A few weeks ago, on one of our Documentum environments, we find out thanks to our monitoring that the Renditions weren’t generated anymore by our CTS/ADTS Server… This happened in a Sandbox environment where a lot of dev/testing was done in parallel between EMC, the different Application Teams and the Platform/Architecture Team (us). A lot of changes at the same time means that it might not be easy to find out what caused this issue…
After a few checks on our monitoring scripts just to ensure that the issue wasn’t the monitoring itself, it appears that this part was working properly and indeed the renditions weren’t generated anymore. Therefore we checked the configuration of the docbase/rendition server but didn’t find anything suspicious on the configuration side and therefore we checked the logs of the Rendition Server. The CTS/ADTS Server often print a lot of different errors that are all linked but which appear to have a different root cause. Therefore to know which error is really relevant, I cleaned up the log file (stop CTS/ADTS, backup log file and remove it) and then I launched our monitoring script that basically remove all existing renditions for a test document, if any, and then request a new set of renditions to be generated by the CTS/ADTS Server.
After doing that, it was clear that the following error was the real one I needed to take a look at:
11:14:58,562 INFO [ Thread-61] CTSThreadPoolManagerImpl - Added ICTSTask to the ICTSThreadPoolManager: dm_transcode_content
11:14:58,562 INFO [Thread-153] CTSThreadPoolManagerImpl - Start. About to get Next ICTSTask from pool manager...
11:14:58,562 INFO [Thread-153] CTSThreadPoolManagerImpl - ICTSThreadPoolManager: removing first item from the list for processing...
11:14:58,562 INFO [Thread-153] CTSThreadPoolManagerImpl - Removing a task to execute it. Number in waiting list: 1
11:14:58,562 INFO [Thread-153] CTSThreadPoolManagerImpl - Next CTSTask received...
11:14:58,562 INFO [Thread-153] CTSThreadPoolManagerImpl - CTSThreadPoolManager has threadlimit -1
11:14:58,562 INFO [Thread-153] CTSThreadPoolManagerImpl - Processing next CTSTask...
11:14:58,562 INFO [Thread-153] CTSThreadPoolManagerImpl - About to get notifier from CTSTask...
11:14:58,562 INFO [Thread-153] CTSThreadPoolManagerImpl - About to get session from CTSTask...
11:14:59,203 INFO [Thread-153] CTSThreadPoolManagerImpl - About to get RUN CTSTask...
11:14:59,859 WARN [Thread-153] CTSOperationsUtils - [BOCS/ACS] exportContentFiles error - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path.
https://content_server_01:9082/ACS/servlet/ACS?command=read&version=2.3&docbaseid=0f3f245a&basepath=%2Fdata%2Fdctm%2Frepo01%2Fcontent_storage_01%2F003f245a&filepath=80%2F06%2F3f%2F46.docx&objectid=093f245a800a303f&cacheid=dAAEAgA%3D%3DRj8GgA%3D%3D&format=msw12&pagenum=0&signature=wnJx0Z9%2Brzhk3ZMWNQj5hkRq1ZtAwqZGigeLdG%2FLUsc8WDs8WUHBIPf5FHbrYsmbU%2Bby7pTbxtcxtcwMsGIhwyLzREkrec%2BZzMYY3bLY88sad%2BLlzJfqzYveIEu4iebZnOwm4g%2FxyZzfR3C4Yu3W5FgBaxulngiopjVMe587B6k%3D&servername=content_server_01ACS1&mode=1×tamp=1465809299&length=12586&mime_type=application%2Fvnd.openxmlformats-officedocument.wordprocessingml.document¶llel_streaming=true&expire_delta=360
11:14:59,859 ERROR [Thread-153] CTSThreadPoolManagerImpl - Exception in CTSThreadPoolManagerImpl, notification :
com.documentum.cts.exceptions.internal.CTSServerTaskException: Error while exporting file(s) from repo01, objectName: check_ADTS_rendition_creation errorMessage: Executing Export operation failed
Could not get the content file for check_ADTS_rendition_creation (093f245a800a303f, msw12, null)
Cause Exception was:
com.documentum.cts.exceptions.CTSException: Error while exporting file(s) from repo01, objectName: check_ADTS_rendition_creation errorMessage: Executing Export operation failed
Could not get the content file for check_ADTS_rendition_creation (093f245a800a303f, msw12, null)
Cause Exception was:
DfException:: THREAD: Thread-153; MSG: Error while exporting file(s) from repo01, objectName: check_ADTS_rendition_creation errorMessage: Executing Export operation failed
Could not get the content file for check_ADTS_rendition_creation (090f446e800a303f, msw12, null); ERRORCODE: ff; NEXT: null
at com.documentum.cts.util.CTSOperationsUtils.getExportedFileEx5(CTSOperationsUtils.java:626)
at com.documentum.cts.util.CTSOperationsUtils.getExportedFileEx4(CTSOperationsUtils.java:332)
at com.documentum.cts.util.CTSOperationsUtils.getExportedFileEx3(CTSOperationsUtils.java:276)
at com.documentum.cts.util.CTSOperationsUtils.getExportedFileEx2(CTSOperationsUtils.java:256)
at com.documentum.cts.impl.services.task.CTSTask.exportInputContent(CTSTask.java:4716)
at com.documentum.cts.impl.services.task.CTSTask.retrieveInputURL(CTSTask.java:4594)
at com.documentum.cts.impl.services.task.CTSTask.initializeFromCommand(CTSTask.java:2523)
at com.documentum.cts.impl.services.task.CTSTask.execute(CTSTask.java:922)
