IBM Security Verify

  • 1.  DPWWA3150E While creating junction

    Posted Sat April 15, 2023 02:48 AM
    Edited by Piyush Agrawal Sat April 15, 2023 06:04 AM

    Hello,

    We are getting the following error while creating a junction... on an existing proxy on ISVA 10.0.4

    pdadmin sec_master> server task default-webseald-cruz create -t tcp -h cruz.dallas.ibm.com /myjunction

    Error: 
    DPWWM1318E Cannot create junction
    DPWWA3150E The key with the label, %s, was not located in the key file.

    It would be nice if anyone can help.
    This is blocking us from going live.



    ------------------------------
    Piyush Agrawal
    https://www.linkedin.com/in/piyush-norway/
    Gjensidige Norway
    ------------------------------



  • 2.  RE: DPWWA3150E While creating junction

    Posted Sat April 15, 2023 03:35 AM

    What is the actual command you're using?

    There must be some other parameters you're trying to use here, in addition to the sample command you've posted? (They'll be important to get better context of your issue at hand.)

    My guess: you're trying to set up a mutual SSL junction, for which there is no matching in the pdsrv (or equivalent) keystore (or junction keystore, if you have that configured as a separate keystore).



    (Obfuscate out the hostnames or other identifying information)



    ------------------------------
    HANS VANDEWEGHE
    ------------------------------



  • 3.  RE: DPWWA3150E While creating junction

    Posted Sat April 15, 2023 06:03 AM

    Thanks for the reply, @HANS VANDEWEGHE.

    The actual cmd looks like: server task prod.domain.com-webseald-isam-dmz-prod create -f -t tcp -h P-001-270-200.dom.no -p 4259 /api-name



    ------------------------------
    Piyush Agrawal
    https://www.linkedin.com/in/piyush-norway/
    Gjensidige Norway
    ------------------------------



  • 4.  RE: DPWWA3150E While creating junction

    Posted Sat April 15, 2023 08:28 AM

    OK, I wouldn't have expected this for -t tcp; for -t ssl it would have made more sense.

    Have you tried creating the junction via the LMI Junction Management panel as well?  Does it also fail in the same way there?


    A few things to look at maybe:
    - Are you using an Appliance Cluster?
    - Is SSL Key File synchronization in the cluster activated?
    - Are you able to open the SSL Key File from the LMI > System > SSL Management (on the LMI of that appliance where you're creating the junction)?
    - From the LMI > Web > Reverse Proxy > isam-dmz-prod > Edit, on the dropdown for "SSL Certificate Key File", "SSL Server Certificate", "JCT Certificate Key File" (if used, by default it's not used...), when you look in the dropdown, does that present you with the same values as what you have currently configured?

    There is one thing that rings a bell. I don't know which version of ISVA it is exactly implemented in, but the underlying SSL provider that ISVA uses for its Web features (Policy Server, WebSEAL), aka GSKIT, in recent versions has moved away from the concept of "Default Certificates".
    So it might be worth scanning the WebSEAL conf file for ssl-keyfile-label entries in stanzas of enabled functionality (where you are explicitly wanting to send an SSL Key as part of a mutual SSL handshake).



    ------------------------------
    HANS VANDEWEGHE
    ------------------------------
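
The scan suggested in the last reply, as an added example that is not part of the thread or of IBM's tooling: it lists every active ssl-keyfile-label entry per stanza and checks it against the labels present in the key file. Assumptions: the conf file uses the `[stanza]` / `key = value` layout with `#` comments, the set of key file labels is supplied by the administrator (for example read off LMI > System > SSL Management), and the function names and sample content are hypothetical.

```python
# Constructed sample in the stanza / "key = value" layout of a WebSEAL conf file.
# Stanza names, file names and labels are illustrative, not from the thread.
SAMPLE_CONF = """\
[ssl]
webseal-cert-keyfile = pdsrv.kdb

[dsess-cluster]
ssl-keyfile = pdsrv.kdb
ssl-keyfile-label = dsc-client

[tfim-cluster:example]
# ssl-keyfile-label = old-label
ssl-keyfile-label =

[rtss-cluster:example]
ssl-keyfile-label = rtss-client
"""

def find_label_entries(conf_text, key="ssl-keyfile-label"):
    """Return (line_no, stanza, label) for every uncommented `key` entry."""
    stanza, found = None, []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()   # entering a new stanza
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:   # exact key match only
            found.append((line_no, stanza, value.strip()))
    return found

def audit_labels(conf_text, keystore_labels):
    """Tag each entry 'ok', 'empty' (no label set) or 'missing' (not in key file)."""
    report = []
    for line_no, stanza, label in find_label_entries(conf_text):
        if not label:
            status = "empty"
        elif label in keystore_labels:
            status = "ok"
        else:
            status = "missing"
        report.append((line_no, stanza, label, status))
    return report

if __name__ == "__main__":
    # Assumed: the key file contains only the label "dsc-client".
    for row in audit_labels(SAMPLE_CONF, {"dsc-client"}):
        print("line %d [%s] label=%r -> %s" % row)
```

Entries reported as `missing` or `empty` in a stanza for enabled functionality are the ones to compare against the key file configured for the reverse proxy.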