Recently I was asked to integrate IBM Tivoli Netcool with an external helpdesk application. Though not an uncommon scenario, it was the first time I had performed a web services integration using the IBM Tivoli Business Service Manager (V6.1) flavour of Impact. I went through the usual procedure of downloading the .wsdl file from the external helpdesk, and from that file I crafted an Impact policy which would raise an incident in the helpdesk application.
 

However, on executing the policy the following error was displayed:
[Screenshot: TBSM TIP2]

This ‘Certificate chaining error’ was obviously preventing the incidents from being raised in the helpdesk.

A ‘Certificate chaining error’ indicates that the intermediate certificate or certificates are not installed on the server. If a certificate is not a self-signed/root certificate, intermediate certificates must be installed to link it up to the root certificate authority.

So to fix this problem I needed to import the intermediate certificate into the correct application server trust store.
The TBSM architecture in use was split over two servers, with the TBSM data server on one server (including Impact) and Tivoli Integrated Portal on the other. Therefore, as the problem occurred when I executed the policy, it was the trust store for Impact that required the imported certificates.
On exploring the TBSM data server, the location of the trust store was:

/opt/IBM/tivoli/tipv2/profiles/TBSMProfile/config/cells/TBSMCell/nodes/TBSMNode/trust.p12
To examine the trust.p12 trust store, the iKeyman tool was used. The default password to access the trust store in question was WebAS.
From the ‘Key database Content’ section, Signer Certificates was selected from the drop-down box, which displayed the signer certificates currently residing in the store.
[Screenshot: trustdefault]

There were only two signer certificates present: ‘datapower’ and ‘root’.

As the certificate used by the helpdesk application was not present, I needed to import the helpdesk certificate containing the certificate chain.

However, before I could import the certificate I needed to export the certificate used by the helpdesk application. An internet browser was used for the export; in this case I used Mozilla Firefox 3.6.27, but you can use whatever browser you are most comfortable with.

The certificate in question, ‘Thawte SSL CA’, was saved as file type X.509 Certificate with chain (PKCS#7).
The exported certificate was then moved to the TBSM data server and examined with the Java keytool. To examine the certificate the following command was used:
keytool -printcert -v -file /home/netcool/ThawteSSLCA.p7c
The output of the command is displayed below:
[Screenshot: output]
As you can see, the certificate contains both the intermediary certificate ‘Thawte SSL CA’ and the root certificate ‘thawte Primary Root CA’.

To import the certificate into the TBSM trust store (trust.p12), the iKeyman tool was used. The trust store at the location below was opened:
/opt/IBM/tivoli/tipv2/profiles/TBSMProfile/config/cells/TBSMCell/nodes/TBSMNode/trust.p12
From the ‘Key database Content’ section, Signer Certificates was again selected from the drop-down box, which displayed the signer certificates currently residing in the store.
To add the certificate I clicked on the ‘Add’ button and then browsed to the location of the certificate at /home/netcool. This then added the certificate to the ‘Signer Certificates’.
[Screenshot: ThawteSSL]

However, since the imported certificate contains the certificate chain, iKeyman asked me to select the certificates for import. As I needed to import both the root and intermediary certificates, both certificates were selected.
[Screenshot: selectcert]

Once the certificates were in the store, iKeyman was closed and the Impact policy was run once more.
[Screenshot: success]
Success: no certificate chaining errors were displayed and the policy was successful.
To verify that the policy did indeed create the ticket, I logged into the helpdesk and could immediately see that the incident had been created.
[Screenshot: incident1]

By clicking on the incident I could view more details of the incident I had just created via the Impact component of TBSM.
[Screenshot: Incident2]
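
The chaining failure and its fix can be reproduced offline with OpenSSL. This is an added example, not part of the original post: it builds a constructed root, intermediate and server certificate (all names are assumptions), uses a PEM file in place of trust.p12, and shows validation failing until both signer certificates from the PKCS#7 bundle are added.

```bash
#!/usr/bin/env bash
# Constructed demo: every key, certificate and name below is generated locally.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

# issue NAME CN IS_CA [ISSUER]: new key and certificate; self-signed if no ISSUER.
issue() {
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -days 2 -extfile "$1.ext" \
      -CA "$4.pem" -CAkey "$4.key" -CAcreateserial -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -days 2 -extfile "$1.ext" \
      -signkey "$1.key" -out "$1.pem" 2>/dev/null
  fi
}

# chain_ok TRUST CERT: true only if CERT chains up to a signer held in TRUST.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# count_certs P7C: number of certificates inside a DER PKCS#7 bundle.
count_certs() {
  openssl pkcs7 -inform DER -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

issue other "Unrelated Signer" TRUE          # stands in for the existing signers
issue root  "Demo Primary Root CA" TRUE
issue inter "Demo SSL CA" TRUE root          # intermediate, signed by the root
issue leaf  "helpdesk.example" FALSE inter   # server certificate

# Trust store before the import: holds only the unrelated signer.
cp other.pem trust.pem
chain_ok trust.pem leaf.pem && before=ok || before="chaining error"

# Equivalent of the browser export: intermediate plus root in one PKCS#7 file.
openssl crl2pkcs7 -nocrl -certfile inter.pem -certfile root.pem \
  -outform DER -out chain.p7c

# Equivalent of selecting both certificates in iKeyman: add every signer.
openssl pkcs7 -inform DER -in chain.p7c -print_certs >> trust.pem
chain_ok trust.pem leaf.pem && after=ok || after="chaining error"

echo "bundle holds $(count_certs chain.p7c) certificates"
echo "before import: $before"
echo "after import:  $after"
```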
 
