Having a bad, corrupt, missing or expired (about to expire) bladelogic.keystore or one that is not synced with all the other Application Server deployments an environment can result in any of the errors listed below.  These can happen during login to the BSA RCP Console or while using Infrastructure Management.

This Knowledge Article will show how to create/generate a new certificate and bladelogic.keystore and how to sync it with all other Application Server deployments.
NOTE:  USE keysize 2048 for BSA 8.7 and above.

ERRORS:

• Unable to get application server launcher status. reason: java.lang.securityexception: failed to establish session
• Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
• Unable to login to the BSA Application Server - Error: "Certificate not received Fatal error"
• Your session credential does not contain a usable Application Server URL. Cannot connect to "service:appsvc.bladelogic:blsess://<your appserver hostname or IP>:9841" - java.io.EOFException
• Problems reading or parsing keystore file: <path to keystore>/bladelogic.keystore
• Service rejected session request, please login again
• Unable to read Appserver information from launcher: <hostname>. Check to make sure this role is authorized to access this launcher.
• Please make sure the bladelogic.keystore file is consistent across all servers
• Unable to read information from launcher: <hostname>. Check to make sure that the bladelogic.keystore file is consistent across all application servers and launchers.
• Caused by: java.security.cert.CertPathValidatorException: Could not validate certificate: certificate expired on <timestamp>

Legacy ID:KA312143

To resolve any of the above issues or generate a new self-signed certificate should it be expiring soon, follow the steps below.

1. Stop all Application Server(s), Process Spawner (if used) and PXE (if used) services
2. Generate a new certificate and bladelogic.keystore (make sure the <install_dir>\br\bladelogic.keystore does not already exist.)
   Skip this step if you only need to syncronize the keystores between servers
   • For 7.x:
     1. In an NSH shell navigate to the 'java' directory in the  Application Server Installation
        • UNIX: <install_dir>\br\java\bin
        • Windows: <install_dir>\jre\bin
     2. Run: keytool -genkey -alias blade -keyalg RSA -keysize 1024 -dname "CN=hostname" -keypass <keystore_password> -storepass <keystore_password> -keystore "<install_dir>\br\bladelogic.keystore" -validity 1000
   • For 8.x run this command in an NSH Shell:
     • blmkcert CN=hostname “C:\Temp\bladelogic.keystore” <keystore_password> (Windows)
     • blmkcert CN=hostname /tmp/bladelogic.keystore <keystore_password> (Unix)
       • Using this command generates a 2048-bit RSA key and a self-signed certificate for an Application Server.  The certificate will be valid for three years, and it will be stored under the "blade" alias.
3. Copy the keystore to the correct location on the appserver
   • For 7.6 through 8.3.x
     • Copy the bladelogic.keystore generated in step 2 to each deployment directory in <install_dir>/br/deployments/ such as the following:
       • <install_dir>/br/deployments/_launcher/
       • <install_dir>/br/deployments/_spawner/
       • <install_dir>/br/deployments/_template/
       • <install_dir>/br/deployments/_pxe/  (if pxe is installed)
       • <install_dir>/br/deployments/default/ (if it still exists)
       • <install_dir>/br/deployments/<custom_instances>/ (if any additional instances were created by the user)
     • Run the following blasadmin commands in an NSH Shell to update the Application Server, Process Spawner, PXE (if used) and Launcher deployments with the new keystore password
       • blasadmin –a set appserver certpasswd <keystore_password>
       • blasadmin –s _launcher set appserverlauncher keystorepassword <keystore_password>
       • blasadmin –s _spawner set appserver certpasswd <keystore_password>
       • (if pxe is installed) blasadmin –s _pxe set appserver certpasswd <keystore_password>
       • In 7.x also run these:
         • blasadmin -a set proc KeyStorePassword <keystore_password>
         • blasadmin -s _spawner set proc KeyStorePas  sword <keystore_password>
   • For 8.5 and higher
     • Copy the bladelogic.keystore generated in step 2 to the <install_dir>/br/deployments directory on each application server.
     • blasadmin –a set appserver certpasswd <keystore_password>
       In 8.5 and higher there is a common bladelogic.keystore and CertPassword setting used across all instances of the appserver on the single system.
4. Start the Application Server, Process Spawner (if used) and PXE Server(if used) services.
5. Repeat steps 1,3,4 (skip step 2) for all other physical (VM) servers that have Application Server(s) or PXE services for this environment using the same bladelogic.keystore generated in step 2 (no need to create a new keystore on each physical server)
6. Remove the temporary copy of the bladelogic.keystore in C:\Temp or /tmp.

The attached script attempts to automate steps 2-4 for 8.3 and below.  It is not guaranteed to work.  Use the -h option to display usage.  It must be run via an NSH shell and in <install_dir> of the Application Server.

To verify everything went correctly:

1. Open the BSA RCP Console and in the ‘options’ menu select the certificates tab.  Delete any certificates for your Application Server(s).
2. Attempt to login to the Application Server(s) the new bladelogic.keystore was used
3. The console should prompt to accept a new certificate.  Accept it.
4. After connecting, goto ‘File | Reconnect’ in the console and look at the 'options' > Certificates tab again.  Inspect the certificate from this appserver and confirm the new expiration date.

1. BMC BladeLogic Server Automation Suite