IBM Verify

ISAM9 with Open Shift issue

    Posted Fri July 19, 2019 09:15 AM

    I have deployed the template and spun up the pods in our internal OpenShift 3.7 environment.

    Even though I see the pods now running, it seems it's still running with issues…

    Issue 1) The runtime pod does not connect to the config pod… On manual checking, the URL only works with the -k flag (no certs)

     

    # oc logs pod/isamruntime-3243051175-35pb7

     

    2019-07-18T01:27:55+0100: ---- Retrying....

    Error: WGAWA0662E   An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403

    2019-07-18T01:28:03+0100: ---- Retrying....

    Error: WGAWA0662E   An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403

    2019-07-18T01:28:10+0100: ---- Retrying....

    Error: WGAWA0662E   An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403

    2019-07-18T01:28:18+0100: ---- Retrying....

    Error: WGAWA0662E   An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403

    2019-07-18T01:28:27+0100: ---- Retrying....

    Error: WGAWA0662E   An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403

    2019-07-18T01:28:38+0100: ---- Retrying....

    Error: WGAWA0662E   An invalid response code was returned from the request to https://isamconfig:9443/shared_volume/fixpacks: 403

    2019-07-18T01:28:49+0100: ---- Retrying....

     

    # oc rsh isamruntime-3243051175-35pb7

     

    sh-4.2$ curl -v https://isamconfig:9443/shared_volume/fixpacks

    * About to connect() to isamconfig port 9443 (#0)

    *   Trying 172.17.20.253...

    * Connected to isamconfig (172.17.20.253) port 9443 (#0)

    * Initializing NSS with certpath: sql:/etc/pki/nssdb

    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt

      CApath: none

    * Server certificate:

    *       subject: CN=isamconfig-2973007414-k1dv0

    *       start date: Jul 16 23:44:54 2019 GMT

    *       expire date: Jul 16 23:44:54 2020 GMT

    *       common name: isamconfig-2973007414-k1dv0

    *       issuer: CN=isamconfig-2973007414-k1dv0

    * NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)

    * Issuer certificate is invalid.

    * Closing connection 0

    curl: (60) Issuer certificate is invalid.

    More details here: http://curl.haxx.se/docs/sslcerts.html

     

    curl performs SSL certificate verification by default, using a "bundle"

    of Certificate Authority (CA) public keys (CA certs). If the default

    bundle file isn't adequate, you can specify an alternate file

    using the --cacert option.

    If this HTTPS server uses a certificate signed by a CA represented in

    the bundle, the certificate verification probably failed due to a

    problem with the certificate (it might be expired, or the name might

    not match the domain name in the URL).

    If you'd like to turn off curl's verification of the certificate, use

    the -k (or --insecure) option.

    sh-4.2$

     

     

    sh-4.2$ curl -Lvk https://isamconfig:9443/shared_volume/fixpacks

    * About to connect() to isamconfig port 9443 (#0)

    *   Trying 172.17.20.253...

    * Connected to isamconfig (172.17.20.253) port 9443 (#0)

    * Initializing NSS with certpath: sql:/etc/pki/nssdb

    * skipping SSL peer certificate verification

    * NSS: client certificate not found (nickname not specified)

    * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    * Server certificate:

    *       subject: CN=isamconfig-2973007414-k1dv0

    *       start date: Jul 16 23:44:54 2019 GMT

    *       expire date: Jul 16 23:44:54 2020 GMT

    *       common name: isamconfig-2973007414-k1dv0

    *       issuer: CN=isamconfig-2973007414-k1dv0

    > GET /shared_volume/fixpacks HTTP/1.1

    > User-Agent: curl/7.29.0

    > Host: isamconfig:9443

    > Accept: */*

    >

    < HTTP/1.1 302 Found

    < Location: https://isamconfig:9443/core/login

    < Content-Language: en-US

    < Set-Cookie: WASReqURL=https://:9443/shared_volume/fixpacks; Path=/; Secure; HttpOnly

    < Transfer-Encoding: chunked

    < Date: Thu, 18 Jul 2019 09:20:36 GMT

    < Expires: Thu, 01 Dec 1994 16:00:00 GMT

    < Cache-Control: no-cache="set-cookie, set-cookie2"

    <

    * Ignoring the response-body

    * Connection #0 to host isamconfig left intact

    * Issue another request to this URL: 'https://isamconfig:9443/core/login'

    * Found bundle for host isamconfig: 0xb6bee0

    * Re-using existing connection! (#0) with host isamconfig

    * Connected to isamconfig (172.17.20.253) port 9443 (#0)

    > GET /core/login HTTP/1.1

    > User-Agent: curl/7.29.0

    > Host: isamconfig:9443

    > Accept: */*

    >

    < HTTP/1.1 200 OK

    < X-FRAME-OPTIONS: SAMEORIGIN

    < Cache-Control: no-cache, no-store

    < Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'

    < X-Content-Type-Options: nosniff

    < X-XSS-Protection: 1; mode=block

    < Strict-Transport-Security: max-age=16070400; includeSubDomains

    < Pragma: no-cache

    < Content-Type: text/html;charset=utf-8

    < Content-Language: en-US

    < Set-Cookie: JSESSIONID=0000gJWTe1Ef-J9iABwMFIeJaAR:969cff36-5992-4f29-aa2e-60222dc40746; Path=/; Secure; HttpOnly

    < Transfer-Encoding: chunked

    < Date: Thu, 18 Jul 2019 09:20:37 GMT

    < Expires: Thu, 01 Dec 1994 16:00:00 GMT

    <

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

    <!-- IBM Confidential

      Object Code Only Source Materials

      5725-L52

      (c) Copyright International Business Machines Corp. 2012, 2016

      The source code for this program is not published or otherwise divested

      of its trade secrets, irrespective of what has been deposited with the

      U.S. Copyright Office. -->

    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang='en' dir="ltr">

      <head>

        <meta http-equiv="Content-Type"   content="text/html; charset=UTF-8" />

        <meta http-equiv="pragma"         content="no-cache"/>

        <meta http-equiv="cache-control"  content="no-cache"/>

        <meta name="screen_id" content="Login::get" />

     

        <link rel="icon"          href="/images/favicon.ico" type="image/x-icon" />

        <link rel="shortcut icon" href="/images/favicon.ico" type="image/x-icon" />

     

        <meta name="csrf-param" content="authenticity_token"/>

        <meta name="csrf-token" content=""/>

     

     

        <meta name="cctxt" content=""/>

        <title>IBM Security Access Manager</title>

     

        <!-- ISAM CSS -->

        <link rel="stylesheet" type="text/css" href="/javascripts/dojo/dijit/themes/claro/claro.css" />

    .

    .

    .

    .

    .

    .

     

    Issue 2) The openldap pod is continuously getting completed, followed by crashing

     

    # oc get pods

    NAME                           READY     STATUS    RESTARTS   AGE

    isamconfig-2973007414-k1dv0    1/1       Running   16         11h

    isamruntime-3243051175-35pb7   0/1       Running   0          11h

    isamwrprp1-682827843-2k6wz     0/1       Running   0          11h

    openldap-2629205293-8vzr0      1/1       Running   4          4m

    postgresql-3938822541-dzdj4    1/1       Running   0          4m

     

     

    # oc get pods

    NAME                           READY     STATUS      RESTARTS   AGE

    isamconfig-2973007414-k1dv0    1/1       Running     16         11h

    isamruntime-3243051175-35pb7   0/1       Running     0          11h

    isamwrprp1-682827843-2k6wz     0/1       Running     0          11h

    openldap-2629205293-8vzr0      0/1       Completed   4          4m

    postgresql-3938822541-dzdj4    1/1       Running     0          4m

     

    # oc get pods

    NAME                           READY     STATUS             RESTARTS   AGE

    isamconfig-2973007414-k1dv0    1/1       Running            16         11h

    isamruntime-3243051175-35pb7   0/1       Running            0          11h

    isamwrprp1-682827843-2k6wz     0/1       Running            0          11h

    openldap-2629205293-8vzr0      0/1       CrashLoopBackOff   4          4m

    postgresql-3938822541-dzdj4    1/1       Running            0          5m



    ------------------------------
    Mayur Wattamwar
    ------------------------------
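
An added example, not part of the original post and not IBM's code: a shell helper that reads a `curl -v` transcript like the two above and reports what it shows about the server certificate (subject equal to issuer, CN different from the requested host, verification failed or skipped) together with the HTTP status codes seen. The function name `diagnose_curl_tls` and the shortened sample transcripts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise a `curl -v` transcript (NSS-style output, as in the post).
# Usage: curl -v https://HOST:PORT/path 2>&1 | diagnose_curl_tls HOST
diagnose_curl_tls() {
    awk -v host="$1" '
        /^\*[ \t]+subject:/     { sub(/^\*[ \t]+subject:[ \t]*/, "");     subject = $0 }
        /^\*[ \t]+issuer:/      { sub(/^\*[ \t]+issuer:[ \t]*/, "");      issuer  = $0 }
        /^\*[ \t]+common name:/ { sub(/^\*[ \t]+common name:[ \t]*/, ""); cn      = $0 }
        /skipping SSL peer certificate verification/ { skipped = 1 }
        /^curl: \(60\)/         { failed = 1 }
        /^< HTTP\//             { status = status (status ? "," : "") $3 }
        END {
            # Subject equal to issuer: no external CA vouches for this certificate.
            if (subject != "" && subject == issuer) print "self-signed"
            # Only the CN appears in this output; SAN entries are not checked here.
            if (cn != "" && cn != host) print "name-mismatch"
            if (failed)  print "verify-failed"
            if (skipped) print "verify-skipped"
            if (status != "") print "http=" status
        }'
}

# Constructed samples, shortened from the two transcripts in the post.
sample_strict() { cat <<'EOF'
* Connected to isamconfig (172.17.20.253) port 9443 (#0)
*       subject: CN=isamconfig-2973007414-k1dv0
*       common name: isamconfig-2973007414-k1dv0
*       issuer: CN=isamconfig-2973007414-k1dv0
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
curl: (60) Issuer certificate is invalid.
EOF
}
sample_insecure() { cat <<'EOF'
* skipping SSL peer certificate verification
*       subject: CN=isamconfig-2973007414-k1dv0
*       common name: isamconfig-2973007414-k1dv0
*       issuer: CN=isamconfig-2973007414-k1dv0
< HTTP/1.1 302 Found
< Location: https://isamconfig:9443/core/login
< HTTP/1.1 200 OK
EOF
}

sample_strict   | diagnose_curl_tls isamconfig
sample_insecure | diagnose_curl_tls isamconfig
```

The helper only summarises what the transcript contains; the 403 in the runtime log is an HTTP status and is not derived from these certificate findings.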