Hi,
I am trying to do a POC with ISAM 9.0.0.7 within our organisation, using the following link to spin it up in OpenShift v3.7:
https://github.com/jonpharry/isamdocker
The PODs are getting spun up with issues, and I wanted help from the community to fix them.
Issue 1 > The isam-runtime POD does not connect to the isam-config pod, as can be seen in the logs below.
I also tried to rsh manually into the runtime POD and curl the config pod with the -k option to bypass the cert check, and it works; hence I suspect something needs to be done with respect to certs.
# oc logs pod/isamruntime-3243051175-35pb7
2019-07-18T01:27:55+0100: ---- Retrying....
Error: WGAWA0662E An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403
2019-07-18T01:28:03+0100: ---- Retrying....
Error: WGAWA0662E An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403
2019-07-18T01:28:10+0100: ---- Retrying....
Error: WGAWA0662E An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403
2019-07-18T01:28:18+0100: ---- Retrying....
Error: WGAWA0662E An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403
2019-07-18T01:28:27+0100: ---- Retrying....
Error: WGAWA0662E An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403
2019-07-18T01:28:38+0100: ---- Retrying....
Error: WGAWA0662E An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403
2019-07-18T01:28:49+0100: ---- Retrying....
# oc rsh isamruntime-3243051175-35pb7
sh-4.2$ curl -v https://isamconfig:9443/shared_volume/fixpacks
* About to connect() to isamconfig port 9443 (#0)
* Trying 172.17.20.253...
* Connected to isamconfig (172.17.20.253) port 9443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=isamconfig-2973007414-k1dv0
* start date: Jul 16 23:44:54 2019 GMT
* expire date: Jul 16 23:44:54 2020 GMT
* common name: isamconfig-2973007414-k1dv0
* issuer: CN=isamconfig-2973007414-k1dv0
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
sh-4.2$
sh-4.2$ curl -Lvk https://isamconfig:9443/shared_volume/fixpacks
* About to connect() to isamconfig port 9443 (#0)
* Trying 172.17.20.253...
* Connected to isamconfig (172.17.20.253) port 9443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=isamconfig-2973007414-k1dv0
* start date: Jul 16 23:44:54 2019 GMT
* expire date: Jul 16 23:44:54 2020 GMT
* common name: isamconfig-2973007414-k1dv0
* issuer: CN=isamconfig-2973007414-k1dv0
> GET /shared_volume/fixpacks HTTP/1.1
> User-Agent: curl/7.29.0
> Host: isamconfig:9443
> Accept: */*
>
< HTTP/1.1 302 Found
< Location: https://isamconfig:9443/core/login
< Content-Language: en-US
< Set-Cookie: WASReqURL=https://:9443/shared_volume/fixpacks; Path=/; Secure; HttpOnly
< Transfer-Encoding: chunked
< Date: Thu, 18 Jul 2019 09:20:36 GMT
< Expires: Thu, 01 Dec 1994 16:00:00 GMT
< Cache-Control: no-cache="set-cookie, set-cookie2"
<
* Ignoring the response-body
* Connection #0 to host isamconfig left intact
* Issue another request to this URL: 'https://isamconfig:9443/core/login'
* Found bundle for host isamconfig: 0xb6bee0
* Re-using existing connection! (#0) with host isamconfig
* Connected to isamconfig (172.17.20.253) port 9443 (#0)
> GET /core/login HTTP/1.1
> User-Agent: curl/7.29.0
> Host: isamconfig:9443
> Accept: */*
>
< HTTP/1.1 200 OK
< X-FRAME-OPTIONS: SAMEORIGIN
< Cache-Control: no-cache, no-store
< Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=16070400; includeSubDomains
< Pragma: no-cache
< Content-Type: text/html;charset=utf-8
< Content-Language: en-US
< Set-Cookie: JSESSIONID=0000gJWTe1Ef-J9iABwMFIeJaAR:969cff36-5992-4f29-aa2e-60222dc40746; Path=/; Secure; HttpOnly
< Transfer-Encoding: chunked
< Date: Thu, 18 Jul 2019 09:20:37 GMT
< Expires: Thu, 01 Dec 1994 16:00:00 GMT
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<!-- IBM Confidential
Object Code Only Source Materials
5725-L52
(c) Copyright International Business Machines Corp. 2012, 2016
The source code for this program is not published or otherwise divested
of its trade secrets, irrespective of what has been deposited with the
U.S. Copyright Office. -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang='en' dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="pragma" content="no-cache"/>
<meta http-equiv="cache-control" content="no-cache"/>
<meta name="screen_id" content="Login::get" />
<link rel="icon" href="/images/favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="/images/favicon.ico" type="image/x-icon" />
<meta name="csrf-param" content="authenticity_token"/>
<meta name="csrf-token" content=""/>
<meta name="cctxt" content=""/>
<title>IBM Security Access Manager</title>
<!-- ISAM CSS -->
<link rel="stylesheet" type="text/css" href="/javascripts/dojo/dijit/themes/claro/claro.css" />
.
.
.
.
.
------------------------------
Samir Mehta
------------------------------
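A triage helper for the `curl -v` transcript above, added here as an example; it is not part of the original post or of the isamdocker project. It reads three facts out of the transcript: whether the certificate is self-issued, whether its common name covers the host that was requested, and whether the request was redirected to a login page. The names `analyse`, `name_matches` and `SAMPLE` are hypothetical, and the check assumes the common name is the only certificate name available, since this curl output prints no subjectAltName.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: lines taken from the curl -v transcript in the post, trimmed.
SAMPLE = """\
* Server certificate:
* subject: CN=isamconfig-2973007414-k1dv0
* common name: isamconfig-2973007414-k1dv0
* issuer: CN=isamconfig-2973007414-k1dv0
> GET /shared_volume/fixpacks HTTP/1.1
> Host: isamconfig:9443
< HTTP/1.1 302 Found
< Location: https://isamconfig:9443/core/login
"""

def _field(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def name_matches(pattern, host):
    """Exact match, or a wildcard covering only the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 1:
        return p[1:] == h[1:]
    return p == h

def analyse(transcript):
    """Summarise trust and authentication facts visible in a curl -v transcript."""
    subject = _field(r"^\* *subject: *(.+)$", transcript)
    issuer = _field(r"^\* *issuer: *(.+)$", transcript)
    cn = _field(r"^\* *common name: *(.+)$", transcript)
    host = _field(r"^> Host: *([^:\s]+)", transcript)
    status = _field(r"^< HTTP/[\d.]+ +(\d{3})", transcript)
    location = _field(r"^< Location: *(\S+)", transcript)
    return {
        "host": host,
        # Subject equal to issuer: self-issued, so it validates only if explicitly trusted.
        "self_signed": subject is not None and subject == issuer,
        # The client asked for `host`; the certificate has to name it.
        "name_matches_host": bool(cn and host and name_matches(cn, host)),
        # A 3xx to a login path suggests the request was treated as unauthenticated.
        "login_redirect": bool(status and status.startswith("3") and location
                               and "login" in urlsplit(location).path),
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
```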