Hi,

We are repeatedly (> once/sec ) seeing the following Warning messages in the Reverse proxy Log:

2020-11-10-08:48:39.800+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3611122700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;xx.xx.xx.xx;-).
2020-11-10-08:48:40.450+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3610cd1700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;yy.yy.yy.yy;-).
2020-11-10-08:48:41.571+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3610a47700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;yy.yy.yy.yy;-).

The xx.xx.xx.xx Ip-adress is the internal Kubernetes address for the Pod, and yy.yy.yy.yy is the host adress of the server running the worker node.

We have not enabled client certificate authentication.
What does "check the WebSEAL server certificate" imply?

What/where to check and what action to perform depending on the check?

Is there some other log we can inspect to see what the failed 'incoming' request is?

Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Original Message:
Sent: 11/10/2020 4:19:00 AM
From: Anders Domeij
Subject: ISVA 10.0 on Kubernetes -- Reverse Proxy SSL warnings in log

Hi,

We are repeatedly (> once/sec ) seeing the following Warning messages in the Reverse proxy Log:

2020-11-10-08:48:39.800+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3611122700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;xx.xx.xx.xx;-).
2020-11-10-08:48:40.450+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3610cd1700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;yy.yy.yy.yy;-).
2020-11-10-08:48:41.571+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3610a47700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;yy.yy.yy.yy;-).

The xx.xx.xx.xx Ip-adress is the internal Kubernetes address for the Pod, and yy.yy.yy.yy is the host adress of the server running the worker node.

We have not enabled client certificate authentication.
What does "check the WebSEAL server certificate" imply?

What/where to check and what action to perform depending on the check?

Is there some other log we can inspect to see what the failed 'incoming' request is?

Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Thanks Scott,

Any idea(s) of how to track down 'something' in a reverse proxy (or other) log?

Rgds

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Original Message:
Sent: Tue November 10, 2020 04:47 AM
From: Scott Exton
Subject: ISVA 10.0 on Kubernetes -- Reverse Proxy SSL warnings in log

Anders,

 

To me this looks like something might be trying to access the https port using http. 

 

 

Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor

Phone: 61-7-5552-4008 E-mail: scotte@au1.ibm.com	1 Corporate Court Bundall, QLD 4217 Australia

 

 

Original Message:
Sent: 11/10/2020 4:19:00 AM
From: Anders Domeij
Subject: ISVA 10.0 on Kubernetes -- Reverse Proxy SSL warnings in log

Hi,

We are repeatedly (> once/sec ) seeing the following Warning messages in the Reverse proxy Log:

2020-11-10-08:48:39.800+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3611122700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;xx.xx.xx.xx;-).
2020-11-10-08:48:40.450+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3610cd1700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;yy.yy.yy.yy;-).
2020-11-10-08:48:41.571+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3610a47700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;yy.yy.yy.yy;-).

The xx.xx.xx.xx Ip-adress is the internal Kubernetes address for the Pod, and yy.yy.yy.yy is the host adress of the server running the worker node.

We have not enabled client certificate authentication.
What does "check the WebSEAL server certificate" imply?

What/where to check and what action to perform depending on the check?

Is there some other log we can inspect to see what the failed 'incoming' request is?

Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Original Message:
Sent: 11/10/2020 6:52:00 AM
From: Anders Domeij
Subject: RE: ISVA 10.0 on Kubernetes -- Reverse Proxy SSL warnings in log

Thanks Scott,

Any idea(s) of how to track down 'something' in a reverse proxy (or other) log?

Rgds

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Original Message:
Sent: Tue November 10, 2020 04:47 AM
From: Scott Exton
Subject: ISVA 10.0 on Kubernetes -- Reverse Proxy SSL warnings in log

Anders,

 

To me this looks like something might be trying to access the https port using http. 

