Symptom
Error while trying to check the basic LS Reporting and Dashboards license.
When clicking on the Reports tile in the OnGuard console the following error is shown in the LenelReports.log.
JReport exception when checking license feature - lenel.licensing.LicenseChecker.lambda$isBasicLicenseAvailable$0 - Error while trying to check the basic LS Reporting and Dashboards license. javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Typically, this could happen if the issuer of the certificate provided by the LS Web Service is not trusted by the machine running the LS Reporting service
Another thing to check is whether the LS OpenAccess hostname in System Administration is set to the Fully Qualified Domain Name of the certificate issued for the LS Web Service (NGINX).
Resolution
1. Ensure the certificate the web server is using is trusted by Windows. The call to check the license will need to trust the certificate issued by the web server.
- To find the web certificate open a web browser and navigate to the OnGuard console web address https://localhost:8080 on the OnGuard server. In IE, for example, a browser warning message will be displayed - click on proceed to the website. At the top of the address bar there will be a certificate error. Click on this warning then view certificates. Click the certification path tab on the window and ensure that the certificate shows valid and that it is trusted by Windows.
- If the certificate is not trusted, click the general tab of the certificate, and ensure the Issued by entity has been added to the Windows Trusted Root Certification Authorities store. Typically, during a normal installation this would be the OnGuard root certificate that is installed with OnGuard.
Workaround:
Use the default Java trust store in place of the Windows Trust Store.
- Import the Certificate Authority (CA) that issued the certificate of the LS Web Service into "%JAVA_HOME%\lib\security\cacerts”.
- Login to mmc.exe add the local machine certificate snap in and export the CA Root Certificate from the Windows certificate store in Base 64 format onto the desktop as, for example, cert.cer.
- Import the cert.cer into the default trust store by opening an elevated command prompt, and executing the following command:
- "%JAVA_HOME%\bin\keytool.exe" -importcert -alias OnGuardRoot -file "%userprofile%\desktop\cert.cer" -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit
- User is prompted to trust the certificate, type 'y' and enter. Certificate was added to the keystore.
- Stop the LS Reporting Service and change the service configuration in the NTservice.ini.
- Open a text editor as administrator and open file “C:\Program Files\JReport\Server\bin\NTService.ini”
- Update the following argument from the file“-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT" to “-Djavax.net.ssl.trustStoreType=JKS”
- Start the LS Reporting Service.
Applies To
OnGuard 8.0 and later
Additional Information
© 2024 Honeywell International Inc. All Rights Reserved.