IBM Support

Cloud Pak for Security: Unable to create an App Host pairing because unreachable

Troubleshooting


Problem

In CP4S cases application, an error occurs where it displays "Unable to create an App Host pairing. The App Host is unreachable." and no further information on why or how to resolve the error.

Symptom

Navigate to Application Settings > Case Management > Permissions and access then click Apps. Click Add+ under App Hosts then enter the name and description of the App Host to generate the pairing information. The error shows after the Create button is clicked as shown in the image:
screenshot of "Unable to create an App Host pairing. The App Host is unreachable."

Cause

 This issue is a result of cert-manager no longer adding the commonName to the Subject Alternate Name, which is a known issue in CP4S 1.7.2 and 1.8.0.
 

Diagnosing The Problem

Logs for this issue can be viewed with the following command:
oc logs isc-cases-application-<pod id> -c cases-application-client-log-tailer | grep Certificate
The example log shows the error that is generated from this pod:
{"level":"error","thread":"http-nio-9443-exec-7",
"logger":"com.co3.web.servlet.ProxiedServiceServlet",
"message":"Error while proxying request GET:/services_proxy/manager/tenants/441bf930-f76c-4f4a-96a0-9e5f9c0e6a55/apps",
"context":"default",
"exception":"javax.net.ssl.SSLPeerUnverifiedException: 
Certificate for <isc-app-manager> doesn't match any of the subject alternative names: [isc-app-manager.cp4s.svc.cluster.local]\n\t
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)\n\t
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)\n\t
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)\n\t
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)\n\t
at ......etc.

Resolving The Problem

SOLUTION 1:

The app manager entry in the soar-postgres-svc database has to be updated to resolve this issue. The issue is resolved by connecting to the database and updating the database with a new entry to resolve the error.

The steps provided are performed with a terminal that has the oc client and the psql command.

  1. Get the soar-postgres-svc database password: 
    oc get secret isc-cases-db-passwords --template={{.data.mondbo_password}} | base64 -D
  2. Open a port forward connection to the database service: 
    oc port-forward svc/soar-postgres-svc 65432:5432 -n <cp4s namespace>
    NOTE: Replace <cp4s namespace> with the namespace name for your CP4S project.
  3. On a new terminal, connect with psql with the password from step 1 when prompted: 
    psql -h localhost -p 65432 -U mondbo -d co3
    Password for user mondbo:<soar-postgres-svc password> Replace <soar-postgres-svc password> with the password displayed from step 1
  4. Update the app manager entry in the database: 
    UPDATE monapp.proxied_services SET ps_url = 'https://isc-app-manager.cp4s.svc.cluster.local:8082';; WHERE ps_name = 'manager';
    NOTE: Copying and pasting the command might result in it not working due to issues with the single quotation marks. Typing the single quotation marks manually resolves the issue.
  5. Refresh the UI and the error no longer appears

SOLUTION 2:

Basic knowledge of using the vi editor tool is required for the following steps.

  1. Log in to the cluster command-line interface as an admin.
  2. To place you in the required namespace, run command: 
    oc project <--CP4S-NAMESPACE-->
    NOTE: Replace <--CP4S-NAMESPACE--> with namespace Cloud Pak for Security is located under.
  3. Open the yaml for the cert/app-manager-cert resource for editing: 
    oc edit cert/app-manager-cert
  4. In the editor, navigate to the following section of the text. 
                        spec:
                      commonName: isc-app-manager
                      dnsNames:
                      - isc-app-manager.cp4s.svc.cluster.local
  5.  Add the extra text to this section so that it appears exactly as the text shown as follows. 
                        spec:
                      commonName: isc-app-manager
                      dnsNames:
                      - isc-app-manager
                      - isc-app-manager.cp4s
                      - isc-app-manager.cp4s.svc
                      - isc-app-manager.cp4s.svc.cluster.local
  6. Save and exit the text editor. If the changes are correct, then the edited message is presented: 
    certificate.cert-manager.io/app-manager-cert edited
  7. Allow a minute or two for the isc-app-manager pod to restart.
  8. Check the pod until it has the status 1/1  Running 
    oc get pods | grep isc-app
  9. Once the pod is running, log in to the Cloud Pak for Security web console and check your App Hosts.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTDPP","label":"IBM Cloud Pak for Security"},"ARM Category":[{"code":"a8m0z0000001h8pAAA","label":"Cases"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1.7.2;1.8.0"}]

Document Information

Modified date:
01 February 2023

UID

ibm16561655

Page Feedback