at com.documentum.cts.impl.services.task.CTSTaskBase.doExecute(CTSTaskBase.java:514)
at com.documentum.cts.impl.services.task.CTSTaskBase.run(CTSTaskBase.java:460)
at com.documentum.cts.impl.services.thread.CTSTaskRunnable.run(CTSTaskRunnable.java:207)
at java.lang.Thread.run(Thread.java:745)
11:14:59,859 INFO [Thread-153] CTSQueueProcessor - _failureNotificationAdmin : false
11:14:59,859 INFO [Thread-153] CTSQueueProcessor - _failureNotification : true
Ok so now it is clear that the error is actually the following one: “java.security.cert.CertPathBuilderException: Could not build a validated path”. This always means that a specific SSL Certificate Chain isn’t trusted. As you can see above, it is mentioned “BOCS/ACS” on the same line and actually the line just below contains the URL of the ACS… Therefore I thought about that and yes indeed one of the changes planned for that day was that the D2-BOCS has been installed and enabled on this environment. So what is the link between the ACS URL and the D2-BOCS installation? Well actually when installing the D2-BOCS, if you want to keep your environment secured, then you need the ACS to be switched to HTTPS because the D2-BOCS will force D2 to use the ACS URLs to download the documents to the client’s workstation when it is actually not using the ACS at all when there is no D2-BOCS installed. Therefore the installation of the D2-BOCS isn’t linked to the CTS/ADTS at all but one of our pre-requisites to install it was to setup the ACS in HTTPS and that is linked to the CTS/ADTS Server because it is actually using it to download the documents as you can see in the error above.
Now we know what was the error and just to confirm that, I switched back the ACS URL to HTTP (using DA: Administration > Distributed Content Configuration > ACS Servers > Right-click on ACS objects > Properties > ACS Server Connections) and re-init the Content Server (using DA: Administration > Basic Configuration > Content Servers > Right-click on CS objects > Properties > Check “Re-Initialize Server” and click OK).
Right after doing that, the monitoring switched back to green, meaning that renditions were created again and therefore this was indeed the one and only issue. So what to do if we want to use the ACS in HTTPS in correlation with the Rendition? Well we just have to explain to the CTS/ADTS Server that he can trust the ACS SSL Certificate and this is done by updating the cacerts file of Java used by the Rendition Server. This is done pretty easily using the following commands for which I will suppose that the Rendition Server has been installed on a D: Drive under “D:CTS”.
So the first thing to do is to upload your Certificate Chain to the Rendition Server and put them under “D:certs” (I will suppose there are two SSL Certificates in the chain: a Root and a Gold). Then simply start a command prompt as Administrator and execute the following commands to update the cacerts file of Java:
D:> copy D:CTSjava641.7.0_72jrelibsecuritycacerts D:CTSjava641.7.0_72jrelibsecuritycacerts.bck_YYYYMMDD
1 file(s) copied.
D:> D:CTSjava641.7.0_72binkeytool.exe -import -trustcacerts -alias root_ca -keystore D:CTSjava641.7.0_72jrelibsecuritycacerts -file D:certsInternal_Root_CA.cer
Enter keystore password:
…
Trust this certificate? [no]: yes
Certificate was added to keystore
D:> D:CTSjava641.7.0_72binkeytool.exe -import -trustcacerts -alias gold_ca -keystore D:CTSjava641.7.0_72jrelibsecuritycacerts -file D:certsInternal_Gold_CA1.cer
Enter keystore password:
Certificate was added to keystore
Now just switch the ACS to use HTTPS again, restart the Rendition services using the Windows Services or command line tool and the next time you will request a rendition, it will work without errors even in HTTPS. That’s actually a very common mistake to setup the SSL on the Content Server side which is great but you need not to forget that some other components might use what you switch to HTTPS and therefore these additional components need to trust your SSL Certificates too!
Note 1: in our case, the WebLogic Server hosting D2 was already in HTTPS and therefore it was already trusting the Internal Root & Gold SSL Certificates, reason why we could use the ACS in HTTPS from D2 without issue.
Note 2: in case you didn’t know about it, I think it is now clear that the CTS/ADTS Server is using the ACS to download the files… Therefore if you want a secured environment even without D2-BOCS, you absolutely need to switch your ACS to HTTPS!
![Thumbnail [60x60]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/MOP_web-min-scaled.jpg)
![Thumbnail [90x90]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/GME_web-min-scaled.jpg)
![Thumbnail [90x90]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/ATR_web-min-scaled.jpg)
![Thumbnail [90x90]](https://www.dbi-services.com/blog/wp-content/uploads/2022/08/CVI_web-min-scaled.jpg)