IBM HTTP Server + WAS 6.1
fabianc...@gmail.com
I have installed IBM HTTP Server and WAS 6.1 on Linux system. I have also followed IBM docs to setup SSL. I am still unable to use https://servername/snoop. I have tried re-generating the Plugin file, but the plugin logs shows an error: r_gsk_secure_soc_init BAD_CERT.
Can anyone help me with this. You can send me any docs to recheck the SSL configuration.
Thanks
Fabian
cle...@us.ibm.com
If so, this link may help.
Unfortunately, it is old (v4), and may be a little confusing. Anyone know of a better link for this? The issue has been discussed here in the past, you could do a search.
fabianc...@gmail.com
I have followed the steps given in the link, but no help. Also I would like to inform that I have followed the steps given in the Doc, Configuring IBM HTTP server for SSL, to enable SSL.
Your inputs would be appreciated.
Thanks
Fabian
Sunit Patke
port 443 has been defined to hosta aliases in the virtual host. If not then
do so, regenerate the plug-in and restart everything.
- Sunit
<fabianc...@gmail.com> wrote in message
news:1498611351.118094454...@ltsgwas009.sby.ibm.com...
fabianc...@gmail.com
I am able to get
http://servername/snoop
http://servername:9080/snoop
https://servername:9443/snoop
But unable to get https://servername/snoop
Port 443 is already defined in environment->virtualhosts->hostaliases.
The httpd.conf file entries are listed below:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
Keyfile "/opt/IBM/HTTPServer/BM/serverkey.kdb"
SSLEnable
SSLClientAuth 0
Also I have tried this:
<IfModule mod_ibm_ssl.c>
Listen 443
<VirtualHost *:443>
SSLEnable
</VirtualHost>
</IfModule>
SSLDisable
KeyFile "/opt/IBM/HTTPServer/serverkey.kdb"
I have tried both the settings one at a time. But to no luck. I am also attaching the plugin log file for your reference.
Sunit Patke
comment out the WAS plugin from httpd.conf and try connecting to the
webserver alone with HTTPS. Once this works correctly, re-enable the WAS
plug-in and restart IHS. See error_log for any errors.
- Sunit
<fabianc...@gmail.com> wrote in message
news:1778597484.118096863...@ltsgwas010.sby.ibm.com...
fabianc...@gmail.com
I am able to use https://servername without any issues. Also i have tried the suggestions given by you to comment out the Plugin file in httpd.conf file but no luck.
Also checked the http_plugin.log still get the same (ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)) error message.
Also can anyone let me know is there is any support site from IBM where I can log a call for this and get inputs from them.
Thanks for all the inputs.
Fabian
Eric Covener
Depending on where you were in the handshake, either WAS can't validate
the SSL certificate used by the plugin or the other way around.
Check expiration and trust chain.
Sunit Patke
as a signer certificate. You will have to see the plugin config file to find
the name of kdb file you are using. This happening because your
configuration is using SSL between IHS and WAS. It is possible to use SSL
only between browser and IHS.
- Sunit
<fabianc...@gmail.com> wrote in message
news:1480048345.118102590...@ltsgwas009.sby.ibm.com...
cle...@us.ibm.com
Earlier, I pointed you to a link that fixes a similar problem. I had this happen last month with the same symtoms as yours and it fixed mine. That link was for V4 and was rather confusing. I have documented the steps I took below:
fred
---------------------------------------------------
The following error is generated if your WebSphere Application Server SSL
certificate is not trusted by the WebSphere Application Server Plugin
configured for the IBM HTTP Server:
ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init:
GSK_ERROR_BAD_CERT(gsk rc = 414)
To fix this error:
Extract the default Personal Certificate
1. Login to the WebSphere Application Server Administrative Console
2. Select Security > SSL certificate and key management > Key Stores and certificates
3. Select NodeDefaultKeyStore for a stand-alone deployment or
CellDefaultKeyStore for a network deployment.
4. Click Personal Certificates, select the default check box, and then click Extract.
5. Give the extracted file a path and name, such as: /root/defaultCert.ARM.
Note: The convention is to give the file a .ARM extension.
6. Leave encoding set to Base64.
7. Click OK.
Locate your *.kdb file
1. In the httpd.conf file, find the directory in which the plugin-cfg.xml file is
stored by searching for the WebSpherePluginConfig line. It should look something like this:
WebSpherePluginConfig "/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-cfg.xml"
2. Find the directory in which the key database file (*.kdb) is stored by searching
for the term "keyring" in the plugin-cfg.xml file. For example:
<Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb"/>
Note this location as you will need to use it later.
Add the extracted certificate to your key database file
1. Go to the directory for ikeyman and start it:
cd /opt/IBM/HTTPServer/bin
./ikeyman
2. Click Key Database File > Open, and then select a key database type of CMS.
3. Specify the filename and loacation you found above. For example: plugin-key.kdb and
/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb
4. Click OK, and then enter the password. Note: If you have not given this file another password,
the default password from WebSphere Application Server is WebAS (case sensitive).
5. Click Personal Certificates drop down and then select Signer Certificates.
6. Click Add.
7. Browse to the file you exported with the extension *.ARM, Select it, then Open and click OK. Supply a name if prompted.
8. Select Key Database File > Save As and save to the original location.
9. Select Key Database File > Exit.
10. Restart the IBM HTTP Server.
fabianc...@gmail.com
I have checked the expiry date of the SSL certificate and trust chain. I would like to recheck the trust chain, please let me know how to do that.
Regards
Fabian
fabianc...@gmail.com
I checked the kdb file used by the plugin file as a signer certificate. I have also checked the name of the kdb file but issue persists.
