IBM Support

"OpenID Connect client returned with status: SEND_401" when logging in to Manage after installation

Troubleshooting


Problem

A user receives the error "OpenID Connect client returned with status: SEND_401" when attempting to log in to the Manage application after Manage is deployed and activated and the user has been created and authorized to access Manage.

 

Symptom

A user receives the error "OpenID Connect client returned with status: SEND_401" in the web browser when attempting to log in to the Manage application or the Health application after it is deployed and activated and the user has been created and authorized to access Manage. The user is able to log in to the dashboard of the Maximo Application Suite with the same credential.
If you examine the log of the Manage application server, the following error message can be found:
[ERROR   ] CWPKI0828E: The trustDefaultCerts attribute is enabled but trust was not established by using the default truststore. The extended error message from the SSL handshake exception is: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target.

Cause

The Liberty application server of Manage or Health cannot validate the server certificate presented by the Maximo Application Suite's authentication server when it requests authentication. This may happen when the certificate's intermediate certificate or root certificate does not match what is installed in the application server's Liberty trust store and the Java default trust store.

Environment

Maximo Application Suite 8.4.0 with Manage 8.0.0 or Health 8.2.0.

Diagnosing The Problem

First, make sure the certificate was obtained correctly when MAS was installed and that you can log in to Maximo Application Suite. The problem addressed here is only that you cannot log in to Manage.
In the log of the Manage application server, the following error message can be found:
[ERROR   ] CWPKI0828E: The trustDefaultCerts attribute is enabled but trust was not established by using the default truststore. The extended error message from the SSL handshake exception is: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target.

Resolving The Problem

Obtain the actual certificate used by the Maximo Application Suite's authentication server and import the certificate(s) into Manage explicitly.
  1. Access the OpenShift console and locate the Secret object named <Maximo Application Suite Instance ID>-cert-public in the OpenShift project mas-<Maximo Application Suite Instance ID>-core.
  2. Click the copy to clipboard button to copy the value of ca.crt. The content is one or more certificates in the following format:
    -----BEGIN CERTIFICATE-----
    MIID5DCCAsygAwIBAgIRAKgEvEIf9GFPrAxCZ2eqQLQwDQYJKoZIhvcNAQELBQAw
    ...
    +Gde4dzALSGG7xF6K4ZrFXjG5+H0/zFdq7N/Wrz5FL7GiE5ZA/cs8g==
    -----END CERTIFICATE-----
  3. Log in to the Maximo Application Suite's administration dashboard. Go to Catalog and select the application Manage or Health. Select Actions -> Configure workspace -> Show advanced settings.
  4. Locate the Imported certificates section. Click Add, and paste the certificate text you copied into Certificate content. Provide an alias name and confirm.
  5. Click the Activate button.
The change will be detected by the Manage operator and applied through the reconcile process. The trust store of the Manage or Health application will be updated to trust the specified certificate. The application servers will not be restarted if the only change is the imported certificate. The user will be able to log in after a few minutes.
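
A pre-import check for the ca.crt value copied in step 2, added here as an example (it is not IBM's code): it splits the bundle into individual certificates, rejects a truncated or malformed paste, and reports a SHA-256 fingerprint per certificate in the same colon-separated form that `openssl x509 -noout -fingerprint -sha256` prints. The function names and the sample bundle are constructed for illustration; the sample bytes are not real certificates.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def der_total_length(der):
    """Full encoded length declared by the outer DER SEQUENCE header."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with 0x30)")
    if der[1] < 0x80:                 # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                 # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_bundle(pem_text):
    """Split a ca.crt bundle; return size and SHA-256 fingerprint per certificate."""
    blocks = PEM_RE.findall(pem_text)
    if not blocks or not (len(blocks) == pem_text.count(BEGIN) == pem_text.count(END)):
        raise ValueError("missing or unbalanced BEGIN/END CERTIFICATE markers")
    report = []
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:     # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate {i}: invalid base64: {exc}") from exc
        if der_total_length(der) != len(der):
            raise ValueError(f"certificate {i}: truncated or has trailing bytes")
        hexd = hashlib.sha256(der).hexdigest().upper()
        fp = ":".join(hexd[j:j + 2] for j in range(0, 64, 2))
        report.append({"index": i, "der_bytes": len(der), "sha256": fp})
    return report


def constructed_pem(payload):
    """Constructed sample: wraps arbitrary bytes in a DER SEQUENCE, not a real certificate."""
    der = b"\x30\x82" + len(payload).to_bytes(2, "big") + payload
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}\n"


if __name__ == "__main__":
    bundle = constructed_pem(b"A" * 300) + constructed_pem(b"B" * 500)
    for entry in inspect_bundle(bundle):
        print(entry)
```

Run it against the text you are about to paste into Certificate content; an error here means the clipboard copy was incomplete rather than that the certificate chain is wrong.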

Document Location

Worldwide


Document Information

Modified date:
27 July 2023

UID

ibm16453381