Yup, I saw the message earlier in an email which had blocked the screenshot. Looking at the screenshot you shared online rang a bell and I was able to download the three certificates and import them. Now I am able to access https://resource-server-demo.verify.ibm.com/ through a junction and will try to repeat the process with other sites as needed.
Original Message:
Sent: Thu August 15, 2024 08:28 AM
From: Philip Nye
Subject: Cookbook for creating a standard junction
Further to your DM, you can get the certificate by navigating to the site in your standard browser, and viewing the certificate (click on the padlock in the URL bar) and downloading it from there. My screenshot above was from Firefox.
------------------------------
Philip Nye
Senior Product Manager - IBM Verify
Original Message:
Sent: Thu August 15, 2024 07:56 AM
From: Philip Nye
Subject: Cookbook for creating a standard junction
Hi Narayan,
It's possibly network related - given it works - as you've said in the containers, but be sure to include all three certificates in your pdsrv keystore - you can download them in your browser.
And then - most importantly restart the reverse proxy after adding the certs and deploying the changes.
There isn't much more to it - assuming you've done the SNI settings.
------------------------------
Philip Nye
Senior Product Manager - IBM Verify
Original Message:
Sent: Thu August 15, 2024 07:46 AM
From: Narayan Verma
Subject: Cookbook for creating a standard junction
Thanks Philip!
I created a junction named ibmdemo for https://resource-server-demo.verify.ibm.com/ on my container based installation and it works well - possibly because it has the necessary certificates from some previous testing. However, I get the following error when trying to create it on my appliance based application:
System Warning
DPWWA1222E A third-party server is not responding. Possible causes: the server is down, there is a hung application on the server, or network problems. This is not a problem with the WebSEAL server.
DPWIV1216E The junctioned server presented an invalid certificate.
DPWWM1432W
NOTE: Ensure the CA root certificate used to sign the junctioned server certificate is installed in the WebSEAL certificate key database.
Created junction at /ibmdemo
Also, I get the below runtime error when accessing it:
Third-party server not responding
The resource you have requested is located on a third-party server. Access Manager has attempted to send your request to that server, but it is not responding.
Could you please share the link to the video/cookbook or any write-up for identifying/getting the necessary certificates and installing them into ISVA?
Thanks,
Narayan
------------------------------
Narayan Verma
Original Message:
Sent: Thu August 15, 2024 02:38 AM
From: Philip Nye
Subject: Cookbook for creating a standard junction
Hey Narayan,
Be sure to restart the Reverse Proxy after importing the certificate, as only then will it pick up the latest files.
Additionally, we have a demo 'resource server' - https://resource-server-demo.verify.ibm.com/
And I've had issues in the past configuring it - and it was related to not supplying SNI headers to the backend server.
You can see the SNI settings at the bottom.
And you should get a nice useful output of headers and so forth:
------------------------------
Philip Nye
IBM
Gold Coast
Original Message:
Sent: Wed August 14, 2024 05:13 PM
From: Narayan Verma
Subject: Cookbook for creating a standard junction
Could someone please share a cookbook for creating a standard junction, specifically for an external site like IBM.com or Microsoft.com for testing purposes?
At some point I saw a video describing this process with microsoft.com and I utilized it successfully for a container based app. I am trying to do the same for an appliance based installation and am currently stuck at importing the CA certificates for the public site into the ISVA and am getting the following error when hitting the junction:
DPWWA1222E A third-party server is not responding. Possible causes: the server is down, there is a hung application on the server, or network problems. This is not a problem with the WebSEAL server.
DPWIV1216E The junctioned server presented an invalid certificate.
DPWWM1432W
NOTE: Ensure the CA root certificate used to sign the junctioned server certificate is installed in the WebSEAL certificate key database.
Created junction at /ms
Thanks,
Narayan
------------------------------
Narayan Verma
------------------------------
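The DPWIV1216E error and the "include all three certificates" advice in the thread above come down to certificate chain building. The following is an added example, not part of the original thread and not IBM's code. It assumes the `openssl` CLI as a stand-in for the reverse proxy's validation, and every name and certificate in it is constructed for the demo.

```shell
#!/bin/sh
# Added example. All names and certificates below are constructed for the demo.
set -eu

csr() {  # csr <dir> <name> <CN>: new key plus certificate request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_chain() {  # make_chain <dir>: throwaway root -> intermediate -> server chain
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"
  csr "$d" root "Demo Root CA"
  csr "$d" int "Demo Intermediate CA"
  csr "$d" leaf "backend.example.test"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

is_self_signed() {  # true when subject == issuer, i.e. the root of the chain
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$s" = "$i" ]
}

chain_ok() {  # chain_ok <trust-store.pem> <server.pem> [certs sent by server]
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

WORK=$(mktemp -d)
make_chain "$WORK"
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/store_full.pem"

for c in root int leaf; do
  is_self_signed "$WORK/$c.pem" && echo "$c: self-signed root" || echo "$c: issued by another CA"
done
chain_ok "$WORK/int.pem" "$WORK/leaf.pem" || echo "intermediate only: rejected"
chain_ok "$WORK/root.pem" "$WORK/leaf.pem" || echo "root only, server sends no chain: rejected"
chain_ok "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem" && echo "root only, server sends intermediate: ok"
chain_ok "$WORK/store_full.pem" "$WORK/leaf.pem" && echo "root + intermediate in store: ok"
```

Against certificates exported from a browser, `is_self_signed` identifies which file is the root, and `chain_ok` shows whether a candidate trust store is complete before it is imported.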