Regards
Fabian
fabianc...@gmail.com
I have tried all the steps given by you but the issue persists. Fred, I would like to know this step:
Select Key Database File > Save As and save to the original location.
At this point you would want me to save the file with the default name (key.kdb)and the default location. I have done this but issue persists.
Regards
Fabian
Eric Covener
Every cert contains a subject and issuer. On top-level certificate
authorities certificates, the subject and issuer are the same.
You declare that you trust a given certificate authority by including it
in your KDB 'signer certs'section and having the "trusted" box checked.
Any other certificate your server comes in contact with must be able to
trace back to a certificate authority that you already trust.
Simplified, when you make a conncetion from the plugin to WAS, whoever
issued/signed the WAS certificate must exist as a trusted cert authority
in your plugin KDB file.
The opposite may also be true, but usually the plugin does not provide a
client certificate to WAS.
cle...@us.ibm.com
That was confusing to me too. When I was preparing SSL, I used ikeyman as well, and created a key database using the default key.kdb and put it in the default /bin directory.
Then, later, I encountered the problem you have and started following directions to work on the /opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb file instead of the one I made earlier. That was the one my plugin-cfg.xml file pointed me to.
What I meant in that step was to save it back to the same name you opend it as: /opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb (ikeyman did not have a save, only a save as).
fabianc...@gmail.com
I tried all the steps mentioned but the issue persists. Can you pls send me a link to configure/recheck SSL. Along if you need any other details then please let me know.
Regards
Fabian
cle...@us.ibm.com
Sunit Patke
Sunit
<fabianc...@gmail.com> wrote in message
news:1666892220.118145607...@ltsgwas009.sby.ibm.com...
fabianc...@gmail.com
I have followed the same steps but was getting the GSK_ERROR_BAD_CERT(gsk rc = 414) error message.
Then I followed the steps given by you to resolve the error but issue persists.
Any other inputs would be appreciated.
Regards
Fabian
cle...@us.ibm.com
Fixpack 3:
6.1.0.3: WebSphere Application Server V6.1.0 Fix Pack 3 for Linux
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24013772
Files:
6.1.0-WS-AppClient-LinuxX32-FP0000003.pak (not needed in my case)
6.1.0-WS-IHS-LinuxX32-FP0000003.pak
6.1.0-WS-PLG-LinuxX32-FP0000003.pak
6.1.0-WS-WAS-LinuxX32-FP0000003.pak
Update Installer:
It is best to get the latest Update installer rather than using the launchpad to install the one shipped with WAS 6.1.
Update Installer for WebSphere Application Server V6.1 releases
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012718
File: download.updii.6101.linux.ia32.zip
Fixpack 3 readme:
Readme for IBM WebSphere Application Server version 6.1.0.3
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27008686
fabianc...@gmail.com
I have tried all the suggestions given, also applied fix pack 9. I have tried to recheck and redo the settings, but get the same error message.
Fred can you give me the steps to configure SSL, I would like to know if I have followed the right steps.
Below are the steps that I have followed to configure SSL.
1. Created a new KDB file using the ikeyman utility.
2. Created a new Self-Signed certificate.
3. Extracted the Cert.arm to a specific folder.
4. Added the Cert.arm file
5. Configured the httpd.conf file to enable SSL configuration and restarted the HTTP server.
6. Configured the Environment settings (Virtual hosts) in WAS and restarted the WAS.
Please confirm if the above mentioned steps are correct and enough and let me know if I am missing something.
Thanks and regards
Fabian
Eric Covener
You weren't very clear in the steps you performed.
You have a self-signed certificate being used by WebSphere, in a JKS
file. Does the plug-in KDB file "trust" the self-signed issuer?
Extract from the WebSphere JKS, "add" in ikeyman gui to the Plugin KDB.
fabianc...@gmail.com
thanks for the info, but I am not very clear on some points.
1. I have created the KDB file and not using any jks file.
If you could tell me
1. What does this mean..Does the plug-in KDB file "trust" the self-signed issuer?
2. Extract from the WebSphere JKS, "add" in ikeyman gui to the Plugin KDB ( I am not using any JKS file)
It would be very kind if you can explain this to me. Resetting or reconfiguring the SSL is also fine by me. Therefore, I would request you to e-mail me the steps for the setting up the SSL for WAS 6.1.
I am able to access this:
http://servername
http://servername/snoop
https://servername
https://servername:9443/snoop
Unable to access https://servername/snoop
Thanks in advance
Regards
Fabian
Eric Covener
> Hi Eric,
> thanks for the info, but I am not very clear on some points.
>
> 1. I have created the KDB file and not using any jks file.
I'd think that if the Application Server has an SSL transport, it would
have a JKS file with at least 1 private key.
>
> If you could tell me
>
> 1. What does this mean..Does the plug-in KDB file "trust" the self-signed issuer?
The KDB has a section called "Signer Certs" that it trusts. If the
certificate on the backend appserver isn't signed by one of these known
issuers, it won't be accepted. Same as when a browser prompts you about
a self-signed cert.
> 2. Extract from the WebSphere JKS, "add" in ikeyman gui to the Plugin KDB ( I am not using any JKS file)
>
Does websphere provide an SSL certificate when you perform a handshake
directly? find where it's stored.
fabianc...@gmail.com
I have followed all the steps but the issue still persists. It would be of great help, if you could send me the steps to setup SSL.
Resetting or reconfiguring the SSL is also fine by me. It will be of great help if you could send me the steps for the setting up the SSL for WAS 6.1.
Thanks and Regards
Fabian