IBM Verify

  • 1.  Cookbook for creating a standard junction

    Posted 23 days ago

    Could someone please share a cookbook for creating a standard junction, specifically for an external site like IBM.com or Microsoft.com for testing purposes?

    At some point I saw a video describing this process with microsoft.com and I utilized it successfully for a container-based app. I am trying to do the same for an appliance-based installation and am currently stuck at importing the CA certificates for the public site into the ISVA and am getting the following error when hitting the junction:

    DPWWA1222E A third-party server is not responding. Possible causes: the server is down, there is a hung application on the server, or network problems. This is not a problem with the WebSEAL server.
    DPWIV1216E The junctioned server presented an invalid certificate.

    DPWWM1432W
    NOTE: Ensure the CA root certificate used to sign the junctioned server certificate is installed in the WebSEAL certificate key database.
    Created junction at /ms

    Thanks,

    Narayan



    ------------------------------
    Narayan Verma
    ------------------------------


  • 2.  RE: Cookbook for creating a standard junction

    Posted 23 days ago
    Edited by Philip Nye 23 days ago

    Hey Narayan, 

    Be sure to restart the Reverse Proxy after importing the certificate, as only then will it pick up the latest files. 

    Additionally, we have a demo 'resource server' - https://resource-server-demo.verify.ibm.com/

    And I've had issues in the past configuring it - and it was related to not supplying SNI headers to the backend server. 

    You can see the SNI settings at the bottom. 

    And you should get a nice useful output of headers and so forth:



    ------------------------------
    Philip Nye
    IBM
    Gold Coast
    ------------------------------



  • 3.  RE: Cookbook for creating a standard junction

    Posted 23 days ago

    Thanks Philip!

    I created a junction named ibmdemo for https://resource-server-demo.verify.ibm.com/ on my container-based installation and it works well - possibly because it has the necessary certificates from some previous testing. However, I get the following error when trying to create it on my appliance-based application:

    System Warning

    DPWWA1222E A third-party server is not responding. Possible causes: the server is down, there is a hung application on the server, or network problems. This is not a problem with the WebSEAL server.
    DPWIV1216E The junctioned server presented an invalid certificate.

    DPWWM1432W
    NOTE: Ensure the CA root certificate used to sign the junctioned server certificate is installed in the WebSEAL certificate key database.
    Created junction at /ibmdemo

    Also, I get the below runtime error when accessing it:

    Third-party server not responding
    The resource you have requested is located on a third-party server. Access Manager has attempted to send your request to that server, but it is not responding.
    Could you please share the link to the video/cookbook or any write-up for identifying/getting the necessary certificates and installing them into ISVA?
    Thanks,
    Narayan


    ------------------------------
    Narayan Verma
    ------------------------------



  • 4.  RE: Cookbook for creating a standard junction

    Posted 23 days ago

    Hi Narayan, 

    It's possibly network related - given it works, as you've said, in the containers - but be sure to include all three certificates in your pdsrv keystore - you can download them in your browser.

    And then - most importantly restart the reverse proxy after adding the certs and deploying the changes. 

    There isn't much more to it - assuming you've done the SNI settings. 



    ------------------------------
    Philip Nye
    Senior Product Manager - IBM Verify
    ------------------------------



  • 5.  RE: Cookbook for creating a standard junction

    Posted 23 days ago

    Further to your DM, you can get the certificate by navigating to the site in your standard browser, and viewing the certificate (click on the padlock in the URL bar) and downloading it from there. My screenshot above was from Firefox. 



    ------------------------------
    Philip Nye
    Senior Product Manager - IBM Verify
    ------------------------------



  • 6.  RE: Cookbook for creating a standard junction

    Posted 23 days ago

    Yup, I saw the message earlier in an email which had blocked the screenshot.  Looking at the screenshot you shared online rang a bell and I was able to download the three certificates and import them.  Now I am able to access https://resource-server-demo.verify.ibm.com/ through a junction and will try to repeat the process with other sites as needed.

    Thanks a lot for your help, truly appreciate it!

    Regards,

    Narayan



    ------------------------------
    Narayan Verma
    ------------------------------
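
Added example, not from the thread or from IBM: a shell helper that saves the certificates a backend presents when SNI is supplied, so the issuers that must be in the reverse proxy's keystore can be identified. The function names, the sample output and the host names inside it are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Collect the certificates a junctioned
# backend presents so the issuing CAs can be identified and imported.

# Split PEM blocks read from stdin into DIR/cert-1.pem, cert-2.pem, ...
# and print how many certificates were written.
split_chain() {
  awk -v dir="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END                           { print n + 0 }'
}

# Fetch what HOST sends on port 443 and split it into OUTDIR. -servername sets
# the SNI value; without it a shared backend may answer with another certificate.
# Needs network access, so the offline demo below does not call it.
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts \
    </dev/null 2>/dev/null | split_chain "$2"
}

# Print subject and issuer of each saved file. A certificate whose subject
# equals its issuer is a self-signed root.
describe_chain() {
  for f in "$1"/cert-*.pem; do
    echo "== $f"; openssl x509 -in "$f" -noout -subject -issuer
  done
}

# Constructed sample shaped like `s_client -showcerts` output; the bodies are
# placeholders, not real certificates, so only split_chain is run on it.
sample_output() {
  cat <<'EOF'
Certificate chain
 0 s:CN = backend.example.test
   i:CN = Constructed Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAF
-----END CERTIFICATE-----
 1 s:CN = Constructed Intermediate CA
   i:CN = Constructed Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERINTERMEDIATE
-----END CERTIFICATE-----
EOF
}

demo_dir=$(mktemp -d)
demo_count=$(sample_output | split_chain "$demo_dir")
echo "wrote $demo_count certificate file(s) to $demo_dir"
```

Run `fetch_chain resource-server-demo.verify.ibm.com ./certs` and then `describe_chain ./certs` from a machine that can reach the backend. Servers usually leave the root out of what they send, so the root CA still comes from a trusted source such as the browser export described in the thread.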