 

 

Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor

Phone: 61-7-5552-4008 E-mail: scotte@au1.ibm.com	1 Corporate Court Bundall, QLD 4217 Australia

 

 

Original Message:
Sent: 11/10/2020 4:19:00 AM
From: Anders Domeij
Subject: ISVA 10.0 on Kubernetes -- Reverse Proxy SSL warnings in log

Hi,

We are repeatedly (> once/sec ) seeing the following Warning messages in the Reverse proxy Log:

2020-11-10-08:48:39.800+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3611122700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;xx.xx.xx.xx;-).
2020-11-10-08:48:40.450+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3610cd1700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;yy.yy.yy.yy;-).
2020-11-10-08:48:41.571+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3610a47700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;yy.yy.yy.yy;-).

The xx.xx.xx.xx Ip-adress is the internal Kubernetes address for the Pod, and yy.yy.yy.yy is the host adress of the server running the worker node.

We have not enabled client certificate authentication.
What does "check the WebSEAL server certificate" imply?

What/where to check and what action to perform depending on the check?

Is there some other log we can inspect to see what the failed 'incoming' request is?

Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Thanks Scott,

I will doublecheck the lveliness probe settings in Kubernetes, and also see if the Loadbalancer migt be using a http 'are you alive' check.

Rgds

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------

Original Message:
Sent: Tue November 10, 2020 03:03 PM
From: Scott Exton
Subject: ISVA 10.0 on Kubernetes -- Reverse Proxy SSL warnings in log

Anders,

 

Unfortunately there are no WebSEAL log files which can be used to track down the client as the connection fails to be established.  The fact that this occurs so frequently would indicate that there is some bot in your environment which is sending these requests.  Have you double checked the liveness and readiness probes to ensure that they are using https and not http?

 

 

Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor

Phone: 61-7-5552-4008 E-mail: scotte@au1.ibm.com	1 Corporate Court Bundall, QLD 4217 Australia

 

 

Original Message:
Sent: 11/10/2020 6:52:00 AM
From: Anders Domeij
Subject: RE: ISVA 10.0 on Kubernetes -- Reverse Proxy SSL warnings in log

Thanks Scott,

Any idea(s) of how to track down 'something' in a reverse proxy (or other) log?

Rgds

------------------------------
Anders Domeij
CGI Sweden AB

Original Message:
Sent: Tue November 10, 2020 04:47 AM
From: Scott Exton
Subject: ISVA 10.0 on Kubernetes -- Reverse Proxy SSL warnings in log

Anders,

 

To me this looks like something might be trying to access the https port using http. 

 

 

Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor

Phone: 61-7-5552-4008 E-mail: scotte@au1.ibm.com	1 Corporate Court Bundall, QLD 4217 Australia

 

 

Original Message:
Sent: 11/10/2020 4:19:00 AM
From: Anders Domeij
Subject: ISVA 10.0 on Kubernetes -- Reverse Proxy SSL warnings in log

Hi,

We are repeatedly (> once/sec ) seeing the following Warning messages in the Reverse proxy Log:

2020-11-10-08:48:39.800+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3611122700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;xx.xx.xx.xx;-).
2020-11-10-08:48:40.450+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3610cd1700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;yy.yy.yy.yy;-).
2020-11-10-08:48:41.571+00:00I----- 0x38AD54CB webseald WARNING wiv ssl WsSslListener.cpp 1386 0x7f3610a47700
DPWIV1227W WebSEAL could not establish a secure connection with an incoming client. If client certificate authentication is not enabled check the WebSEAL server certificate (Function call: gsk_secure_soc_init; failed error: 0x19a GSK_ERROR_BAD_MESSAGE;yy.yy.yy.yy;-).

The xx.xx.xx.xx Ip-adress is the internal Kubernetes address for the Pod, and yy.yy.yy.yy is the host adress of the server running the worker node.

We have not enabled client certificate authentication.
What does "check the WebSEAL server certificate" imply?

What/where to check and what action to perform depending on the check?

Is there some other log we can inspect to see what the failed 'incoming' request is?

Thanks in advance

------------------------------
Anders Domeij
CGI Sweden AB
------------------------------