Problem

Unable to log into any CFT's after applying CG 1.1.2 sp2

Default Central Governance CA certificate is used.

If Central Governance CA was customized prior to installing SP2, there is no impact.

Error in CFT Logs:

ERR SYS 4760 tmattu: user 'my_userID' login failed: Passport AM authentication failed: XPAM error: an error occur when creating ssl connection
ERR SYS 4760 iStartUserProcess: tmattu err 101
ERR XTS 4760 bXtsLogonProcessing: creation of user process failed :(101)

A CFT registered after the SP2 is working without an issue?

Why did a patch for Central Governance impact CFT?

Resolution

Central Governance CA certificate was updated in the SP2 delivery.

The certificate is used for the communication between CG and CFT and only affects the Access Management of CFT with CG users.

CG deployment/operations on CFT are not affected.

The change of the Central Governance CA certificate (PassPort Product CA) results in an incompatibility with existing certificates for already registered CFTs.

When Central Governance CA was customized prior to installing SP2, there is no impact.

How to fix the issue:

force the certificate renewal process on impacted CFTs with the steps below:

-stop copilot

-cftutil uconfset id=cg.certificate.governance.renewal_datetime,value=20110101000000

-start copilot

-cftutil listuconf id=cg.certificate.governance.renewal_datetime => the field is back to default (empty)

The certificate will be renewed at the next Copilot logon attempt.

Note1: On Windows, ensure the CFTUTIL commands are issued from a Command Prompt started as an Administrator

Note2: In case of a large number of CFTs impacted, a more efficient workaround than forcing the renewal can be provided (hot-fix) - Please, contact the support

Note3: Next SP will include a fix to avoid failing into that situation for already registered CFTs

Note4: It is highly recommended to customize the default CAs (Governance and Business), please consult the Central Governance Security Guide for more details.