IBM Verify

  • 1.  ISAM9-Docker: Issue in SSL junction creation for non-microservice backend servers

    Posted Tue March 09, 2021 08:17 PM
    Hi Team,

    We have the ISAM Docker 9072 version in an AWS EKS environment with the Istio proxy for ingress/egress traffic.

    My backend application is deployed on a WAS cluster which is fronted by an AWS ALB. Traffic flows like below:
    Istio ingress --> ISAM --> Istio egress --> AWS ALB --> WAS cluster

    When we try to create a non-SSL junction for the backend app (ALB), we are able to create the junction, but traffic is still not flowing and we get 0x38cf04d7. However, when we try to create an SSL junction with the same backend (ALB), we get the error below:

    DPWWA1222E A third-party server is not responding. Possible causes: the server is down, there is a hung application on the server, or network problems. This is not a problem with the WebSEAL server.
    DPWIV1217W SSL connection error.
    From the WebSEAL msg log: DPWIV1228W WebSEAL could not establish a secure connection to the server, xxxx, for the /abc junction (Function call: gsk_secure_soc_init; failed error: 0x196 GSK_ERROR_IO).

    ALB and WAS are listening on the ports below:
    non-SSL port: 9080
    SSL port: 9443

    Since it is a Kubernetes/Istio environment I am not very sure how to trace SSL issues; any pointer would be a great help.

    Ideally Istio should be responsible for TLS security and do HTTPS between microservices. Here, we are trying to go from the ISAM WRP microservice to the ALB backend, so I am not sure:

    1) whether we should create an SSL or a non-SSL junction?
    2) what could be the reason that, when using a non-SSL junction, traffic is not flowing and we get the DPWWA1239E error?

    Please note that we did a curl from the ISAM WRP pod to the same backend and it was successful.

    ------------------------------
    Amitesh Singh
    ------------------------------


  • 2.  RE: ISAM9-Docker: Issue in SSL junction creation for non-microservice backend servers

    Posted Tue March 09, 2021 08:51 PM
    Amitesh,

    I believe that, due to the side-car approach of Istio, using a TCP junction instead of an SSL junction is acceptable. You will receive the DPWWA1239E error when WebSEAL is unable to connect to the specified server. When you tested the curl command from within the WRP pod, did you use HTTP or HTTPS? I would also check your junction definition, because if curl is succeeding from the pod when using HTTP there should be no reason for WebSEAL to fail.

    Thanks.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

  • 3.  RE: ISAM9-Docker: Issue in SSL junction creation for non-microservice backend servers

    Posted Tue March 09, 2021 09:25 PM
    Hi Scott,

    Thanks for your quick reply.

    My understanding is also the same: if using the Istio side-car, then the junction should be a TCP junction.

    I tested curl with HTTPS:

    curl -vi --cacert cpcacerts.cer https://cp-iwas-cluster-lb.xxxxxxxx:9443

    Do you need any other info on this to help me out?

    Appreciate your help.
    Thanks,
    Amitesh


    ------------------------------
    Amitesh Singh
    ------------------------------



  • 4.  RE: ISAM9-Docker: Issue in SSL junction creation for non-microservice backend servers

    Posted Tue March 09, 2021 09:29 PM
    Amitesh,

    Use curl to test connectivity to the HTTP endpoint from the WRP pod.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia

  • 5.  RE: ISAM9-Docker: Issue in SSL junction creation for non-microservice backend servers

    Posted Wed March 10, 2021 04:04 PM
    Hi Scott,

    I tested curl with HTTP as below and I am getting a connection reset issue.

    curl -vi http://cp-iwas-cluster-lb.xxxxx:9080

    * Rebuilt URL to: http://cp-iwas-cluster-lb.xxxxx:9080/
    * Trying 10.xx.xx.xxx...
    * TCP_NODELAY set
    * Connected to cp-iwas-cluster-lb.atm.spcp.gov.sg (10.xx.xx.xxx) port 9080 (#0)
    > GET / HTTP/1.1
    > Host: cp-iwas-cluster-lb.xxxx:9080
    > User-Agent: curl/7.61.1
    > Accept: */*
    >
    * Recv failure: Connection reset by peer
    * Closing connection 0
    curl: (56) Recv failure: Connection reset by peer

    ------------------------------
    Amitesh Singh
    ------------------------------
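The curl run above is worth reading closely: the TCP handshake to port 9080 completes ("Connected to ... port 9080"), and only then is the connection reset. That is a different failure from "connection refused" (nothing listening, or the backend down) and from a failed TLS handshake (the GSK_ERROR_IO seen on the SSL junction), and telling the three apart is the reason for testing from inside the WRP pod rather than from a workstation. The script below is an added example, not from this thread and not IBM code: it performs the same probe stage by stage and reports which stage failed. The localhost listeners it starts are constructed stand-ins for the ALB or a sidecar that accepts and then resets; the host and port values are assumptions. Run it with no arguments to see the four verdicts against the doubles, or with a host and port to probe a real junction target.

```python
"""Stage-by-stage connectivity probe for a WebSEAL junction target.

Added example, not from the forum thread and not IBM code.  It reproduces
the curl triage done from inside the WRP pod but reports *which* stage
failed: TCP connect refused, TCP accepted then reset, TLS handshake failed,
or OK.  The 127.0.0.1 listeners are constructed stand-ins for the ALB /
sidecar; host and port values are assumptions.  SO_LINGER packing assumes
Linux or macOS.
"""
import socket
import ssl
import struct
import sys
import threading


def probe(host, port, tls=False, timeout=3.0):
    """Return 'refused', 'timeout', 'reset_after_connect',
    'closed_after_connect', 'tls_handshake_failed' or 'ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    try:
        if tls:
            ctx = ssl.create_default_context()
            # Probe only: the question is whether a handshake completes at
            # all, so certificate trust is deliberately not evaluated here.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            try:
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except OSError:  # ssl.SSLError and resets during the handshake
                return "tls_handshake_failed"
        # Minimal HTTP/1.1 request, the same shape as the curl run above.
        req = f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
        sock.sendall(req.encode())
        data = sock.recv(1024)
        # A peer that sends RST raises ConnectionResetError (caught below);
        # a peer that closes cleanly with FIN hands back an empty read.
        return "ok" if data else "closed_after_connect"
    except ConnectionError:  # ECONNRESET / EPIPE after a successful connect
        return "reset_after_connect"
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()


def _serve_once(handler):
    """Start a one-shot 127.0.0.1 listener and return its port.
    Constructed test double; the handler decides how the 'backend' acts."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        try:
            handler(conn)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def _reset_handler(conn):
    """Read the request, then abort: SO_LINGER with a zero timeout makes
    close() send RST, which the client sees as 'Connection reset by peer'."""
    conn.recv(1024)
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))


def _plaintext_handler(conn):
    """Answer whatever arrives (an HTTP request or a TLS ClientHello) with a
    plaintext HTTP response; a TLS client fails its handshake on this."""
    conn.recv(1024)
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


def _closed_port():
    """Pick a port nothing is listening on (bind, read back, release)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def triage_demo():
    """Probe the constructed doubles; keys name the scenario being simulated."""
    return {
        "reset": probe("127.0.0.1", _serve_once(_reset_handler)),
        "ok": probe("127.0.0.1", _serve_once(_plaintext_handler)),
        "tls_to_plaintext": probe("127.0.0.1", _serve_once(_plaintext_handler), tls=True),
        "refused": probe("127.0.0.1", _closed_port()),
    }


if __name__ == "__main__":
    if len(sys.argv) >= 3:  # python3 probe.py <host> <port> [tls]
        print(probe(sys.argv[1], int(sys.argv[2]), tls=len(sys.argv) > 3))
    else:
        for scenario, verdict in triage_demo().items():
            print(f"{scenario}: {verdict}")
```

Inside the cluster this would be run from the WRP pod (for example `kubectl exec <wrp-pod> -- python3 probe.py cp-iwas-cluster-lb.xxxxx 9080`, pod name assumed, and only if the container image carries python3), and again with the `tls` argument against 9443. A `reset_after_connect` verdict on the plain port, as in the curl output above, means something accepted the TCP handshake and then tore the connection down; that points at whatever sits in the path between the pod and the backend rather than at the backend being unreachable, which is the distinction the later replies in this thread turn on.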



  • 6.  RE: ISAM9-Docker: Issue in SSL junction creation for non-microservice backend servers

    Posted Thu March 11, 2021 09:49 AM
    Amitesh,

    This must be an issue with your environment - perhaps with Istio.


    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor