trust store property not set error in yellowfin.log

Greg Michael shared this question 4 months ago
Answered

I am new to the communities here and looking for some troubleshooting assistance. We recently installed the Yellowfin Live Reporting Agent v7.4.8 for BMC TrueSight Server Automation. I have been having nothing but difficulty trying to get the YF server to communicate with TSSA and LDAP.


In the yellowfin-stderr.log file I see numerous occurrences of this error:

LDAPException: SSL Configuration Issue, javax.net.ssl.trustStore property not set (80) Other


The server.xml file looks like this:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" maxHttpHeaderSize="98304" maxThreads="150" sslEnabledProtocols="TLSv1.2"
               minSpareThreads="25" enableLookups="false"
               disableUploadTimeout="true" acceptCount="100" URIEncoding="UTF-8"
               keystoreFile="${catalina.home}/conf/.keystore"
               ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
               keystorePass="********"
               truststoreFile="E:\Apps\BMC_Software\Live_Reporting\jre\lib\security\cacerts"
               truststorePass="*********"
               />


I also tried using this method:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" URIEncoding="UTF-8" maxSwallowSize="-1"
               scheme="https" secure="true" honorCipherOrder="true" maxHttpHeaderSize="98304"
               minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100">
               <SSLHostConfig certificateVerification="none" protocols="TLSv1.2"
                    truststoreFile="E:\Apps\BMC_Software\Live_Reporting\jre\lib\security\cacerts" sslProtocol="TLS"
                    ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_anon_WITH_AES_128_CBC_SHA,TLS_ECDH_anon_WITH_AES_256_CBC_SHA">
                    <Certificate certificateKeystoreFile="E:\Apps\BMC_Software\Live_Reporting\Yellowfin\appserver\conf\.keystore" />
               </SSLHostConfig>
    </Connector>


From all I have learned about configuring Tomcat, I cannot understand why Yellowfin thinks that the Trust Store property is not set. It's entirely possible that there's another file with settings that needs to be modified, but I'm not aware of it.


I could really use some guidance.


Thanks!

Greg

Best Answer

Hi Greg,

Welcome to the Yellowfin Community! Thanks for reaching out with your question.

I would recommend setting your trust store using JVM arguments as opposed to directly in the Connector. The method in which to add these will depend on whether Yellowfin is installed as a Windows service, or hosted without a service file (Linux or Windows). The lines that will need to be added to the JVM arguments are as follows:

    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/opt/Yellowfin8/appserver/conf/truststore"
    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"

Replace the values of the path and password with those relevant to your environment. Following are instructions on how to add these, dependent on your setup.

Windows Service

For a Windows Service, we will need to adjust the service properties. This can be done by opening a command prompt within the <YellowfinInstall>/appserver/bin/ folder and issuing the following command:

    tomcat8w.exe //ES//$ServiceName

where our default service name is typically Yellowfin. As you're using this as a component of TrueSight Server Automation, you'll want to verify what your service name is. This should pop up the service properties. Here you'll find the "Java Options" box on the "Java" tab.

The required arguments can be added here to enable the trust store. Keep in mind these won't be recognized until the next startup.


No Windows Service

For deployments that are not using a Windows Service to control the application server, the above can be added to a file within the <YellowfinInstall>/appserver/bin folder.

It's recommended to create a "setenv.bat" file (or setenv.sh for Linux) to add any custom arguments. These can be pasted as they are above into a file here and Tomcat will pick up the new arguments on next boot.

Give this a try and let me know how it goes.

Thanks,

Ryan

Comments (7)


That certainly did the trick. Now for a follow up: why must I add these settings to the Windows Service definition? They are supposed to be added and managed via the server.xml file. If this is normal, then this should be added to the documentation for installation and configuration of Yellowfin Live Reporting.


Hi Greg,

I'm glad this worked for you. It's my understanding that Connector settings within the server.xml are specific to the connector port which you are configuring. Since Yellowfin is making a separate connection to LDAP and is not utilizing the actual Connector, this requires the configuration to be made at a Java level.

Happy to forward your request to our technical writer if you would point me in the direction of the documentation you are using to install and configure Yellowfin.

Thanks,

Ryan
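
The distinction Ryan describes can be checked from inside the JVM. The following is an added diagnostic, not Yellowfin or BMC code: it reads the JVM-wide `javax.net.ssl.trustStore` and `javax.net.ssl.trustStorePassword` system properties named in the error and the answer, which the Connector's `truststoreFile` attribute in server.xml does not set. The class name `TrustStoreCheck` and the `describe` helper are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;

// Added diagnostic (hypothetical names): reports the JVM-wide trust store
// settings, which are separate from any truststoreFile on a Tomcat Connector.
public class TrustStoreCheck {

    /** Describes the trust store identified by the given path and password. */
    static String describe(String path, String password) throws Exception {
        if (path == null || path.isEmpty()) {
            // This is the state the LDAPException in the question complains about.
            return "javax.net.ssl.trustStore is NOT set; add it to the JVM options";
        }
        Path file = Paths.get(path);
        if (!Files.isReadable(file)) {
            return "trust store not readable by this account: " + file;
        }
        char[] pw = (password == null) ? null : password.toCharArray();
        String type = System.getProperty("javax.net.ssl.trustStoreType",
                                         KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, pw); // a wrong password or a corrupt file throws IOException
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                trusted++; // count CA/trusted entries, not private-key entries
            }
        }
        return file + ": " + trusted + " trusted certificate entries";
    }

    public static void main(String[] args) throws Exception {
        System.out.println(describe(
                System.getProperty("javax.net.ssl.trustStore"),
                System.getProperty("javax.net.ssl.trustStorePassword")));
    }
}
```

Run it with the same `-D` arguments the service is given; started without them, it reports the property as not set regardless of what server.xml contains.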


Thanks Greg,

I'll send this over for review by our technical writer. Did you have any further follow up questions, or should I go ahead and mark this as Answered?

Regards,

Ryan


You can mark it answered. Thanks!


Thanks Greg,

Happy to help! Don't hesitate to reach out with further questions or issues.

Thank you,

Ryan