Opentext™ Documentum™ Server Certificate Based SSL Configuration and Troubleshooting
Application Note
OpenText™ Documentum™ Server
Certificate Based SSL Configuration and
Troubleshooting
Contents
Executive summary
  Audience
Configuration
  Docbroker
    Create Docbroker Keystore
    Create Docbroker Keystore's password file
    Docbroker configuration
    Start Docbroker
  Server
    Create Server Keystore
    Create Server Keystore's password file
    Create Server Trust-Store
    Server configuration
    Start Server
  DFC
    Create DFC Trust-Store
    DFC configuration
Troubleshooting
  Docbroker startup fails
    Using OpenSSL
    Using Keytool
  Server startup fails
  Server not able to connect to Docbroker
    Using OpenSSL
    Using Keytool
  Clients not able to connect to Docbroker
  Clients not able to connect to Server
  Multiple Docbase
  Miscellaneous
Conclusion
References
Appendix
  Documentum Server Error Messages Quick Reference
Executive summary
OpenText™ Documentum™ Server and Connection Broker support connections in
both native and secure modes. For secure connections, Anonymous SSL is used by
default. Support for Non-Anonymous (Certificate based) SSL communication is a
new feature introduced in Documentum Server to further enhance communication
security. To use Certificate based SSL, Documentum Server, Docbroker and
Clients need to be configured after installation. This paper explains the
configuration and troubleshooting steps in detail.
All the components (Server, Docbroker and Clients) must use the same mode for
secure communication. Mixed environments are not supported, i.e. either all the
components use Anonymous SSL or all of them use Non-Anonymous SSL for
communication. For Certificate based SSL, the only supported cipher is AES128-SHA,
for maintaining backward compatibility with the RSA libraries.
Audience
The audience for this white paper comprises personnel responsible for the
installation, configuration, and deployment of Documentum Server in production
environments. This document is intended for internal OpenText teams, partners, and
customers.
Configuration
This section describes the steps required to configure the different components of the
system (Docbroker, Documentum Server, Clients) to use certificate based SSL for
communication. The following needs to be configured:
• Docbroker as SSL server (Documentum Server and DFC as SSL clients)
• Documentum Server as SSL server (DFC as SSL client) and as SSL client
(Docbroker as SSL server)
• DFC as SSL client
To enable clients to use Certificate based SSL for secure connections to Docbroker
and Documentum Server, Docbroker and Documentum Server must be installed in
'secure' or 'native & secure' mode. After installation is complete, all the services
(Docbroker, Documentum Server and Method Server) need to be stopped, and then
the system needs to be configured for Certificate based SSL manually. Currently the
Documentum Server installer does not support automatic configuration of Certificate
based SSL, so this configuration has to be done manually after installation.
Docbroker
Docbroker looks for its private key and public certificate in a Keystore, which must be
in PKCS #12 format. There is no restriction on the Keystore's filename or extension. It
must be placed in $DOCUMENTUM/dba/secure, as Docbroker looks in this
directory to locate its keystore. To generate Docbroker's keystore (broker.p12)
containing the key and a self-signed public certificate, use the command below:
When executed, it asks for the key's and the Keystore's passwords. The -name option
is specified to provide an alias for the key in the keystore.
Docbroker configuration
Docbroker uses properties in its configuration file (<Docbroker>.ini) to resolve
the Keystore and password file names. The property keystore_file specifies the
Keystore file name and keystore_pwd_file specifies the name of the file in
which the Keystore's password is stored.
Put the mandatory properties below in Docbroker's configuration file
(<Docbroker>.ini) in the $DOCUMENTUM/dba directory, naming the files generated
in the previous steps:
keystore_file=broker.p12
keystore_pwd_file=broker.pwd
Start Docbroker
Docbroker should start successfully on the secure port (1490).
Server
The generated keys must now be stored in a Keystore. The Server Keystore must be
in PKCS #12 format. There is no restriction on the Keystore's filename or extension. It
must be placed in $DOCUMENTUM/dba/secure, where the server looks to locate its
Keystore. Generate the Server's Keystore (server.p12) containing the private key and
self-signed public certificate using the command below:
Server configuration
The Server resolves the file names of its Keystore, trust-store and Keystore password
file by reading properties from the Server configuration file (server.ini). The property
keystore_file specifies the name of the Server's keystore,
keystore_pwd_file the password file name and truststore_file the
trust-store name. All of the properties below are mandatory.
Put the properties below in the Server configuration file (server.ini):
keystore_file=server.p12
keystore_pwd_file=server.pwd
truststore_file=server-trust.p7b
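The key-generation commands referred to in the Docbroker and Server sections did not survive in this copy of the note. The shell script below is an added example, not OpenText's own commands, showing one way to produce with OpenSSL the files those sections name (broker.p12 and broker.pwd, server.p12 and server.pwd, and server-trust.p7b holding the Docbroker's certificate) and to verify them the way the troubleshooting section suggests. The host names, key size, validity period, passwords, the -subj values and the use of crl2pkcs7 to build the .p7b file are assumptions; plain-text password files are used, which the note allows for testing only, and $DOCUMENTUM falls back to a scratch directory so the script runs without a Documentum installation.

```shell
#!/bin/sh
# Added example (not from the OpenText application note): build the Docbroker and
# Server PKCS #12 keystores, their plain-text password files and the Server's
# PKCS #7 trust-store with OpenSSL, then verify them.
set -eu

# The note's destination directory; a scratch directory when $DOCUMENTUM is unset.
SECURE_DIR="${DOCUMENTUM:-$(mktemp -d)}/dba/secure"

# Create a self-signed RSA key pair and certificate and package both into a
# PKCS #12 keystore. -name sets the alias the note mentions; the export password
# becomes the keystore password and is written to the password file.
# Arguments: alias, common name (constructed), keystore name, password file, password.
make_keystore() {
    alias="$1"; cn="$2"; p12="$3"; pwfile="$4"; password="$5"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$cn" \
        -keyout "$SECURE_DIR/$alias.key" -out "$SECURE_DIR/$alias.crt" 2>/dev/null
    openssl pkcs12 -export -name "$alias" \
        -inkey "$SECURE_DIR/$alias.key" -in "$SECURE_DIR/$alias.crt" \
        -out "$SECURE_DIR/$p12" -passout "pass:$password"
    # Plain-text password file: acceptable for testing per the note, not for production.
    printf '%s' "$password" > "$SECURE_DIR/$pwfile"
    chmod 600 "$SECURE_DIR/$pwfile" "$SECURE_DIR/$alias.key"
}

# Bundle the Docbroker's public certificate into a PKCS #7 (.p7b) file, the
# format the Server reads through truststore_file=server-trust.p7b. Using
# crl2pkcs7 for this is an assumption of this example.
make_truststore() {
    openssl crl2pkcs7 -nocrl -certfile "$SECURE_DIR/broker.crt" \
        -out "$SECURE_DIR/server-trust.p7b"
}

# Check that a keystore opens with the password stored in its password file,
# which is the same check the troubleshooting section describes with OpenSSL.
# Arguments: keystore name, password file name. Exit status 0 means it opened.
verify_keystore() {
    openssl pkcs12 -info -nokeys -in "$SECURE_DIR/$1" \
        -passin "file:$SECURE_DIR/$2" >/dev/null 2>&1
}

# Count the certificates inside the Server trust-store (expected: 1, the Docbroker's).
count_truststore_certs() {
    openssl pkcs7 -print_certs -in "$SECURE_DIR/server-trust.p7b" | grep -c 'BEGIN CERTIFICATE'
}

build_all() {
    mkdir -p "$SECURE_DIR"
    make_keystore broker docbroker.example.test broker.p12 broker.pwd brokerpass
    make_keystore server server.example.test server.p12 server.pwd serverpass
    make_truststore
}

build_all
echo "keystores and trust-store written to $SECURE_DIR"
```

OpenSSL 3.x writes PKCS #12 files with AES-256-CBC and PBKDF2 by default; older PKCS #12 consumers may not read that encoding, and the -legacy option of OpenSSL 3.x produces the older RC2/3DES encoding if a keystore built this way is rejected. Re-run verify_keystore after any such change so that the password file and keystore are confirmed to match before Docbroker or the Server is started.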
Start Server
The Server should start successfully, and no errors related to the connection to
Docbroker should be displayed.
DFC
DFC configuration
DFC reads the dfc.properties file to resolve the trust-store location, name and
password.
The property dfc.security.ssl.truststore specifies the trust-store's path
and dfc.security.ssl.truststore_password the trust-store's password. The trust-
store's password can be given in plain text or in encrypted form. In dfc.properties, put
entries for the DFC trust-store and the trust-store's password:
dfc.security.ssl.truststore = c\:/secure/dfc.keystore
dfc.security.ssl.truststore_password = password
The encrypted password generated by this command can be copied and pasted into the
properties file. For this command to execute successfully, dfc.jar must be on the Java
classpath.
There is an additional property, dfc.security.ssl.use_existing_truststore,
that is mutually exclusive with the two properties above. When this property is
specified, the two properties above are not needed. In this case the Java Keystore acts
as the DFC trust-store, or a trust-store can be specified using the JVM parameter
javax.net.ssl.trustStore.
For secure connections to Server and Docbroker, set the property
dfc.session.secure_connect_default to secure. The same property controls the
behavior of connections to both Docbroker and Server.
Put the property below in the dfc.properties file:
dfc.session.secure_connect_default = secure
Troubleshooting
This section describes some of the common issues faced during configuration and the
steps to troubleshoot them.
Using OpenSSL:
Using Keytool:
4. Check that the password in the Keystore password file is correct. For testing, the
password can be put in plain text (without encryption).
Using Keytool:
keytool -list -storetype pkcs12 -keystore <keystore>
1. Check that the proper entries are made in dfc.properties and that the trust-store file exists.
2. Check that the DFC trust-store contains the Server's public certificate or the CA certificate
used to sign the Server's public certificate.
3. To dump the trust-store's contents (there is no need to specify the storetype, as the default
type is JKS):
keytool -list -keystore <keystore> -storepass <storepass>
4. Check that dfc.properties has the right value for the trust-store password. For
verification, the password can be given in plain text.
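Steps 1 and 4 of this checklist, together with the property rules from the DFC configuration section (truststore and truststore_password are required unless use_existing_truststore is set, the two forms are mutually exclusive, and secure_connect_default must be secure), can be checked before a client is started. The following script is an added example, not part of the note or of DFC; the two dfc.properties files it checks are constructed inline, the property names are the ones the note lists, and the un-escaping of the c\:/ path form follows Java properties syntax, which treats \: as an escaped colon.

```shell
#!/bin/sh
# Added example (not from the OpenText application note): a pre-flight check of the
# client-side SSL settings in a dfc.properties file, following the rules the note states.
set -eu

# Read one property value from a Java properties file. Tolerates spaces around '='
# and prints an empty string when the key is absent.
# Arguments: file, key (with the dots escaped for sed, e.g. 'dfc\.session\.x').
prop() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the file is consistent with the note's rules, 1 otherwise,
# printing one line per finding so the operator knows what to fix.
check_dfc_properties() {
    file="$1"; rc=0
    ts=$(prop "$file" 'dfc\.security\.ssl\.truststore')
    pw=$(prop "$file" 'dfc\.security\.ssl\.truststore_password')
    existing=$(prop "$file" 'dfc\.security\.ssl\.use_existing_truststore')
    mode=$(prop "$file" 'dfc\.session\.secure_connect_default')

    # use_existing_truststore is mutually exclusive with the explicit trust-store settings.
    if [ -n "$existing" ] && { [ -n "$ts" ] || [ -n "$pw" ]; }; then
        echo "use_existing_truststore is set together with truststore/truststore_password"
        rc=1
    fi
    if [ -z "$existing" ]; then
        [ -n "$ts" ] || { echo "dfc.security.ssl.truststore is not set"; rc=1; }
        [ -n "$pw" ] || { echo "dfc.security.ssl.truststore_password is not set"; rc=1; }
        # Undo the Java properties escape of ':' (the note writes c\:/secure/...)
        # before testing whether the trust-store file exists (checklist step 1).
        path=$(printf '%s' "$ts" | sed 's/\\:/:/g')
        if [ -n "$ts" ] && [ ! -f "$path" ]; then
            echo "trust-store file not found: $path"
            rc=1
        fi
    fi
    # Both Docbroker and Server connections follow this one property.
    [ "$mode" = "secure" ] || {
        echo "dfc.session.secure_connect_default is '$mode', expected secure"; rc=1; }
    return $rc
}

# Constructed sample input: one consistent file and one with three mistakes.
WORK=$(mktemp -d)
: > "$WORK/dfc.keystore"
cat > "$WORK/dfc-good.properties" <<EOF
dfc.security.ssl.truststore = $WORK/dfc.keystore
dfc.security.ssl.truststore_password = password
dfc.session.secure_connect_default = secure
EOF
cat > "$WORK/dfc-bad.properties" <<EOF
dfc.security.ssl.truststore = $WORK/missing.keystore
dfc.security.ssl.use_existing_truststore = true
dfc.session.secure_connect_default = native
EOF

check_dfc_properties "$WORK/dfc-good.properties" && echo "dfc-good.properties: ok"
check_dfc_properties "$WORK/dfc-bad.properties" || echo "dfc-bad.properties: findings above"
```

The check only confirms that the file is self-consistent and that the trust-store file is present; whether the trust-store actually holds the Server's or CA certificate (step 2) still has to be confirmed with the keytool -list command above.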
Multiple Docbase
If the Server and Docbroker are configured in secure mode with Certificate based SSL
and a second Docbase is created, the installer hangs for some time in the middle, during
the step where the new docbase tries to connect to the existing Docbroker. This happens
because the Docbase tries to connect using Anonymous SSL by default and, since mixed
mode is not supported, it is not able to connect. Follow the steps below to resolve this issue:
1. While the installer is hanging, open the server.ini of the new Server
2. Add the proper options for Certificate based SSL
3. Start/restart the new Server
Miscellaneous
1. To verify that the connection is secure and to check the encryption algorithm used, start
the client with the JVM parameter -Djavax.net.debug=all.
Conclusion
Documentum support for Certificate based SSL communication to the Connection Broker
and Documentum Server improves security in Documentum products. This paper
describes how to configure a deployment to use this feature. For further information on
installation, the Documentum Server Enterprise Edition Installation Guide can be
referenced.
References
1. Documentum Server Enterprise Edition Installation Guide
Appendix
Documentum Server Error Messages Quick Reference
Cause: Server Keystore empty
Messages:
[ERROR] [AGENTEXEC 3088] Detected during program initialization: Command Failed: connect,<server_name.docbase_name>,<user>,'',,,try_native_first, status: 0, with error message [DM_SESSION_E_RPC_ERROR]error: "Server communication failure"
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Cause: DFC trust-store missing
Messages:
[ERROR] [AGENTEXEC 2692] Detected during program initialization: Command Failed: connect,<server_name.docbase_name>,<user>,'',,,try_native_first, status: 0, with error message [DFC_DOCBROKER_REQUEST_FAILED] Request to Docbroker "<docbroker_name>:<port>" failed
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause: DFC trust-store missing Server's Certificate
Messages:
[ERROR] [AGENTEXEC 2436] Detected during program initialization: Command Failed: connect,<server_name.docbase_name>,<user>,'',,,try_native_first, status: 0, with error message [DM_SESSION_E_RPC_ERROR]error: "Server communication failure"
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)

Cause: DFC trust-store corrupt
Messages:
[ERROR] [AGENTEXEC 2608] Detected during program initialization: Command Failed: connect,<server_name.docbase_name>,<user>,'',,,try_native_first, status: 0, with error message [DFC_DOCBROKER_REQUEST_FAILED] Request to Docbroker "<docbroker_name>:<port>" failed
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
Copyright © 2020 Open Text SA or Open Text ULC (in Canada).
All rights reserved. Trademarks owned by Open Text SA or Open Text ULC (in Canada).