Restoring trust relationship between replication source and receiver after installing a custom certificate in InterScan Web Security Virtual Appliance (IWSVA) 6.5

    • Updated: 29 May 2018
    • Product/Version: InterScan Web Security Virtual Appliance 6.5
    • Platform: N/A
Summary

When a customized certificate for the web console of IWSVA is installed in an environment with several instances of IWSVA, the trust relationship between them is broken. This affects the configuration replication feature, because the configuration receiver needs to trust the certificate of the configuration source and vice versa for this to work.

If this is your first try registering a configuration receiver with the configuration source, the following error message will be displayed:

You are not connected to the replication source. Make sure the source's web console is accessable.


The log file catalina.out on the receiver contains the following lines:

CCR: ReplicationReceiver: register to [IP of configuration source] error.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If configuration replication has already been configured and you add a custom web console certificate afterwards, you will only see the same entries in the catalina.out file, but you will not get the pop-up with the above error message.

Details

To restore the trust relationship between the configuration source and the configuration receiver in order for configuration replication to work, export the web console certificate of each side and import it into the trusted CA keystore of the other side, then register the receivers again.

Before starting the procedure, take a snapshot of the two IWSVAs if installed on virtual machines or create a backup of the configuration (Config Backup/Restore) if installed on bare metal.

First, export the certificate of the configuration source and import it on each configuration receiver:
  1. On the configuration source, log on either directly or with SSH as root.
  2. Change the directory to /usr/iwss/AdminUI/jre/bin/ using the following command:

    cd /usr/iwss/AdminUI/jre/bin

  3. Enter the following command to display the hostname:

    hostname

  4. Enter the following command, replacing <hostname> with the output of the command from the previous step:

    ./keytool -export -alias tomcat-server -file <hostname>.crt -keystore /etc/iscan/AdminUI/tomcat/keystore

     
    • The default keystore password is "adminIWSS85". If that does not work, check the keystorePass for port 8443 in /var/iwss/tomcat/conf/server.xml.
    • If you get the error message "keytool error: java.lang.Exception: Alias does not exist", check the name of the alias with the following command:

      /usr/iwss/AdminUI/jre/bin/keytool -v -list -keystore /etc/iscan/AdminUI/tomcat/keystore

    • If the certificate format is PKCS #12 (.p12 or .pfx), add "-storetype pkcs12" to the commands above.
  5. Copy the file <hostname>.crt from the directory /usr/iwss/AdminUI/jre/bin on the configuration source to your desktop using an SCP client such as WinSCP or an FTP client such as FileZilla in SFTP mode.
  6. Copy the file from your desktop to the directory /usr/iwss/AdminUI/jre/bin on each configuration receiver.
  7. On each configuration receiver, log on either directly or with SSH as root.
  8. Change the directory to /usr/iwss/AdminUI/jre/bin/ using the following command:

    cd /usr/iwss/AdminUI/jre/bin

  9. Change the ownership of the file <hostname>.crt with the following command (replacing <hostname>.crt with the actual filename):

    chown iscan:iscan <hostname>.crt
  10. Import the certificate into the keystore containing the trusted CA certificates on the configuration receiver with the following command (replacing <hostname>.crt with the actual filename):

    ./keytool -importcert -noprompt -keystore /usr/iwss/AdminUI/jre/lib/security/cacerts -storepass changeit -alias tomcat -file <hostname>.crt

     
    The default storepass password is "changeit"
  11. Restart the web console with the following command:

    /etc/iscan/S99IScanHttpd restart

Next, export the certificate of each configuration receiver and import it on the configuration source:
  1. On each configuration receiver, log on either directly or with SSH as root.
  2. Change the directory to /usr/iwss/AdminUI/jre/bin/ using the following command:

    cd /usr/iwss/AdminUI/jre/bin

  3. Enter the following command to display the hostname:

    hostname

  4. Enter the following command, replacing <hostname2> with the output of the command from the previous step:

    ./keytool -export -alias tomcat-server -file <hostname2>.crt -keystore /etc/iscan/AdminUI/tomcat/keystore

     
    • The default keystore password is "adminIWSS85". If that does not work, check the keystorePass for port 8443 in /var/iwss/tomcat/conf/server.xml.
    • If you get the error message "keytool error: java.lang.Exception: Alias does not exist", check the name of the alias with the following command:

      /usr/iwss/AdminUI/jre/bin/keytool -v -list -keystore /etc/iscan/AdminUI/tomcat/keystore

    • If the certificate format is PKCS #12 (.p12 or .pfx), add "-storetype pkcs12" to the commands above.
  5. Copy the file <hostname2>.crt from the directory /usr/iwss/AdminUI/jre/bin on each configuration receiver to your desktop using an SCP client such as WinSCP or an FTP client such as FileZilla in SFTP mode.
  6. On the configuration source, copy the file from your desktop to the directory /usr/iwss/AdminUI/jre/bin.
  7. On the configuration source, log on either directly or with SSH as root.
  8. Change the directory to /usr/iwss/AdminUI/jre/bin/ with the following command:

    cd /usr/iwss/AdminUI/jre/bin

  9. Change the ownership of the file <hostname2>.crt with the following command (replacing <hostname2>.crt with the actual filename):

    chown iscan:iscan <hostname2>.crt

  10. Import the certificate into the keystore containing the trusted CA certificates on the configuration source with the following command (replacing <hostname2>.crt with the actual filename):

    ./keytool -importcert -noprompt -keystore /usr/iwss/AdminUI/jre/lib/security/cacerts -storepass changeit -alias tomcat -file <hostname2>.crt

     
    • The default storepass password is "changeit".
    • If the alias already exists, you will be interrupted by the error "keytool error: java.lang.Exception: Certificate not imported,alias already exists". In this case, change the alias "tomcat" to something else, for instance "tomcat1".
  11. Restart the web console with the following command:

    /etc/iscan/S99IScanHttpd restart
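The two export/import procedures above can be wrapped in a small shell helper. This is an added example, not part of the Trend Micro article: it uses the article's paths and commands, detects whether the Tomcat keystore is JKS or PKCS #12 (so "-storetype pkcs12" is added only when needed), and imports each peer certificate under a per-peer alias derived from the file name instead of the fixed "tomcat" alias, which avoids the "alias already exists" error when several receivers are imported on the source. The function names and the alias scheme are assumptions of this example.

```shell
#!/bin/sh
# Added helper (not from the Trend Micro article). Paths are the ones the
# article gives for IWSVA 6.5.
set -e

KEYTOOL=/usr/iwss/AdminUI/jre/bin/keytool
SERVER_KEYSTORE=/etc/iscan/AdminUI/tomcat/keystore
CACERTS=/usr/iwss/AdminUI/jre/lib/security/cacerts
CACERTS_PASS=changeit

# keystore_type <file>: a JKS keystore starts with the magic bytes FE ED FE ED,
# a PKCS#12 keystore is DER and starts with 0x30 (SEQUENCE).
keystore_type() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    feedfeed) echo jks ;;
    30*)      echo pkcs12 ;;
    *)        echo unknown ;;
  esac
}

# trust_alias <certfile>: "tomcat-<hostname>" from "<hostname>.crt", lower-cased
# because keytool treats aliases case-insensitively (assumed alias scheme).
trust_alias() {
  printf 'tomcat-%s\n' "$(basename "$1" .crt)" | tr 'A-Z' 'a-z'
}

# export_own_cert <keystore-password>: writes <hostname>.crt in the current directory
export_own_cert() {
  opts=""
  [ "$(keystore_type "$SERVER_KEYSTORE")" = pkcs12 ] && opts="-storetype pkcs12"
  "$KEYTOOL" -export -alias tomcat-server -file "$(hostname).crt" \
    -keystore "$SERVER_KEYSTORE" -storepass "$1" $opts
}

# import_peer_cert <certfile>: import into the JRE trust store, skip if already present
import_peer_cert() {
  alias=$(trust_alias "$1")
  if "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$CACERTS_PASS" \
       -alias "$alias" >/dev/null 2>&1; then
    echo "alias $alias already present in $CACERTS, nothing to do"
    return 0
  fi
  chown iscan:iscan "$1"
  "$KEYTOOL" -importcert -noprompt -keystore "$CACERTS" -storepass "$CACERTS_PASS" \
    -alias "$alias" -file "$1"
  # confirm the entry is there before restarting the web console
  "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$CACERTS_PASS" -alias "$alias"
}
```

Run export_own_cert on each appliance, copy the resulting .crt files across as in the steps above, call import_peer_cert on each received file, then restart the web console with /etc/iscan/S99IScanHttpd restart.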

 
The following steps apply if the configuration source has been previously registered successfully with the configuration receiver. Otherwise, skip steps 1 - 4.
  1. On the web console of the configuration source go to Administration > IWSVA Configuration > Replication Configuration.
  2. In the list of replication receivers, click on the bin icon in the "Action" column for each receiver.
  3. On the web console of each configuration receiver go to Administration > IWSVA Configuration > Replication Configuration. Take note of the current settings.
  4. Change the server role to "Standalone" and click Save.
  5. On the configuration receiver, change the server role back to "Configuration receiver" and enter the following settings:

    • Management IP: IP address of the configuration source
    • Management Port: 8443, tick next to "Connect using HTTPS"
    • Administrator Account: admin (not configurable)
    • Administrator Password: password for the admin account
  6. Click Save then wait for a few minutes.
  7. On the web console of the configuration source, refresh the page by clicking Replication Configuration in the navigation bar on the left. You will now see the receiver(s) in the list.
  8. Verify that the configuration replication is working by selecting the receiver(s) and clicking on Replicate Now. Select the type of replication, click OK and then OK again when prompted. Wait for a few minutes. If "last update time" is not populated immediately, refresh the page again.
Rating:
Category:
Configure; Troubleshoot
Solution Id:
1119182