Server Certificate Troubleshooting
Refer to these troubleshooting steps if you changed the server certificate used by the Transfer Server or Gateway Administrator server.
After any changes you make to server certificate setup, always perform both of the following before retesting:
- Close all browser windows.
- Restart the server whose certificate you are configuring. See Start and Stop the FileXpress Transfer Server and Start and Stop the FileXpress Gateway Administrator Service.
Error messages shown below are from the console.yyyymmdd.log file.
Certificate warning still appears
- Did you close all browser windows and restart the server before retesting?
- Does the server name in the URL you are using match the server name(s) in the certificate?
Browser cannot display the web page
- Did you specify the correct password for servletengine.ssl.keystorepassword?
In the log file, look for: "java.io.IOException: Keystore was tampered with, or password was incorrect"
- Is the keystore or PKCS#12 file in the location specified for servletengine.ssl.keystore?
In the log file, look for: "java.io.FileNotFoundException: <path> (The system cannot find the file specified)"
- If you generated a JKS from a PKCS#12 file, did you use the same password?
In the log file, look for: "java.security.UnrecoverableKeyException: Given final block not properly padded"
- Is your PKCS#12 file encrypted with a FIPS-approved algorithm? Note that OpenSSL and the Windows Certificate Manager do not currently encrypt the certificate using strong algorithms by default. PBE-SHA1-3DES is the only approved algorithm currently available. If you see the following log file error, either re-encrypt your file or import it into a Java keystore.
In the log file, look for: "java.io.IOException: Could not decrypt data"
Login is successful, but error messages appear in the log file
- The message "javax.net.ssl.SSLException: Fatal Alert received: Bad Certificate" appears repeatedly in the server and console log files.
This exception is most likely to occur if the Transfer Server has not been updated to trust a new Gateway Administrator certificate. To resolve this issue, from the FileXpress Secure Shell Proxy console, go to the FileXpress Users pane and click Activate and verify.