I've migrated a new cluster over to using the BrokerGateway and have been getting notice alarms from all the DMAs of 'Could not connect to the local NATS endpoint on '<IP>'. Please make sure that the nats service is running without issues.' Doing some digging, I found we were getting 'TLS handshake error: remote error: tls: bad certificate' errors in the nats-server log file, so I threw together the following PowerShell script to install the root ca.pem cert generated in 'C:\ProgramData\Skyline Communications\DataMiner Security' into all the DMAs' machine Trusted Root Certification Authorities store, which has resolved the issue and stopped the alarms.
Can the root cert get added to the trusted root certificate authorities as part of the package installation?
# One server name per line; lines starting with '#' are treated as comments.
$Servers = Get-Content "C:\scripts\servers.txt" | Where-Object { $_ -notmatch '^#' }
foreach ($server in $Servers) {
    Write-Host ("Processing " + $server + "...")
    try {
        Invoke-Command -ComputerName $server -ScriptBlock {
            $pemPath = "C:\ProgramData\Skyline Communications\DataMiner Security\ca.pem"
            if (-not (Test-Path $pemPath)) {
                Write-Warning ("[" + $env:COMPUTERNAME + "] PEM file not found at " + $pemPath)
                return
            }
            # Read the PEM file and extract the Base64 body between the BEGIN/END markers
            $certPem = Get-Content -Raw -Path $pemPath
            $base64Lines = $certPem -split "`r?`n" | Where-Object {
                ($_ -notmatch "-----BEGIN CERTIFICATE-----") -and ($_ -notmatch "-----END CERTIFICATE-----")
            }
            $base64 = ($base64Lines -join "")
            $certBytes = [Convert]::FromBase64String($base64)
            # Create the certificate object from the DER bytes
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$certBytes)
            # "Root" in LocalMachine is the Trusted Root Certification Authorities store
            $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
            $store.Open("ReadWrite")
            # Check if already installed (compare by thumbprint, not subject)
            if ($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
                Write-Host ("[" + $env:COMPUTERNAME + "] Certificate already installed: " + $cert.Subject)
            }
            else {
                $store.Add($cert)
                Write-Host ("[" + $env:COMPUTERNAME + "] Installed certificate: " + $cert.Subject)
            }
            $store.Close()
        }
    }
    catch {
        Write-Warning ("Failed to install certificate on " + $server + " - " + $_.Exception.Message)
    }
}
Hi,
This step is not necessary as NATS reads the certificate file directly instead of going through the Certificate Store.
This should be configured here:
C:\Program Files\Skyline Communications\DataMiner BrokerGateway\nats-server\nats-server.config
Check if the following is present.
"tls": {
    "key_file": "C:\\ProgramData\\Skyline Communications\\DataMiner Security\\cert_key.pem",
    "cert_file": "C:\\ProgramData\\Skyline Communications\\DataMiner Security\\cert.pem",
    "ca_file": "C:\\ProgramData\\Skyline Communications\\DataMiner Security\\ca.pem"
}
If this is present, it could be that you accidentally activated the old service(s) NAS and NATS instead of nats-server. Make sure this is the case.
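As an added diagnostic that is not part of this thread or of Skyline's own tooling, assuming the config path and file names quoted in the answer above, the following script checks that the tls block references the three files, that they exist, that cert.pem chains to ca.pem without relying on the machine Root store (the relevant check when nats-server reads ca_file directly), and prints the server certificate's subject alternative names for comparison with the address named in the alarm:

```powershell
# Added example: diagnostic for the NATS TLS setup discussed in the thread.
# Paths are the ones quoted in the answer; nothing else is assumed.
$secDir   = 'C:\ProgramData\Skyline Communications\DataMiner Security'
$confPath = 'C:\Program Files\Skyline Communications\DataMiner BrokerGateway\nats-server\nats-server.config'
$caPath   = Join-Path $secDir 'ca.pem'
$certPath = Join-Path $secDir 'cert.pem'
$keyPath  = Join-Path $secDir 'cert_key.pem'

# 1. The config must reference the three files, and the files must exist.
$missing = @()
foreach ($key in 'ca_file', 'cert_file', 'key_file') {
    if (-not (Select-String -Path $confPath -Pattern $key -Quiet)) { $missing += "config key $key" }
}
foreach ($p in $caPath, $certPath, $keyPath) {
    if (-not (Test-Path $p)) { $missing += "file $p" }
}
if ($missing) { Write-Warning ("Missing: " + ($missing -join ', ')); return }

# 2. Load the PEM certificates (X509Certificate2 accepts PEM files on Windows).
$ca   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caPath)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)
"CA     : $($ca.Subject) (valid until $($ca.NotAfter))"
"Server : $($cert.Subject) (valid until $($cert.NotAfter))"
"Issuer : $($cert.Issuer)"

# 3. Does cert.pem chain to ca.pem? Offer ca.pem as an extra trust anchor and
#    tolerate an untrusted root, then require that root to be ca.pem itself,
#    so the verdict does not depend on what is in the machine Root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -eq $ca.Thumbprint) {
    "Chain  : cert.pem chains to ca.pem (OK)"
} else {
    Write-Warning "cert.pem does NOT chain to ca.pem; chain ends at '$($root.Subject)'"
}
$chain.ChainStatus | ForEach-Object { "Status : $($_.Status) - $($_.StatusInformation)" }

# 4. Print the SANs so they can be compared with the address named in the alarm.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SAN    : " + $san.Format($false) } else { Write-Warning "cert.pem has no Subject Alternative Name" }
```

Run it locally on a DMA that raises the alarm; a chain that ends somewhere other than ca.pem, or a SAN list that does not contain the IP from the alarm, both produce the 'bad certificate' handshake error even when the tls block is present.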

NAS and NATS are both stopped and set to manual, <BrokerGateway>true</BrokerGateway> is set in MaintenanceSettings.xml.
Those tls tags are all set in the nats-server.config file in the root and the cluster sections, but I'm still getting the errors in the log file and warning alarms without the root certificate being trusted.
It's odd that nats-server doesn't load in the certificate via file.
We'd like to investigate why this isn't the case. Can you create a ticket and include a logpackage so we can check what happened?
The old services are still present to make migrating back and forth between the versions faster.
These services will be removed completely in a later version of DataMiner.