AES 4.2.2 Local WebLM Certificate Error. Sets DMCC Service to Error Mode


Doc ID    SOLN239572
Version:    3.0
Status:    Published
Published date:    18 Aug 2015
Created Date:    05 Nov 2013
Author:    David Barnhart

Details

 AES 6.3.3

AES 4.2.2 Super Patch 4 Bundled Offer. The certificate check fails with a PKIX path validation failure:
WARNING: Failed to connect to WebLM server on https://192.168.10.14:443/WebLM/LicenseServer - Problem with connection to server: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed.
2013-10-30 17.19.24,890 com.avaya.licensesvc.LicenseServiceImpl setLicenseMode
WARNING: The AES License Service has detected a licensing problem - setting DMCC license mode to ERROR.
You have 30 days to install a valid WebLM license for Application_Enablement.
 
[sroot@AESbon craft]# /opt/mvap/bin/mvap.sh status
                  ch.ecma.csta.physical.PhysicalDeviceServices : Stopped
                  com.avaya.cmapi.extsvc.E164ConversionServices : Stopped
                  SessionService : Stopped
                  TsapiService : Running
                  DapiLinkManager : Stopped
                  com.avaya.mvcs.proxy.ClientProxyService : Stopped
                  CmapiService : Stopped
                  LocalContextViewer : Running
                  ch.ecma.csta.system.SystemServices : Stopped
                  com.avaya.cmapi.extsvc.ServerCallControlServices : Stopped
                  ch.ecma.csta.system.CapabilityExchangeServices : Stopped
                  com.avaya.cmapi.intsvc.CstaTerminalMgr : Stopped
                  ch.ecma.csta.voiceunit.VoiceUnitServices : Stopped
                  DlgService : Running
                  CvlanService : Running
                  com.avaya.csta.tonecollection.ToneCollectionServices : Stopped
                  com.avaya.cs.callcontrol.CallControlSnapshot : Stopped
                  com.avaya.common.eventservice.EventServiceManager : Stopped
                  TransportService : Running
                  com.avaya.cmapi.callinformation.CallInformationServices : Stopped
                  ServiceLoader : Running
                  AsaiLinkManager : Running
                  LicenseService : Stopped
                  com.avaya.cmapi.extsvc.ServerLogicalDeviceFeatureServices : Stopped
                  com.avaya.cmapi.intsvc.CallInfoHelperServices : Stopped
                  Resolver : Running
                  com.avaya.cmapi.extsvc.ServerRegistrationServices : Stopped
                  com.avaya.csta.tonedetection.ToneDetectionServices : Stopped
                  com.avaya.csta.device.DeviceServices : Stopped
                  com.avaya.cmapi.extsvc.ServerSnapshotServices : Stopped
                  RouterService : Stopped
                  ch.ecma.csta.monitor.MonitoringServices : Stopped
                  LoggerConfigService : Running
                  HotDeployService : Running
                  com.avaya.csta.terminal.TerminalServices : Stopped
                  Broker : Running
                  com.avaya.router.Router : Stopped
                  LifeCycleManager : Running

Problem Clarification

 

The CMAPI Service (DMCC) could not obtain a license from WebLM, so the service remained in “Error Mode” and did not start.

Cause

The customer didn't install the root certificate.

The WebLM certificate was invalid. This issue is covered in PSN003211U but should not affect an AES with a local WebLM. Below is an excerpt of the faulty WebLM certificate:
[sroot@AESbon craft]# openssl s_client -connect <WebLM IP Address>:443  <-- Local WebLM port
CONNECTED(00000003)
                  ---
                  Certificate chain
                   Note: This section is omitted to protect the customer.
                  ---                   
                  Server certificate
                  Note: This section is omitted to protect the customer.
                  ---
                  No client certificate CA names sent  <-- This is informational and not an error.
                  ---
                  SSL handshake has read 1830 bytes and written 314 bytes
                  ---
                  New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
                  Server public key is 1024 bit
                  SSL-Session:
                      Protocol : SSLv3
                      Cipher    : DHE-RSA-AES256-SHA
                      Session-ID: C42979C90CF2CF431F98E1448BB82AD6B953C480E0FF59D208DF150E6FED6E62
                      Session-ID-ctx:
                      Master-Key:
                  0E4D3DE99010F54F81DC7C13CE3A99FE7BE67D97A37270233E734F2050A93606E5EA49FFBD1610FB30F408A80AE17B81
                      Key-Arg   : None
                      Krb5 Principal: None
                      Start Time: 1383577132
                      Timeout   : 7200 (sec)
                      Verify return code: 21 (unable to verify the first certificate)
                  ---
Error 21: X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate. No signatures could be verified because the chain contains only one certificate and it is not self-signed.
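
Added example (not part of the original article and not Avaya tooling): a Python script that correlates the license-service log with captured `openssl s_client` output to confirm the diagnosis above, namely verify code 21 on a chain whose last certificate is not self-signed. The sample log, the IP address and the certificate names are constructed, and `triage` and its field names are hypothetical.

```python
import re

# Constructed sample input, modelled on the log and s_client output above.
SAMPLE_LOG = """\
WARNING: Failed to connect to WebLM server on
    https://192.0.2.10:443/WebLM/LicenseServer - Problem with connection to
    server: sun.security.validator.ValidatorException: PKIX path validation failed:
    java.security.cert.CertPathValidatorException: signature check failed.
WARNING: The AES License Service has detected a licensing problem - setting DMCC
    license mode to ERROR.
"""
SAMPLE_S_CLIENT = """\
Certificate chain
 0 s:/C=XX/O=Example/CN=weblm.example.internal
   i:/DC=internal/DC=example/CN=EXAMPLE-CA
    Verify return code: 21 (unable to verify the first certificate)
"""

# OpenSSL verify codes that concern chain building.
VERIFY_CODES = {
    0: "X509_V_OK",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

def triage(log_text, s_client_text):
    """Correlate the license-service log with the chain the server presents."""
    flat = " ".join(log_text.split())  # undo line wrapping in the log
    url = re.search(r"Failed to connect to WebLM server on (\S+)", flat)
    code = re.search(r"Verify return code:\s*(\d+)", s_client_text)
    # Each chain entry is "<depth> s:<subject>" followed by "i:<issuer>".
    chain = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", s_client_text, re.M)
    chain = [(s.strip(), i.strip()) for s, i in chain]
    # The presented chain is complete only if it ends in a self-signed root.
    ends_at_root = bool(chain) and chain[-1][0] == chain[-1][1]
    verify_code = int(code.group(1)) if code else None
    return {
        "weblm_url": url.group(1) if url else None,
        "pkix_failure": "PKIX path validation failed" in flat,
        "license_error_mode": "license mode to ERROR" in flat,
        "verify_code": verify_code,
        "verify_name": VERIFY_CODES.get(verify_code, "other"),
        "chain_length": len(chain),
        "missing_issuer": None if ends_at_root or not chain else chain[-1][1],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_S_CLIENT))
```

A non-empty `missing_issuer` names the CA certificate that the verifying side must already hold, which matches the cause recorded above.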

Solution

Upgrade the AES to 4.2.4 and apply Super Patch 2 which is a cumulative patch.


Avaya -- Proprietary. Use pursuant to the terms of your signed agreement or Avaya policy