FME Flow Troubleshooting: Configuring for HTTPS/SSL

Liz Sanderson
Full Guide: FME Flow Troubleshooting Guide

HTTPS configuration is performed on FME Flow's (formerly FME Server) underlying web server which by default is Apache Tomcat. The configuration steps we provide are based on Tomcat’s documentation. If you have provided your own web server the configuration requirements may vary.

Are you encountering issues configuring FME Flow for HTTPS? Please read below for some common troubleshooting tips and issues.



Initial Troubleshooting 

  • Confirm that you have followed all the steps to completion for your specific certificate type, that is, .cer/.crt, .pfx/.p12 or self-signed.
  • Review the Third Party Component Versions for FME Flow article to determine what version of Tomcat is installed with your FME Flow and review the Tomcat documentation for that version. (Note: Alternatively you can find this information by checking the RELEASE-NOTES file in <FMEFlowInstallDir>\Utilities\tomcat\)
  • Check you have not made any typos in the server.xml keystoreFile and keystorePass values.
  • Check the port specified in server.xml (443/8443) is open in your firewall.
  • If you are using a CA-issued .cer or .crt certificate, was the keystore in FME Flow’s Tomcat used to generate the certificate signing request? Confirm the distinguished name in the certificate holds the correct details for your FME Flow host.
  • Make sure the account running the FME Flow Application and Core services has access to the keystore file location.
  • If you are using anti-virus software, try disabling SSL scanning and then see if you can connect to FME Flow.
  • Are you able to access FME Flow through an Incognito window (Google Chrome) or InPrivate browsing (IE)? If this succeeds, the browser may be showing a cached certificate.
  • Review the log files located in <FMEFlowFileShare>/Resources/Logs/tomcat. In particular, look in catalina.log for SEVERE messages, and within each such message look for the line that starts with 'Caused by'. These errors are reported directly by the third-party Tomcat web application. Some common errors and solutions are recorded below; if you cannot find a reference to your error anywhere in our Community, do a broader Google search.

Helpful Tomcat Commands 

Tomcat is the default Web Application Server shipped with FME Flow. The following commands should be run from <FMEFlowInstallDir>\Utilities\jre\bin and can help you troubleshoot whether your certificates were successfully imported.
  • To confirm your certificate(s) have been correctly imported into FME Flow's Tomcat keystore use:
    keytool -list -v -keystore tomcat.keystore
    Make sure there is an alias entry for each of your certificates.
  • To remove a certificate from FME Flow's keystore:
    keytool -delete -alias <certaliasname> -keystore tomcat.keystore
  • To check that your certificate was successfully imported into FME Flow's trusted cacerts use:
    keytool -list -v -keystore <FMEFlowInstallDir>/Utilities/jre/lib/security/cacerts -alias <certaliasname>
    You’ll be prompted for the password; the default is changeit.

Common Issues

“After configuring HTTPS I can access FME Flow but I cannot run any jobs from the Run Workspace page”
On the Run Workspace page, when you try to run a job you see the response:
There was an error submitting the job
Start by confirming that you have updated the Service URLs to use HTTPS:
  1. In the FME Flow Web User Interface open the Services page under Admin > System Configuration > Network & Email
  2. Click "Change All Hosts" and in the URL Pattern field change HTTP to HTTPS. FME Flow may already have picked up this change, in which case simply select OK. If you are using a port other than the default 80/443 you’ll also need to update the port number.
If your Service URLs correctly reference HTTPS and you still cannot run a job, there are two other known causes. To narrow down the issue, start by viewing the response in Developer Tools:
  1. Navigate to the Run Workspace page and configure a job
  2. Open Developer Tools (If you are using Chrome right-click anywhere on the page and select ‘inspect’, instructions for other browsers may vary)
  3. This will open up a side panel, click on the Network tab
  4. Click on the Run button
  5. The request that is failing will be highlighted in red. Click on this link, and view the response returned under the preview tab


If the message returned says something along the lines of:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To resolve this error you’ll need to export your certificate from the web browser as Base-64 encoded and then import it into FME Flow's trusted cacerts. Step-by-step instructions on how to do this can be found on the PKIX path issues article. 

Instead, if the message returned says something along the lines of: 
java.security.cert.CertificateExpiredException: NotAfter: Wed Dec 16 15:42:11 PST 2020
This indicates that your SSL certificate has expired. To resolve this error you’ll need to generate a new certificate and re-import it into FME Flow. Step-by-step instructions on how to do this can be found in the article Configuring FME Flow for HTTPS: Updating an expired Certificate.

Note: If you are the Administrator you’ll also be able to find these errors reported in the catalina or localhost logs located in <FMEFlowFileShare>\Resources\Logs\tomcat.

If you are receiving a different error, please export the response from Developer Tools by right-clicking on the Name column and selecting ‘Save all as HAR with content’, and share this file with Safe Support.
“I can access FME Flow via HTTPS but the Web Browser says Not Secure” 
Click 'Not secure' next to the URL and then 'Certificate is not valid' to view the certificate. Confirm that the Common Name (CN) matches the domain that you have entered. While you may be able to access FME Flow by typing localhost or the server name hosting FME Flow, the web browser will not treat the site as secure unless you enter the fully qualified domain name for which the certificate was issued. Also, make sure that the certificate has not expired.

If you are using a self-signed certificate this is expected: the web browser cannot trust the certificate because it has not been issued by a recognized certificate authority. You can work around this by installing the certificate into the machine's trusted certificate store. Note this is not a global setting and will need to be done on a per-machine basis, so you may wish to share these instructions with your FME Flow users.

Example instructions for Windows OS: 
  1. Open a browser and navigate to https://<hostname>/. If you configured Tomcat to use a port other than the standard port 443, also specify the port (https://<hostname>:<port>).
  2. View the certificate from the browser. Note: Instructions were written for Chrome and may differ slightly if you are using another browser.
  3. Navigate to “Details” and select “Export”
  4. Save as a “Base-64 encoded X.509 (CER)” to local disk (e.g. <certpath>\<certname>.cer)
  5. Open File Explorer and navigate to the location you just saved the certificate, select the file, right click and choose ‘Install Certificate’.
  6. In the Certificate Import Wizard under Store Location check the box for ‘Local Machine’ and for the Certificate Store choose the option ‘Place all certificates in the following store’ > Browse > Trusted Root Certification Authorities
  7. Finish the import wizard and next time you access FME Flow on this machine the connection should be secure.

If the certificate is CA certified, in the browser use the Security tab under Developer tools to view the Certification Path. If you have multiple certificates (e.g. Root/Intermediate) these should all be listed.


If the CA Root Certificate you imported is not listed as part of the certification path it may not have been imported correctly into FME Flow’s keystore. Try clearing out the tomcat keystore and make sure you import the certificates in descending order (Root > Intermediate > Certificate). 

Next, check that the Root certificate is installed in the Trusted Root Certification Authorities store; if it is not, follow the steps above to import it.

Lastly, confirm that the issuer of each certificate matches the subject of the next certificate up the chain (the intermediate, then the root), as in the chain diagram below.

Image By: Sebastiaan van Steenis from “Get your certificate chain right” on Medium.

If the problem persists instead try exporting this certificate to .pfx (this bundles up the root and certificate into a single file) and then follow the configuration steps for the PFX certificate type instead. Microsoft Management Console or OpenSSL are tools that can be used to export a certificate to pfx. 
 
"The catalina.log reports alias_no_key_entry error and in the certificate details in the Web UI the chain is missing" 
After configuring FME Flow for HTTPS using a Root, Intermediate (optional) and primary certificate when I view FME Flow through the Web UI it is displayed as 'Not Secure'. When viewing the certificate, the Root and Intermediate are missing from the Certification Path and when I view the tomcat Catalina.log there is a SEVERE error: 
Caused by: java.io.IOException: jsse.alias_no_key_entry
The Web Application Service is looking for a privateKeyEntry in the Keystore. This error indicates the primary certificate has been imported into the Keystore with a different alias name than the one used to generate the privateKeyEntry. As a result, FME Flow can only see the single entry and can't detect the certificate chain, so when you go to the URL it behaves like a self-signed certificate configuration. 

To resolve this error, you should re-perform steps 1-6 of the configuration. After step 1, you can double-check the privateKeyEntry is present by using the list command mentioned above. In step 3, and again in step 5 when you import the primary certificate, ensure you are using the same alias name as in step 1. Rerun the list command to confirm the keystore now contains two trustCertEntrys and one privateKeyEntry. 
 
"The catalina.log reports Alias name [null] does not identify a key entry" 
After configuring FME Flow for HTTPS using a Root, Intermediate (optional) and primary certificate FME Flow is no longer available through the Web UI. In the catalina.log I see a SEVERE error: 
SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]
...
Caused by: java.io.IOException: Alias name [null] does not identify a key entry
The Web Application Service is looking for a privateKeyEntry in the keystore. This error indicates that this entry type is missing from the keystore, rendering FME Flow inaccessible over HTTPS. To resolve this error, you should re-perform steps 1-6 of the configuration. After step 1, you can double-check the privateKeyEntry is present by using the list command mentioned above. In step 3, and again in step 5 when you import the primary certificate, ensure you use the same alias name as in step 1. Rerun the list command to confirm the keystore now contains two trustCertEntrys and one privateKeyEntry.
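The checks described in the Helpful Tomcat Commands section and in the two alias problems above (an alias entry per certificate, exactly one privateKeyEntry next to the trustCertEntrys, no expired certificate, and each issuer present as the owner of another entry) can be automated against the output of keytool -list -v. The following Python script is an added example, not part of this article or of FME Flow; the keytool output it contains is a constructed sample with made-up hostnames, CA names and serial numbers, and the file name check_keystore.py in the usage comment is an assumption.

```python
import re
from datetime import datetime

# Constructed sample of `keytool -list -v -keystore tomcat.keystore` output for a
# keystore holding one key entry and its two-level CA chain. Not captured from a
# real FME Flow install: hostnames, CA names and serial numbers are made up.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Your keystore contains 3 entries

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=fmeflow.example.com, O=Example Corp, C=CA
Issuer: CN=Example Intermediate CA, O=Example Corp, C=CA
Serial number: 1a2b3c
Valid from: Tue Jan 05 10:00:00 PST 2021 until: Wed Jan 05 10:00:00 PST 2022
*******************************************
Alias name: intermediate
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA, O=Example Corp, C=CA
Issuer: CN=Example Root CA, O=Example Corp, C=CA
Serial number: 2b3c4d
Valid from: Fri Jan 01 00:00:00 PST 2016 until: Thu Jan 01 00:00:00 PST 2026
*******************************************
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example Corp, C=CA
Issuer: CN=Example Root CA, O=Example Corp, C=CA
Serial number: 3c4d5e
Valid from: Thu Jan 01 00:00:00 PST 2015 until: Mon Jan 01 00:00:00 PST 2035
"""

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$", re.MULTILINE)


def _parse_keytool_date(text):
    # keytool prints e.g. "Wed Dec 16 15:42:11 PST 2020"; drop the zone token,
    # since strptime only recognises the abbreviations of the local zone.
    parts = text.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y")


def parse_keytool_list(output):
    """Turn `keytool -list -v` output into one dict per alias."""
    entries = []
    for block in re.split(r"^Alias name: ", output, flags=re.MULTILINE)[1:]:
        def field(label, block=block):
            m = re.search(rf"^{label}: (.+)$", block, re.MULTILINE)
            return m.group(1).strip() if m else None
        valid = VALID_RE.search(block)
        # For a PrivateKeyEntry with a chain, the first Owner/Issuer pair belongs
        # to Certificate[1], the server certificate itself.
        entries.append({"alias": block.splitlines()[0].strip(),
                        "type": field("Entry type"),
                        "owner": field("Owner"),
                        "issuer": field("Issuer"),
                        "not_after": _parse_keytool_date(valid.group(2)) if valid else None})
    return entries


def check_keystore(entries, now=None):
    """List problems: no key entry, alias mismatch, expiry, unlinked chain."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now())
    problems = []
    key_entries = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    if not key_entries:
        problems.append("no PrivateKeyEntry: nothing for the HTTPS connector to serve")
    for e in entries:
        if e["not_after"] and e["not_after"] < now:
            problems.append(f"{e['alias']}: certificate expired {e['not_after']:%Y-%m-%d}")
    for leaf in key_entries:
        # Key still self-signed while a CA-issued certificate for the same subject
        # sits under another alias: the chain was imported beside the key, not onto it.
        if leaf["owner"] == leaf["issuer"]:
            for other in entries:
                if other is not leaf and other["owner"] == leaf["owner"]:
                    problems.append(f"{leaf['alias']}: key still carries its self-signed "
                                    f"certificate; CA-issued copy is under alias '{other['alias']}'")
        # Walk issuer -> owner links up to a self-signed root.
        current, seen = leaf, set()
        while current["owner"] != current["issuer"] and current["alias"] not in seen:
            seen.add(current["alias"])
            parent = next((e for e in entries if e["owner"] == current["issuer"]), None)
            if parent is None:
                problems.append(f"{current['alias']}: issuer '{current['issuer']}' not in keystore")
                break
            current = parent
    return problems


if __name__ == "__main__":
    import sys
    # Usage: keytool -list -v -keystore tomcat.keystore > list.txt ; python check_keystore.py list.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEYTOOL_OUTPUT
    found = parse_keytool_list(text)
    for entry in found:
        print(f"{entry['alias']:<14} {entry['type']:<17} {entry['owner']}")
    print("\n".join(check_keystore(found)) or "keystore looks consistent")
```

Run without arguments it reports on the embedded sample (whose server certificate expired in 2022, so the expiry check fires); pass the saved keytool output as the first argument to check a real keystore. A key entry whose Owner and Issuer are identical while a trustedCertEntry with the same Owner exists is the alias_no_key_entry situation: the CA-issued certificate was imported under a new alias instead of onto the key.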
 
“On Mac OS Catalina I get a Privacy error and cannot advance to FME Flow” 
After configuring FME Flow with a self-signed certificate you cannot access FME Flow over Mac OS. The browser returns the error:

Your connection is not private
NET::ERR_CERT_INVALID


And under the Advanced section there is no option to proceed. 

Chrome has started to block self-signed certificates; to proceed to FME Flow you can type ‘thisisunsafe’ on the error page. To get rid of this error you’ll need to trust the certificate by importing the file into Keychain Access.
  1. Click on NET::ERR_CERT_INVALID to see the certificate. Copy the PEM encoded chain from the Web Browser into a text editor and save with the extension .pem
  2. Open KeyChain Access and drag and drop the PEM file created in step 1 to the System KeyChain section
  3. Right click on the file and select Get Info
  4. Under Trust set the Secure Sockets Layer to ‘Always Trust’

 

“After configuring HTTPS I can no longer use SSO to log in to FME Flow” 
You must update the SSO Authentication URL in FME Flow's Tomcat Properties file to use HTTPS. Please follow the instructions in the documentation.

 

“After upgrading FME Flow I can no longer access my FME Flow via HTTPS” 
The HTTPS configuration is not included in the FME Flow backup/restore process, therefore after a migration you will need to reconfigure FME Flow for HTTPS following the instructions specifically for your certificate type. 
 
"Trying to import PFX certificate I receive the error lengthTag=109, too big"

This error usually occurs if there is a tomcat.keystore file already present where you are trying to create the new keystore. Please rename or remove the old tomcat.keystore and try running the command again. 
 

"After configuring HTTPS I get the error in the web browser ERR_SSL_VERSION_OR_CIPHER_MISMATCH"

As part of the configuration, the Connector element in the server.xml file is replaced. This element includes a 'ciphers' attribute, which lists the TLS cipher suites the server will accept; each suite implies a key type and signature algorithm, and the list is not exhaustive. If the browser returns the error ERR_SSL_VERSION_OR_CIPHER_MISMATCH, this indicates that your certificate was generated with a key or signature algorithm that no cipher suite in the list supports. To resolve this error, update the list of ciphers to include a suitable suite, and then restart the FME Flow Web Application Server Service to apply the change.
 

"Catalina.log reports a parse fatal error"

After completing the configuration, the FME Flow Web UI won't load and in the catalina.log there is an error similar to: 

Parse fatal error...
The contents of elements must consist of well-formed character data or markup. 

The certificate password likely contains one or more of the following characters: < > " ' &. These are reserved in XML and must be escaped. In server.xml, replace each of these characters in the keystorePass value with the corresponding entity reference:

  <    &lt;
  >    &gt;
  "    &quot;
  '    &apos;
  &    &amp;
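To see why the parse error occurs and to confirm an escaped password is read back unchanged, the following Python snippet is an added example (not from this article or from FME Flow). It builds an illustrative Connector element in the style of Tomcat's server.xml with the password first raw and then escaped, and checks each with a conforming XML parser; the port, keystore path and the sample password are placeholders chosen for the example.

```python
import xml.etree.ElementTree as ET

# The five characters the article lists, each with the entity reference that
# must replace it inside a server.xml attribute value.
XML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&apos;"}

# Illustrative HTTPS connector in the style of Tomcat's server.xml. It is not
# the connector FME Flow ships; the port and keystore path are placeholders.
CONNECTOR_TEMPLATE = (
    '<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"\n'
    '           SSLEnabled="true" scheme="https" secure="true"\n'
    '           keystoreFile="conf/tomcat.keystore" keystorePass="{keystore_pass}" />'
)


def escape_keystore_pass(password):
    """Escape a keystore password for use as an XML attribute value."""
    # '&' goes first; otherwise the '&' inside &lt; etc. would be escaped twice.
    escaped = password.replace("&", XML_ENTITIES["&"])
    for raw, entity in XML_ENTITIES.items():
        if raw != "&":
            escaped = escaped.replace(raw, entity)
    return escaped


def connector_xml(password, escape=True):
    """Render the connector with the password escaped (or raw, to reproduce the failure)."""
    value = escape_keystore_pass(password) if escape else password
    return CONNECTOR_TEMPLATE.format(keystore_pass=value)


def is_well_formed(xml_text):
    """True if a conforming XML parser (ElementTree here, as in Tomcat) accepts the fragment."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def password_as_tomcat_reads_it(password):
    """Parse the escaped connector and return the keystorePass value after entity decoding."""
    return ET.fromstring(connector_xml(password)).get("keystorePass")


if __name__ == "__main__":
    pw = 'p<ss&w"rd'  # constructed example password containing reserved characters
    print("raw attribute well-formed?    ", is_well_formed(connector_xml(pw, escape=False)))
    print("escaped attribute well-formed?", is_well_formed(connector_xml(pw)))
    print("value Tomcat will read back:  ", password_as_tomcat_reads_it(pw))
```

The parser decodes the entity references when it reads the attribute, so the keystore still receives the original password; only the text in server.xml changes. Escaping all five characters is always safe, even though some of them are only strictly required in certain positions.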

 

"Catalina.log reports a ‘data isn’t an object ID (tag = 48)’ or 'algorithm not available' error"

After completing the configuration, the FME Flow Web UI won't load and in the catalina.log there is an error:

data isn’t an object ID (tag = 48)

or

Algorithm HmacPBESHA256 not available

This indicates that your certificate was generated using a newer version of Java with algorithms not supported by FME Flow. Please see HTTPS Configuration error ‘data isn’t an object ID (tag = 48)’ for steps to resolve.

"Catalina.log reports a 'java.net.BindException: Address already in use: bind' error"
If FME Flow is not loading in the web browser after HTTPS configuration, although all FME services are running, and the Tomcat catalina log file contains the following error:
java.net.BindException: Address already in use: bind
This could be because another program is using the HTTPS port required by the FME Web Application Server Service. Please see this article for the resolution steps.
 

Are you still experiencing issues?

Please consider posting to the FME Community Q&A if you are still experiencing issues that are not addressed in this article. There are also different support channels available. When contacting support please share the tomcat log folder located in Resources > Logs. 
 

Have ideas on how to improve this?

You can add ideas or product suggestions to our Ideas Exchange.
 
