3rd Party Patch Reporting Server

kylefour
New Contributor

With the recent release of Patch Reporting Software Titles, I'm looking at getting it set up. The documentation mentions that the JSS requires outbound access on 443. We are behind a proxy, so I need to know the destination of the patch server that this is trying to contact.

Is it vendor-based? Is it simply a JAMF server on the internet somewhere?

Does anyone know the destination?

Thanks

Kyle

5 REPLIES

bvrooman
Valued Contributor

I just opened a support case about this yesterday, in fact. I can't seem to find a way to get the JSS to authenticate to our proxy, so we'll have to whitelist this particular server.

The URL is https://jamf-patch.jamfcloud.com/v1/software

mthakur
Contributor

@bvrooman
In our case, the proxy (Websense) is granting access from the Safari web browser to the patch server URL, but the JSS (running on the same Mac server) still cannot access the patch server URL, giving me the dreaded error:

"Cannot contact the server that hosts the software definitions"

Looking in the JSS log file (/Library/JSS/Logs/JAMFSoftwareServer.log) I see:

[ERROR] [Tomcat-24 ] [eTitleSummaryHTMLResponse] - An error has occurred trying to retrieve software titles from the patch server org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://jamf-patch.jamfcloud.com/v1/software":sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Based on this error, I'm fairly certain the issue has to do with how our proxy filters HTTPS traffic, i.e. replacing the external certificate with an internally issued one. I'll take it up with our proxy team.

mthakur
Contributor

@bvrooman
Followup: The Java exception was occurring because our Java keystore didn't trust our internal root certificate.

It turns out that trusting our internal root certificate in the system keychain is not sufficient — you have to import the internal root certificate into Java separately.

To fix this, here are the specific commands I ran on our JSS server (running on a Mac):

$ jrunscript -e 'java.lang.System.out.println(java.lang.System.getProperty("java.home"));'
$ sudo keytool -import -noprompt -alias alias -keystore JAVA_HOME/lib/security/cacerts -file /path/to/root/certificate/file -storepass changeit

Notes:
1. You need to have the Java Development Kit (JDK) installed, not just the Java Runtime Environment (JRE); this shouldn't be a problem on your JSS server, which already requires the JDK to run.
2. The first command above (jrunscript) tells you the location of the JAVA_HOME on your system. On mine, it was /Library/Java/JavaVirtualMachines/jdk1.8.0_101.jdk/Contents/Home/jre.
3. In the above, alias refers to the name of the root certificate, JAVA_HOME is the output of the jrunscript command, and /path/to/root/certificate/file is the path to your root certificate file.
4. The default password for the Java keystore is "changeit". If your site has changed this password, substitute the correct password.

Lastly, I restarted the JSS using:

$ sudo launchctl unload /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist
$ sudo launchctl load /Library/LaunchDaemons/com.jamfsoftware.tomcat.plist

Voila! The patch management link in the JSS now works great! Hope this helps someone else out there.

maccentric
New Contributor II

If you are on Ubuntu 14.04.5 with OpenJDK version 8, there could be some issues with the CA trust on the URL

https://jamf-patch.jamfcloud.com/v1/software

[ERROR] [Tomcat-2   ] [eTitleSummaryHTMLResponse] - An error has occurred trying to retrieve software titles from the patch server
org.springframework.web.client.ResourceAccessException: I/O error on
GET request for "https://jamf-patch.jamfcloud.com/v1/software":java.lang.RuntimeException:
Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty; nested exception is javax.net.ssl.SSLException: 
java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: 
the trustAnchors parameter must be non-empty

The hint was trustAnchors, and with anything trust related it comes down to certs...

What fixed it for me was to run the following two commands and it started working:

apt-get install -y --reinstall ca-certificates-java
update-ca-certificates -f

This reinstalls the CA certificates for Java (Tomcat) and then forces an update of them system-wide.

All working now.
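Added example (not part of the original thread and not Jamf's code): a Python triage of JAMFSoftwareServer.log that tells apart the two TLS trust failures quoted above and maps each to the fix reported in this thread. The sample log is abridged from those excerpts plus one constructed INFO line; the optional leading timestamp in the entry pattern is an assumption.

```python
import re

# Signatures come from the two log excerpts quoted in this thread.
SIGNATURES = [
    ("untrusted_issuer", re.compile(r"PKIX path building failed"),
     "Issuing root (e.g. a TLS-inspecting proxy's internal CA) is not in the "
     "JVM truststore; import it into cacerts with keytool."),
    ("empty_truststore", re.compile(r"trustAnchors parameter must be non-empty"),
     "JVM truststore is empty or unreadable; rebuild cacerts "
     "(reinstall ca-certificates-java on Ubuntu)."),
]
# Assumption: an entry starts with an optional timestamp, then a [LEVEL] tag.
ENTRY_START = re.compile(r"^(?:\d{4}-\d{2}-\d{2} \S+ )?\[(?:ERROR|WARN|INFO|DEBUG)\s*\]")
URL = re.compile(r'GET request for "([^"]+)"')

# Sample: abridged from the thread's excerpts; the INFO line is constructed.
SAMPLE = '''[ERROR] [Tomcat-24 ] [eTitleSummaryHTMLResponse] - I/O error on GET request for "https://jamf-patch.jamfcloud.com/v1/software":sun.security.validator.ValidatorException: PKIX path building failed
[INFO ] [Tomcat-3   ] [ExampleLogger] - constructed unrelated line
[ERROR] [Tomcat-2   ] [eTitleSummaryHTMLResponse] - An error has occurred
org.springframework.web.client.ResourceAccessException: I/O error on
GET request for "https://jamf-patch.jamfcloud.com/v1/software":java.lang.RuntimeException:
Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty
'''

def split_entries(text):
    """Rejoin wrapped lines: a line without a [LEVEL] prefix continues the entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        else:
            entries[-1] += " " + line.strip()
    return entries

def triage(text):
    """Return (url, cause, remediation) for each TLS trust failure in the log."""
    findings = []
    for entry in split_entries(text):
        url = URL.search(entry)
        for cause, pattern, fix in SIGNATURES:
            if pattern.search(entry):
                findings.append((url.group(1) if url else None, cause, fix))
                break
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
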

prbsparx
Contributor II

@maccentric How did you configure the JSS to use the proxy server to access the site in Ubuntu?