Splunk AppDynamics

HTTP Request failing due to self-signed cert on target server

CommunityUser
Splunk Employee

We are attempting to use an HTTP Request in AppDynamics to scale up/down a VM based on business transactions.  The scaling is being done by CloudCenter.  Unfortunately, the request is not being accepted due to the CloudCenter Manager using a self-signed cert.  When testing the request, we see the following error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Would it be possible to bypass this cert check in the AppD Controller?  We've had a similar issue with Jenkins, so we were hoping to mitigate the problem with the same solution - importing the cert into the AppD Controller keystore - but we were unable to find the java installation directory to complete the necessary steps.

This is the link we were following:

https://erikzaadi.com/2011/09/09/connecting-jenkins-to-self-signed-certificated-servers/


Mann_Brenner
Engager

Try the steps below.

Choose a single format and start the uploading process. If you choose PEM, follow the steps mentioned in Scenario 1 or directly move to Scenario 2 if you have selected the PKCS#7 format. 

Scenario 1:

Step 1: Import the Root and Intermediate Certificates (CA bundle) by using the command given below:

keytool -import -trustcacerts -alias ca -file file.ca-bundle -keystore mykeystore.jks

Note: The alias name and keystore alias names should not be the same.

Step 2: Utilize the below-written code to upload the files after importing the SSL certificate:

keytool -import -trustcacerts -alias myalias -file file.crt -keystore mykeystore.jks

Note: The alias and keystore alias names should be the same.

Scenario2:

Step 1: Use the command given below to upload every single file in one go:

keytool -import -trustcacerts -alias myalias -file file.p7b -keystore mykeystore.jks

The alias attribute must match the alias set for your keystore.

Note: You will be prompted to enter the keystore password. Ensure that the attribute myalias matches the alias set for your keystore. (If you have doubts, use this command to see the alias name: keytool -list -v -keystore mykeystore.jks)

Check this one https://cheapsslweb.com/resources/how-to-install-an-ssl-certificate-on-glassfish if you are still facing issues.

Brian_Wheeldon
Contributor

Hi Andrew,

The AppDynamics Controller is GlassFish. I found some generic instructions for installing a SSL certificate on a GlassFish appserver.

The command line to import the cert will look something like this:

keytool -import -trustcacerts -alias s1as -file "/opt/AppDynamics/Controller/appserver/glassfish/domains/domain1/config/certnew.cer" -keystore "/opt/AppDynamics/Controller/appserver/glassfish/domains/domain1/config/keystore.jks"

Regards,

CommunityUser
Splunk Employee

We actually attempted to do this last night.  Unfortunately, following these steps results in the AppD Controller crashing.

Here are the steps we followed:

  1. Copy public.key and public.crt to the /tmp directory on the AppD machine.
  2. keytool -import -trustcacerts -alias ccm -file public.crt -keystore /usr/local/appdynamics/AppDPlatform/controller/appserver/glassfish/domains/domain1/config/keytool.jks
  3. Answer “Yes”
  4. Stop Controller
  5. Start Controller

However, once the Controller came back from the reboot, we could never get back into the GUI. The closest error we could get from the logs was:

ConfigurationChannel - Could not connect to the controller/invalid response from controller, cannot get initialization information, controller host [localhost], port[443], exception [Fatal transport error while connecting to URL [/controller/instance/0/applicationConfiguration]]

Any more thoughts?  FWIW, this is what we did on the CCM to create the cert:

  1. openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx-private-selfsigned.key -out nginx-private-selfsigned.crt
  2. Answer questions. Most importantly the Common Name question - give it the (public in this case) IP of the server in question.
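
A guarded form of the keytool import discussed in this thread, as an added example that is not from any of the posters or from AppDynamics: it checks that the store exists and the alias is free, keeps a rollback copy, and verifies the imported entry by fingerprint. The function names, the `.bak` suffix and all arguments are assumptions, and it needs `keytool` and `openssl` on the PATH.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): guarded import into a Java trust store.
# Store path, alias and password are caller-supplied placeholders.

# cert_has_san <cert.pem>: succeeds if the certificate carries a subjectAltName.
# Java's HTTPS hostname check needs an IP SAN when the URL uses an IP address;
# a Common Name alone does not satisfy it.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Alternative Name'
}

# sha256_fp: read a PEM certificate on stdin, print its SHA-256 fingerprint.
sha256_fp() { openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }

# import_trusted_cert <cert.pem> <truststore> <alias> <storepass>
import_trusted_cert() {
    local cert=$1 store=$2 alias=$3 pass=$4 want got
    # 1. Must be a parseable X.509 certificate (rejects private key files).
    want=$(sha256_fp < "$cert" 2>/dev/null) && [ -n "$want" ] ||
        { echo "not an X.509 certificate: $cert" >&2; return 2; }
    # 2. keytool creates a brand-new store when the path does not exist, so a
    #    mistyped file name would "succeed" without touching the real store.
    [ -f "$store" ] || { echo "trust store not found: $store" >&2; return 3; }
    # 3. Never reuse an alias; an existing entry may be the server's own key pair.
    if keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" >/dev/null 2>&1; then
        echo "alias already in use: $alias" >&2; return 4
    fi
    # 4. Keep a rollback copy before changing anything.
    cp -p "$store" "$store.bak" || return 5
    # 5. Import as a trusted certificate entry; restore the copy on failure.
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cert" \
        -keystore "$store" -storepass "$pass" >/dev/null 2>&1 ||
        { cp -p "$store.bak" "$store"; return 6; }
    # 6. Read the entry back and compare it with the file we were given.
    got=$(keytool -exportcert -rfc -alias "$alias" -keystore "$store" \
        -storepass "$pass" 2>/dev/null | sha256_fp 2>/dev/null)
    [ "$got" = "$want" ] || { cp -p "$store.bak" "$store"; return 7; }
    cert_has_san "$cert" || echo "warning: no subjectAltName in $cert" >&2
    return 0
}
```

Run it against a copy of the store first, and restart the Java process only after the function returns 0.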