Possible causes:
  • IHS may not trust the certificate presented by the WAS profile for CCRC.
  • On Windows 64-bit servers, incorrectly generated pathnames.
To diagnose and resolve the problems, refer to technote 544013.

Client: ClearTeam Explorer (CTE), rcleartool, or CMAPI
Server: CCRC WAN server via IHS or direct to WAS
SSL certificate installed on server: Self-signed certificate installed
Problem: CTE displays a certificate error dialog box.
Solution: There are two options for resolving the problem:
  • Verify the certificate details with the WAN server administrator, then accept the certificate for the specific hostname/port (optionally storing it permanently for future sessions).
  • Have the administrator install a new certificate into the IHS or WAN server. The certificate would be signed by a trusted certificate authority (CA).
    Note: There could be a charge for this service.

Client: ClearTeam Explorer (CTE), rcleartool, or CMAPI
Server: CCRC WAN server via IHS or direct to WAS
SSL certificate installed on server: Certificate is signed by a certificate authority
Problem: CTE displays the message "The certificate was issued by an unknown authority."
Solution: The certificate authority is not in the default list:
  • Recommended option: If you trust this certificate authority (perhaps it is a company-internal CA), get the root CA certificate and install it into each user's .keystore_ClearCase.
  • Another option: Users verify certificates against details provided by the CCRC administrator, then they accept them.

Client: ClearTeam Explorer (CTE), rcleartool, or CMAPI
Server: CCRC WAN server
SSL certificate installed on server: Any
Problem: CTE displays the message "The certificate's name is different than the server name."
Solution: Either correct the URL to use the hostname listed in the certificate or issue a new certificate with the correct hostname.

Client: Base ClearCase®/ClearQuest® V2 integration (using perl triggers)
Server: ClearQuest® Web
SSL certificate installed on server: Certificate signed by a certificate authority
Problem: Perl triggers fail to connect with the error "CQWebJava XML Parsing error". If you set CQCC_DEBUG to 2 in the config.pl file, the extended debug information shows "certificate verify failed".
Solution: The problem could be that the issuing certificate authority is not trusted. Create a file with a PEM-encoded copy of the trusted certificate authority's root certificate. In the trigger script's config.pl file, inside the ConfigureTrigger subroutine, provide the pathname to this file:
    $ENV{HTTPS_CA_FILE} = "/path-to-file.pem";
and set the variable to check the certificate's hostname:
    $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 1;

Client: Base ClearCase®/ClearQuest® V2 integration (using perl triggers)
Server: ClearQuest® Web
SSL certificate installed on server: Self-signed certificate
Problem: Perl triggers fail to connect with the error "CQWebJava XML Parsing error". If you set CQCC_DEBUG to 2 in the config.pl file, the extended debug information shows "certificate verify failed".
Solution: The problem could be that the issuing certificate authority is not trusted. Create a file with a PEM-encoded copy of the trusted certificate authority's root certificate. In the trigger script's config.pl file, inside the ConfigureTrigger subroutine, provide the pathname to this file:
    $ENV{HTTPS_CA_FILE} = "/path-to-file.pem";
and set the variable to check the certificate's hostname:
    $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 1;

Client: Base ClearCase®/ClearQuest® V2 integration (using perl triggers)
Server: ClearQuest® Web
SSL certificate installed on server: Any
Problem: Perl triggers fail to connect with the error "CQWebJava XML Parsing error". If you set CQCC_DEBUG to 2 in the config.pl file, the extended debug information shows "certificate verify failed".
Solution: The problem could be that the certificate hostname does not match the URL. Either correct the CQCC_SERVER value to use the hostname listed in the certificate or issue a new certificate with the correct hostname.

Client: Change Management Integration (CMI) or Web Client Integration (UNIX/Linux)
Server: Any supported change management server
SSL certificate installed on server: Self-signed certificate
Problem: The error message includes the text "self signed certificate in certificate chain".
Solution: The problem could be that the self-signed certificate is not trusted. Either issue the certificate from a trusted CA, or trust the self-signed certificate, as follows:
  1. Create a file with a PEM-encoded copy of the trusted self-signed server certificate.
  2. Append this file to var/adm/ClearCase/config/cacert.pem. This certificate is then trusted to identify the specific server hostname.

Client: Change Management Integration (CMI) or Web Client Integration (UNIX/Linux)
Server: Any supported change management server
SSL certificate installed on server: Certificate signed by a certificate authority
Problem: The error message includes the text "self signed certificate in certificate chain".
Solution: The problem could be that the certificate authority is not trusted. Either issue the certificate from a trusted CA, or add the certificate authority to the list of trusted CAs, as follows:
  1. Create a file with a PEM-encoded copy of the authority's root certificate.
  2. Append this file to var/adm/ClearCase/config/cacert.pem. This certificate authority is then trusted to sign any server certificates when using these clients.

Client: Change Management Integration (CMI) or Web Client Integration (UNIX/Linux)
Server: Any supported change management server
SSL certificate installed on server: Any
Problem: The error message includes the text "certificate subject name xxx does not match target host name yyy" or "no alternative certificate subject name matches target host name yyy".
Solution: Either correct the URL to use the hostname listed in the certificate or issue a new certificate with the correct hostname.

Client: Change Management Integration (CMI) or Web Client Integration (Windows)
Server: Any supported change management server
SSL certificate installed on server: Self-signed certificate
Problem: The error message is "no trusted CA chain".
Solution: Either issue the certificate from a trusted CA, or trust the self-signed certificate, as follows:
  1. Extract the server's certificate into a file (use a web browser, view the certificate, save to a file).
  2. Import the certificate into the user's certificate store. (GUI tool: certmgr.msc)

Client: Change Management Integration (CMI) or Web Client Integration (Windows)
Server: Any supported change management server
SSL certificate installed on server: Certificate signed by a certificate authority
Problem: The error message is "no trusted CA chain".
Solution: Either issue the certificate from a trusted CA, or add the certificate authority to the list of trusted CAs. Users must add the certificate authority to the list of trusted certificates:
  1. Obtain the certificate authority root certificate from a trusted source and add it to a file.
  2. Import the certificate into the users' certificate stores. (GUI tool: certmgr.msc)

Client: Change Management Integration (CMI) or Web Client Integration (Windows)
Server: Any supported change management server
SSL certificate installed on server: Any
Problem: The error message could be either "GSKIT_connect_step3 (hostname validation) failed" or "certificate subject name xxx does not match target host name yyy".

Client: Change Management Integration (CMI) or Web Client Integration running on Windows CCRC WAN server on behalf of Web or Automatic views
Server: Any supported change management server
SSL certificate installed on server: Any
Problem: Various problems or errors
Solution: The CCRC WAN server administrator must ensure the change management server's certificate chain is trusted. See Secure Sockets Layer (SSL) certificate for more information.

Client: Change Management Integration (CMI) or Web Client Integration running on UNIX/Linux CCRC WAN server on behalf of Web or Automatic views
Server: Any supported change management server
SSL certificate installed on server: Any
Problem: Various problems or errors
Solution: Follow the suggestions for CMI on a UNIX desktop client.
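
The UNIX/Linux rows above append a PEM file to cacert.pem, and the CTE rows ask users to verify certificate details with the administrator first. The following added example (not IBM's code) combines the two: it appends a certificate to a bundle only when its SHA-256 fingerprint matches a value obtained out-of-band, skips duplicates, and keeps the bundle parseable. The function names and the sample PEM are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import re
import tempfile

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 fingerprint (lowercase hex) of each certificate in pem_text."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_CERT.findall(pem_text)]

def append_trusted(bundle_path, new_pem, expected_fp):
    """Append new_pem to the bundle only if its fingerprint matches the value
    obtained out-of-band; return False if it is already in the bundle."""
    found = fingerprints(new_pem)
    if len(found) != 1:
        raise ValueError("expected exactly one certificate, got %d" % len(found))
    wanted = expected_fp.replace(":", "").replace(" ", "").lower()
    if not hmac.compare_digest(found[0], wanted):
        raise ValueError("fingerprint mismatch: do not trust this certificate")
    existing = ""
    if os.path.exists(bundle_path):
        with open(bundle_path, encoding="utf-8") as fh:
            existing = fh.read()
    if found[0] in fingerprints(existing):
        return False
    with open(bundle_path, "a", encoding="utf-8") as fh:
        # A bundle lacking a final newline would fuse the END/BEGIN markers.
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        fh.write(new_pem.strip() + "\n")
    return True

def make_sample_pem(raw):
    """Constructed sample: arbitrary bytes in PEM armour, not a real certificate."""
    b64 = base64.b64encode(raw).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

if __name__ == "__main__":
    pem = make_sample_pem(b"constructed placeholder for a root CA certificate")
    fp = fingerprints(pem)[0]  # in practice: supplied by the administrator
    with tempfile.TemporaryDirectory() as d:
        bundle = os.path.join(d, "cacert.pem")
        print(append_trusted(bundle, pem, fp))
        print(append_trusted(bundle, pem, fp))
```

Appending a CA root this way trusts every certificate that CA signs, while appending a self-signed server certificate trusts only that server, as the two rows note.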
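
For the hostname-mismatch rows above, the fix is to use a URL whose host is listed in the certificate. This added example (not IBM's code) checks a URL against the names in a certificate and returns the names that would be accepted. It assumes a dict shaped like Python's ssl.SSLSocket.getpeercert() output and approximates common matching rules; the clients named in the table do their own validation. The sample certificate and hostnames are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

SAMPLE_CERT = {  # constructed sample, shaped like getpeercert() output
    "subject": ((("commonName", "ccrc.example.com"),),),
    "subjectAltName": (("DNS", "ccrc.example.com"),
                       ("DNS", "*.cm.example.com"),
                       ("IP Address", "192.0.2.10")),
}

def cert_names(cert):
    """Return (dns_names, ip_names) listed in the certificate."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not san:  # legacy fallback: commonName only when no SAN is present
        dns = [v.lower() for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def dns_match(pattern, host):
    """Exact match, or '*' as the entire left-most label covering one label."""
    p, h = pattern.rstrip(".").split("."), host.rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def url_matches_cert(url, cert):
    """Return (ok, names): whether the URL host is covered, and the names
    that a corrected URL could use."""
    host = (urlsplit(url).hostname or "").lower()
    dns, ips = cert_names(cert)
    try:
        target = ipaddress.ip_address(host)
        ok = any(ipaddress.ip_address(i) == target for i in ips)
    except ValueError:  # not an IP literal, so compare as a DNS name
        ok = any(dns_match(p, host) for p in dns)
    return ok, dns + ips

if __name__ == "__main__":
    for url in ("https://ccrc.example.com/ccrc", "https://ccrc/ccrc"):
        print(url, url_matches_cert(url, SAMPLE_CERT))
```

A short hostname or an IP address in the server URL is the usual cause when the fully qualified name is the only one in the certificate.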