- Jamf Nation Community
- Products
- Jamf Pro
- Re: 3rd Party Patch Reporting Server
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
3rd Party Patch Reporting Server
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-11-2016 04:09 AM
With the recent release of Patch Reporting Software Titles, I'm looking at getting it set up to use, the documentation mentions the JSS requires outbound access on 443, we are behind a proxy so i need to know the destination of the patch server that this is trying to contact..
Is it vendor-based? Is it simply a JAMF server in the internet somewhere?
Does anyone know the destination?
Thanks
Kyle
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 08-11-2016 05:42 AM
I just opened a support case about this yesterday, in fact. I can't seem to find a way to get the JSS to authenticate to our proxy, so we'll have to whitelist this particular server.
The URL is https://jamf-patch.jamfcloud.com/v1/software
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-02-2016 07:29 AM
@bvrooman
In our case, the proxy (Websense) is granting access from the Safari web browser to the patch server URL, but the JSS (running on the same Mac server) still cannot access the patch server URL, giving me the dreaded error:
"Cannot contact the server that hosts the software definitions"
Looking in the JSS log file (/Library/JSS/Logs/JAMFSoftwareServer.log) I see:
[ERROR] [Tomcat-24 ] [eTitleSummaryHTMLResponse] - An error has occurred trying to retrieve software titles from the patch server org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://jamf-patch.jamfcloud.com/v1/software":sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Based on this error, I'm fairly certain the issue has to do with how our proxy filters HTTPS traffic, i.e. replacing the external certificate with an internally issued one. I'll take it up with our proxy team.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 09-06-2016 12:43 PM
@bvrooman
Followup: The Java exception was occurring because our Java keystore didn't trust our internal root certificate.
It turns out that trusting our internal root certificate in the system keychain is not sufficient — you have to import the internal root certificate into Java separately.
To fix this, here are the specific commands I ran on our JSS server (running on a Mac):
$ jrunscript -e 'java.lang.System.out.println(java.lang.System.getProperty("java.home"));' $ sudo keytool -import -noprompt -alias alias -keystore JAVA_HOME/lib/security/cacerts -file /path/to/root/certificate/file -storepass changeit
Notes:
1. You need to have the Java Development Kit (JDK) installed, not just the Java Runtime Environment (JRE); this shouldn't be a problem on your JSS server, which already requires the JDK to run.
2. The first command above (jrunscript) tells you the location of the JAVA_HOME on your system. On mine, it was /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre.
3. In the above, alias refers to the name of the root certificate, JAVA_HOME is the output of the jrunscript command, and /path/to/root/certificate/file is the path to your root certificate file.
4. The default password for the Java keystore is "changeit". If your site has changed this password, substitute the correct password.
Lastly, I restarted the JSS using:
$ sudo launchctl unload /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist $ sudo launchctl load /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist
Voila! The patch management link in the JSS now works great! Hope this helps someone else out there.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-18-2016 02:40 AM
If you are on ubuntu 14.04.5 with openjdk version 8 there could be some issues with the CA trust on the URL
https://jamf-patch.jamfcloud.com/v1/software
[ERROR] [Tomcat-2 ] [eTitleSummaryHTMLResponse] - An error has occurred trying to retrieve software titles from the patch server
org.springframework.web.client.ResourceAccessException: I/O error on
GET request for "https://jamf-patch.jamfcloud.com/v1/software":java.lang.RuntimeException:
Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty; nested exception is javax.net.ssl.SSLException:
java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException:
the trustAnchors parameter must be non-emptyThe hint was trustAnchors, and with anything trust related it comes down to certs...
What fixed it for me was to run the following two commands and it started working:
apt-get install -y --reinstall ca-certificates-java
update-ca-certificates -fThe reinstall of the CA certificates for Java (Tomcat) and then a force update of them system wide.
All working now.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-05-2018 02:06 PM
@maccentric How did you configure the JSS to use the proxy server to access the site in Ubuntu?
