Loading...
Loading...
Users are unable to log in to the NetWorker Web User Interface (NWUI).The following error is observed in nwui.log: Linux: /nsr/authc/logs/nwui.logWindows (Default): C:\Program Files\EMC NetWorke\nsr\authc-server\tomcat\logs\nwui.log ERROR c.e.n.c.n.impl.GlobalApi - Failed to authenticate user <username> with the provided password on Authentication Server <NetWorker server>. javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This issue appears because of missing or incorrect emcauthtomcat certificate/signature in the NetWorker runtime cacerts file. For example, During certificate import, the following command was previously ran successfully: C:\Program Files\NRE\java\jdk-17.0.18\bin>keytool.exe -import -alias emcauthtomcat -cacerts -storepass changeit -file "C:\Program Files\EMC NetWorke\nsr\authc-server\conf\emcauthcsaml.cer" In this scenario, the issue occurs because emcauthcsaml.cer was imported into the Java cacerts truststore using the alias emcauthtomcat. NWUI expects the Tomcat authentication certificate (emcauthctomcat.cer), not the SAML certificate, to be trusted. Importing the wrong certificate results in an SSL trust chain failure, causing the PKIX path building error.
The process outlined ensures that all the certificates required for NWUI are properly set. NOTE: The process outlined returns the default self-signed certificates deployed by NetWorker, to use CA-signed certificates instead, see:NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "AUTHC" and "NWUI" (Linux)NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "AUTHC" and "NWUI" (Windows) Stop the NetWorker and NWUI services: Windows: net stop nwui net stop nsrexecd /y Linux: systemctl stop nwui nsr_shutdown Change directory to your NetWorker runtime bin directory and remove the emcauthctomcat, emcnwuimonitoring, and emcnwuiserv certificates from the NetWorker runtime cacerts keystore: Windows: PS C:\Users\Administrator> cd "C:\Program Files\NRE\java\jdk-17.0.18\bin" PS C:\Program Files\NRE\java\jdk-17.0.18\bin> PS C:\Program Files\NRE\java\jdk-17.0.18\bin> .\keytool.exe -delete -alias emcauthtomcat -keystore ..\lib\security\cacerts -storepass changeit PS C:\Program Files\NRE\java\jdk-17.0.18\bin> .\keytool.exe -delete -alias emcnwuimonitoring -keystore ..\lib\security\cacerts -storepass changeit Linux: [root@nsr ~]# cd /opt/nre/java/latest/bin/ [root@nsr ~]# ./keytool -delete -alias emcauthtomcat -keystore ../lib/security/cacerts -storepass changeit [root@nsr ~]# ./keytool -delete -alias emcnwuimonitoring -keystore ../lib/security/cacerts -storepass changeit [root@nsr ~]# ./keytool -delete -alias emcnwuiserv -keystore ../lib/security/cacerts -storepass changeit NOTE: Networker Runtime Environemtn 17.x will report "Warning: use -cacerts option to access cacerts keystore". The above commands still work on NRE 17.x; however, the "-keystore ..\lib\security\cacerts" option can be replaced with "-cacerts" instead. On Windows, the Java bin path differs depending on the Java version installed. Import the correct certificates into the Java cacerts keystore. When prompted, type `yes` to trust the certificate. Windows: PS C:\Program Files\NRE\java\jdk-17.0.18\bin> .\keytool.exe -import -alias emcauthtomcat -keystore ..\lib\security\cacerts -storepass changeit -file "C:\Program Files\EMC NetWorke\nsr\authc-server\conf\emcauthctomcat.cer" PS C:\Program Files\NRE\java\jdk-17.0.18\bin> .\keytool.exe -import -alias emcnwuimonitoring -keystore ..\lib\security\cacerts -storepass changeit -file "C:\Program Files\EMC NetWorker\nwui\monitoring\app\conf\emcnwuimonitoring.cer" NOTE: The above commands assume that the default NetWorker installation path is used. If NetWorker is installed in another location, adjust the commands for your install path. Linux: [root@nsr ~]# ./keytool -import -alias emcauthtomcat -keystore ../lib/security/cacerts -storepass changeit -file /nsr/authc/conf/emcauthctomcat.cer [root@nsr ~]# ./keytool -import -alias emcnwuimonitoring -keystore ../lib/security/cacerts -storepass changeit -file /nsr/nwui/monitoring/app/conf/emcnwuimonitoring.cer [root@nsr ~]# ./keytool -import -alias emcnwuiserv -keystore -storepass changeit -file /opt/nwui/conf/emcnwuiserv.cer Start the NetWorker and NWUI services: Windows: net start nsrexecd net start nsrd net start nwui Linux: systemctl start networker systemctl start nwui After services have started log in through the NWUI interface Authentication should complete successfully without SSL or PKIX errors.
Click on a version to see all relevant bugs
Dell Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.