IBM Security Verify

  • 1.  SSL trust from reverse proxy to runtime error

    Posted Tue September 20, 2022 10:16 AM

    Hi,
    we are seeing the following message repeatedly in the RP log

    {"instant":{"epochSecond":1663681408},"threadId":"0x7fd27cae0700","level":"ERROR","loggerName":"webseald","component":"wwa.soap","message_id":"0x38CF0B23","source":{"file":"AMWSOAPCall.cpp","line":434}, "content":"DPWWA2851E An error was returned from the SOAP server in cluster cluster1 when calling the ping interface: DPWIV1217W SSL connection error. (pd \/ wiv) (code: 0x38ad54c1)."}

    If I go to the reverse proxy instance command line and do

    [isam@isva-1-3-isvawrp-webseal-6dc9bcd5b9-dt2fx /]$ curl https://isva-1-3-isvaruntime:9443/mga
    curl: (60) SSL certificate problem: self signed certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above.
    The certificate is not recognized :-(

    Whereas

    [isam@isva-1-3-isvawrp-webseal-6dc9bcd5b9-dt2fx /]$ curl -k https://isva-1-3-isvaruntime:9443/mga
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta content="en-us" name="DC.Language" />
    <!-- All rights reserved. Licensed Materials Property of IBM -->
    <!-- US Government Users Restricted Rights -->
    <!-- Use, duplication or disclosure restricted by -->
    <!-- GSA ADP Schedule Contract with IBM Corp. -->
    <meta name="copyright" content="(C) Copyright IBM Corporation 2013" />
    <meta name="DC.rights.owner"
    content="(C) Copyright IBM Corporation 2013" />
    <meta name="DC.Title"
    content="WebSphere Application Server Version V8.5 Liberty Profile - Context Root Not Found" />
    <title data-externalizedString="CONTEXT_ROOT_NOT_FOUND"></title>
    <style>
    body {

    seemingly works, as it returns some HTML indicating to me, at least, that mga is installed in the runtime component.

    How do I update the trust to the runtime server?


    Thanks in advance
    Anders



    ------------------------------
    Anders Domeij
    CGI Sweden AB
    ------------------------------


  • 2.  RE: SSL trust from reverse proxy to runtime error

    Posted Tue September 20, 2022 05:50 PM

    Anders,

     

    In order to add trust for the runtime server you need to add the signer certificate to the key file which is defined by the ssl-keyfile configuration entry in your cluster configuration stanza.  If the keyfile configuration entry is not present in that stanza WebSEAL will default to the ssl-keyfile configuration entry in the 'ssl' stanza.

     

    I hope that this helps.

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor







  • 3.  RE: SSL trust from reverse proxy to runtime error

    Posted Wed September 21, 2022 09:58 AM
    Hi Scott,

    Thanks for the swift answer.
    We don't have a designated .kdb file for the runtime server; all certificates are in the "standard" locations found in the System->SSL settings menu.

    So to amend my question -- how do I retrieve the certificate from the runtime server in a containerized (Kubernetes/Docker) environment, and what standard key file should I update?

    Thanks in advance
    Anders

    ------------------------------
    Anders Domeij
    CGI Sweden AB
    ------------------------------



  • 4.  RE: SSL trust from reverse proxy to runtime error

    Posted Thu September 22, 2022 04:28 PM

    Anders,

     

    There is always a designated SSL file which is used.  If you don't specifically set one in the cluster stanza it will default to the SSL file which is specified in the ssl stanza.

     

    There are a number of ways in which you can retrieve the SSL file from the runtime server:

    1. Use the 'load' functionality from the LMI (i.e. open the destination SSL key file, open the signer certificates tab, and select 'load' from the menu).
    2. Export the certificate from the runtime key file using the LMI, and then import this certificate into the destination keyfile.

     

    I hope that this helps.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

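Added example (mine, not from the thread or from IBM): a small Python script that picks the failing cluster name out of the DPWWA2851E/DPWIV1217W log entry quoted in the first post and then applies the precedence rule from the replies to a sample WebSEAL configuration, to find which key file must receive the runtime signer certificate. The `[tfim-cluster:<name>]` stanza name, the configuration text and `pdsrv.kdb` as the default key file are assumptions for illustration.

```python
"""Added example: find the cluster whose SOAP ping fails with an SSL error, then
resolve its key file: cluster stanza ssl-keyfile if set, else [ssl] ssl-keyfile."""
import configparser
import json
import re

# Constructed sample: the log line quoted in the thread plus one unrelated entry.
LOG_LINES = [
    '{"instant":{"epochSecond":1663681408},"level":"ERROR","loggerName":"webseald",'
    '"component":"wwa.soap","message_id":"0x38CF0B23","content":"DPWWA2851E An error was '
    'returned from the SOAP server in cluster cluster1 when calling the ping interface: '
    'DPWIV1217W SSL connection error. (pd \\/ wiv) (code: 0x38ad54c1)."}',
    '{"instant":{"epochSecond":1663681410},"level":"NOTICE","loggerName":"webseald","component":"wwa","message_id":"0x38CF0A00","content":"DPWWA1001I Server started."}',
]

# Constructed sample config (stanza names assumed): [ssl] holds the default key
# file, cluster1 inherits it, cluster2 overrides it with its own ssl-keyfile.
WEBSEAL_CONF = """
[ssl]
ssl-keyfile = pdsrv.kdb
[tfim-cluster:cluster1]
server = 9,https://isva-1-3-isvaruntime:9443/mga
[tfim-cluster:cluster2]
server = 9,https://other-runtime:9443/mga
ssl-keyfile = cluster2.kdb
"""

SOAP_SSL_RE = re.compile(r"DPWWA2851E .* in cluster (\S+) .*DPWIV1217W")

def failing_clusters(lines):
    """Cluster names from entries where the SOAP ping failed with an SSL error."""
    found = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (e.g. partial writes)
        m = SOAP_SSL_RE.search(entry.get("content", ""))
        if m and m.group(1) not in found:
            found.append(m.group(1))
    return found

def keyfile_for_cluster(conf_text, cluster):
    """Return (stanza, keyfile): the cluster stanza's ssl-keyfile if set, else [ssl]'s."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    stanza = f"tfim-cluster:{cluster}"
    if cp.has_option(stanza, "ssl-keyfile"):
        return stanza, cp.get(stanza, "ssl-keyfile")
    return "ssl", cp.get("ssl", "ssl-keyfile")
```

For the sample, cluster1 resolves to pdsrv.kdb from the [ssl] stanza, i.e. the "standard" key file the question asked about, while cluster2 would need its own cluster2.kdb updated instead.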