WebSphere Application Server & Liberty


SSL/HTTPS issue in WAS 8.5.4

  • 1.  SSL/HTTPS issue in WAS 8.5.4

    Posted Mon August 01, 2016 02:37 AM


    We have an issue while accessing the application using SSL/HTTPS. When we hit the application URL using https we get an internal server error and the webserver log shows "10.111.198.117 - - [01/Aug/2016:16:29:54 +1000] "GET /aveksa/main HTTP/1.1" 500 625". The same application URL works fine using http. Can anyone shed some light on this topic?

     

    Steps performed are:

    1) Application and webserver are up and running (restarted)

    2) Added the SSL part as below

    3) Generated the plugin


    #LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    #Listen 443
    #
    #SSLEnable
    #
    #KeyFile /opt/IBM/IBMHTTPD/ihsserverkey.kdb
    #SSLDisable
    # End of example SSL configuration
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443

    SSLEnable
    KeyFile /opt/IBM/IBMHTTPD/conf/NSEVAGSStagingWeb1.kdb
    SSLStashfile /opt/IBM/IBMHTTPD/conf/NSEVAGSStagingWeb1.sth

    SSLDisable
    RewriteEngine on
    RewriteRule ^/$ /aveksa/main [L,R]
    RedirectMatch ^/$ /aveksa/main
    RedirectMatch ^/aveksa$ /aveksa/main

     

     

    Plugin log error when hit using https

    Plugin error stag


    [28/Jul/2016:12:34:24.93573] 000011fc 9d655700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_SOCKET_CLOSED(gsk rc = 420) PARTNER CERTIFICATE DN=No Information Available, Serial=No Information Available
    [28/Jul/2016:12:34:24.93593] 000011fc 9d655700 - ERROR: ws_common: websphereGetStream: Could not open stream
    [28/Jul/2016:12:34:24.93601] 000011fc 9d655700 - ERROR: ws_common: websphereExecute: Failed to create the stream
    [28/Jul/2016:12:34:24.93604] 000011fc 9d655700 - ERROR: ws_server: serverSetFailoverStatus: Marking NSEVAGSStagingApp2Node01_NSEVAGSStaging2 down
    [28/Jul/2016:12:34:24.93606] 000011fc 9d655700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'NSEVAGSStagingApp2Node01_NSEVAGSStaging2' on host 'NSEVAGSStagingApp2:8444'; will try another one
    [28/Jul/2016:12:34:24.94818] 000011fc 9d655700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE DN=CN=server,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US, Serial=54:8e:13:05:82:8c:83:0b:97:23:d3:9f:3e:8c:19:50:90:da:a1:30
    [28/Jul/2016:12:34:24.94830] 000011fc 9d655700 - ERROR: ws_common: websphereGetStream: Could not open stream
    [28/Jul/2016:12:34:24.94836] 000011fc 9d655700 - ERROR: ws_common: websphereExecute: Failed to create the stream
    [28/Jul/2016:12:34:24.94844] 000011fc 9d655700 - ERROR: ws_server: serverSetFailoverStatus: Marking NSEVAGSStagingApp1Node01_NSEVAGSStaging1 down
    [28/Jul/2016:12:34:24.94847] 000011fc 9d655700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'NSEVAGSStagingApp1Node01_NSEVAGSStaging1' on host 'NSEVAGSStagingApp1:8444'; will try another one
    [28/Jul/2016:12:34:24.94850] 000011fc 9d655700 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find an app server to handle this request
    [28/Jul/2016:12:34:24.94852] 000011fc 9d655700 - ERROR: ESI: getResponse: failed to get response: rc = 2
    [28/Jul/2016:12:34:24.94855] 000011fc 9d655700 - ERROR: ws_common: websphereHandleRequest: Failed to handle request
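
The plug-in errors above pair each failed GSKit handshake with the backend it was aimed at. The following is an added example, not part of the original post, that correlates the two line types per thread so the certificate being rejected is tied to a host and port. The sample lines are constructed in the same format with placeholder host names and DN; treating the two hex fields as process and thread ids, and the hint texts, are assumptions.

```python
import re

# Constructed sample in the format of the plug-in log quoted in the post
# (host names, DN and serial are placeholders, not values from the thread).
SAMPLE_LOG = """\
[28/Jul/2016:12:34:24.93573] 000011fc 9d655700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_SOCKET_CLOSED(gsk rc = 420) PARTNER CERTIFICATE DN=No Information Available, Serial=No Information Available
[28/Jul/2016:12:34:24.93606] 000011fc 9d655700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'node2_server2' on host 'app2.example:8444'; will try another one
[28/Jul/2016:12:34:24.94818] 000011fc 9d655700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE DN=CN=server,OU=Test,O=Example,C=US, Serial=01:02:03
[28/Jul/2016:12:34:24.94847] 000011fc 9d655700 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'node1_server1' on host 'app1.example:8444'; will try another one
[28/Jul/2016:12:34:24.94850] 000011fc 9d655700 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find an app server to handle this request
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<pid>\w+) (?P<tid>\w+) - ERROR: (?P<msg>.*)$")
GSK_RE = re.compile(r"(GSK_ERROR_\w+)\(gsk rc = (\d+)\) PARTNER CERTIFICATE DN=(.*), Serial=(.*)$")
HOST_RE = re.compile(r"Failed to execute the transaction to '([^']+)' on host '([^']+)'")

# Triage hints (wording is this example's own, based on the error names).
HINTS = {
    414: "partner certificate rejected: check its signer is in the plug-in key database",
    420: "peer closed the socket during the handshake",
}

def correlate(log_text):
    """Return (findings, no_backend): handshake failures tied to hosts, and
    the number of requests for which no app server was left to try."""
    pending = {}    # (pid, tid) -> last handshake failure seen on that thread
    findings, no_backend = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, msg = (m["pid"], m["tid"]), m["msg"]
        gsk = GSK_RE.search(msg)
        if gsk:
            rc = int(gsk[2])
            pending[key] = {"error": gsk[1], "rc": rc, "partner_dn": gsk[3],
                            "serial": gsk[4], "hint": HINTS.get(rc, "unmapped rc")}
            continue
        host = HOST_RE.search(msg)
        if host and key in pending:
            findings.append({**pending.pop(key), "server": host[1], "host": host[2]})
        elif "Failed to find an app server" in msg:
            no_backend += 1
    return findings, no_backend
```
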



     

     

     



  • 2.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Tue August 02, 2016 10:09 AM

    If this is integrated within WebSphere ISC, can you do this on the console?

    Web servers> servername -> Plug-in properties

    Hit the button Copy to Web Server key store directory

     

     



  • 3.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Tue August 02, 2016 01:41 PM

    Hi

     

    It's quite simple: copy the files trust.p12 and key.p12 from the WAS app server to the plugin key store dir.

     

    Thanks

    Gautam

    Sr. Middleware Technology Architect / Consultant

    +919791064487

     



  • 4.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Wed August 03, 2016 04:15 PM

    If we have an ND environment, then which trust.p12 and key.p12 do we need to use? From the deployment manager or the node?

    I am running WAS 8.5.5 and running into this issue since we run Apache as the web server/plugin and it is not part of the DM.



  • 5.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 04, 2016 03:19 AM

    I have added those root/node certs to the plugin kdb and restarted/generated the plugin, but it is still not working.

    Note:

    IHS is on one box and app/ dmgr are on another box.



  • 6.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 04, 2016 06:03 AM

    [28/Jul/2016:12:34:24.94818] 000011fc 9d655700 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE DN=CN=server,OU=Aveksa,O=Aveksa,L=Waltham,ST=Massachusetts,C=US, Serial=54:8e:13:05:82:8c:83:0b:97:23:d3:9f:3e:8c:19:50:90:da:a1:30  
      plugin does not like the cert(s) in play8:28:17 PM

    As per the above error there are two possible reasons. One, the application server cert is corrupted; we can rule this out if the application is accessible on the AppServer secure port number without any security exceptions.
    Second reason: I am assuming the WebServer and AppServer are on the same machine and you requested the cert with the webserver kdb, then converted the kdb to p12 and are using it for the AppServer. In this case the cert might have been corrupted.

    Redoing SSL and exchanging certs should address the issue.



  • 7.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 04, 2016 10:56 AM

    Verify that the request is trying to go to the SSL port on the AppServer.  It looks like you're using a self-signed cert, so you need to add the root certificate to the NodeDefaultKeyStore as well.  There are many ways to handle this. One way, if your IHS is running port 443 fine, is to use the "retrieve from port" option to get the signer; you can find this in the WAS docs.



  • 8.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Wed August 10, 2016 11:47 AM

    Have you recopied the plugin-key.kdb file?  In the WAS console you can do this via Web Servers - [your server] - Plug-in Properties, then click Copy to Web server Key store directory.  

    This is typically how we solve this problem.  You showed your virtual host section for Apache/IHS, but it's getting past that and being handed off to the plugin, which has its own key database file.  



  • 9.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 11, 2016 01:25 AM

    Hi, thanks for the response; however, the issue still persists.

    The request is not reaching the app server if we use https.

    The https URL works fine if we hit the application server directly.

    Additionally, I have added the root cert to the IHS server and also to the plug-in.kdb (I mean signer certificates).

     

    Please advise if there is any way to resolve it

     

     



  • 10.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 11, 2016 01:34 AM

    Have a look at this techdoc:

    http://www-01.ibm.com/support/docview.wss?uid=swg21678983



  • 11.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 11, 2016 01:39 AM

    As a last resort, you can disable https communications between the plug-in and the application server.

    If you need help for this, let me know.



  • 12.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 11, 2016 02:03 AM

    Hi,

     

    I have already tried the tech notes which you provided but it didn't work.



  • 13.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 11, 2016 02:15 AM

    As I told you, you can disable the https communications between the IHS plug-in and the application server. In this way, you can bypass your issue, and the application would be available via HTTPS.



  • 14.  SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 11, 2016 08:13 AM
    Yes, by disabling https manually it does work, but the next application deployment or new plugin generation will create the same issue, and manual intervention is required again to disable https.

    Is there any way to disable https during plugin generation?


    Thanks,
    Keyur Patel
    (847) 442-9671



  • 15.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 11, 2016 08:40 AM

    Of course there is a way.

    Please check the following technote:

    http://www-01.ibm.com/support/docview.wss?uid=swg21452735



  • 16.  RE: SSL/HTTPS issue in WAS 8.5.4

    Posted Thu August 11, 2016 08:58 AM

    Check to make sure the plugin key database is being updated.  You can also delete it from the plugin folder then have the WAS console recopy.  I can't imagine this being more of an issue than that.  Also you can run some commands (ikeyman or gsk7cmd) against the plugin key file to take a look at the keys that are in it.  Most of the issues are just a disconnect between what you see in the WAS console and what is in the actual key file.  

    Disabling HTTPS between the plugin and WebSphere would work, but that opens up security holes which you may or may not care about.
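
The thread turns on two facts about the generated plug-in configuration: the plug-in uses its own key database, and removing the https transports leaves plug-in-to-app-server traffic in plaintext. The following is an added example, not part of any post, that reads a plugin-cfg.xml and reports which key database each https transport points at and which servers have no https transport at all. The sample document is constructed with placeholder names and paths; the `Transport`/`Protocol` and `keyring` property names are those of a generated plugin-cfg.xml.

```python
import xml.etree.ElementTree as ET

# Constructed plugin-cfg.xml fragment (host names and paths are placeholders).
SAMPLE_CFG = """<Config>
  <ServerCluster Name="cluster_a">
    <Server Name="node1_server1">
      <Transport Hostname="app1.example" Port="9080" Protocol="http"/>
      <Transport Hostname="app1.example" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/opt/plugins/config/web1/plugin-key.kdb"/>
        <Property Name="stashfile" Value="/opt/plugins/config/web1/plugin-key.sth"/>
      </Transport>
    </Server>
    <Server Name="node2_server2">
      <Transport Hostname="app2.example" Port="9080" Protocol="http"/>
    </Server>
    <PrimaryServers>
      <Server Name="node1_server1"/>
      <Server Name="node2_server2"/>
    </PrimaryServers>
  </ServerCluster>
</Config>"""

def audit_transports(cfg_xml):
    """Return (keyrings, plaintext_only, missing_keyring) for a plugin-cfg.xml text.

    keyrings        - key database paths the plug-in will actually open
    plaintext_only  - servers reachable from the plug-in over http only
    missing_keyring - https transports with no keyring property
    """
    root = ET.fromstring(cfg_xml)
    keyrings, plaintext_only, missing_keyring = set(), [], []
    # Only direct children of ServerCluster define transports; the Server
    # entries under PrimaryServers are name references and are skipped.
    for server in root.findall("./ServerCluster/Server"):
        https = [t for t in server.findall("Transport")
                 if t.get("Protocol", "").lower() == "https"]
        if not https:
            plaintext_only.append(server.get("Name"))
        for t in https:
            props = {p.get("Name"): p.get("Value") for p in t.findall("Property")}
            if props.get("keyring"):
                keyrings.add(props["keyring"])
            else:
                missing_keyring.append(f'{t.get("Hostname")}:{t.get("Port")}')
    return keyrings, plaintext_only, missing_keyring
```

The reported key database path is the file to inspect with ikeyman or gsk7cmd when checking that the app server's signer is present.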