
SSL: IHS + WAS


tomic...@yahoo.com
Jan 24, 2007, 3:39:58 AM
I'm looking for documentation which explains what should be done to enable SSL on both IBM HTTP Server 6.1 and WebSphere 6.1, but I can't find one. I'm using client certificate authentication, so turning off SSL between IHS and WAS is not an option. I have installed the same certificate on both IHS and WAS, but SSL communication still fails.

Sunit Patke
Jan 24, 2007, 9:18:24 AM
See WAS InfoCenter on how to enable SSL between WAS and IHS (plug-in).
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tihs_localsetup.html

Sunit

<tomic...@yahoo.com> wrote in message
news:919535123.1169628029...@ltsgwas009.sby.ibm.com...

John Smith
Jan 24, 2007, 9:55:29 AM

I did that and now I get this error in the IHS/WAS plugin:

[Wed Jan 24 15:41:32 2007] 0000112c 000004c0 - ERROR: lib_stream:
openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_MESSAGE(gsk rc =
410)
[Wed Jan 24 15:41:32 2007] 0000112c 000004c0 - ERROR: ws_common:
websphereGetStream: Could not open stream
[Wed Jan 24 15:41:32 2007] 0000112c 000004c0 - ERROR: ws_common:
websphereExecute: Failed to create the stream
[Wed Jan 24 15:41:32 2007] 0000112c 000004c0 - ERROR: ws_common:
websphereHandleRequest: Failed to execute the transaction to
'bernvsrvNode01_server1'on host 'bernvsrv'; will try another one
[Wed Jan 24 15:41:32 2007] 0000112c 000004c0 - ERROR: ws_common:
websphereWriteRequestReadResponse: Failed to find an app server to handle
this request
[Wed Jan 24 15:41:32 2007] 0000112c 000004c0 - ERROR: ESI: getResponse:
failed to get response: rc = 2
[Wed Jan 24 15:41:32 2007] 0000112c 000004c0 - ERROR: ws_common:
websphereHandleRequest: Failed to handle request

and this in my web server (IHS) access.log:

10.9.72.251 - - [24/Jan/2007:15:49:56 +0100] "GET /snoop HTTP/1.1" 500 651

and there are no errors or any information about this request in the WAS logs.

Thank you for your help.


Sunit Patke
Jan 24, 2007, 10:21:43 AM
Which port is being used for communication between IHS and WAS? (This will
be the web container's HTTP listener ports and should have SSL enabled.) Are
there any non-secure ports the webapp is listening on? The certificate being
used by the WAS web container will have a public key. This public key should be
in the keystore used by the plug-in as a signer certificate.

Sunit

"John Smith" <john....@microsoft.com> wrote in message
news:ep7s13$1eo6k$1...@news.boulder.ibm.com...

Eric Covener
Jan 24, 2007, 10:36:57 AM
John Smith wrote:
>> See WAS InfoCenter on how to enable SSL between WAS and IHS (plug-in).
>> http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tihs_localsetup.html
>
> I did that and now I got this error in IHS/WAS plugin:
>
> [Wed Jan 24 15:41:32 2007] 0000112c 000004c0 - ERROR: lib_stream:
> openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_MESSAGE(gsk rc =
> 410)


Probably the plugin is trying to talk SSL to a non-SSL port on the
ApplicationServer.

John Smith
Jan 24, 2007, 10:38:12 AM

> Which port is being used for communication between IHS and WAS? (This will
> be the web containers HTTP listener ports and should have SSL enabled).
> Are there any non-secure ports the webapp is listening on? The certificate
> being used by WAS web container will have a public key. This public key
> should be in the keystore used by plug-in as a signer certificate.

IHS listens on port 443. My app under WAS works on port 9443. I am not sure
which port IHS and WAS use to communicate, but I expect IHS to forward HTTPS
requests from port 443 to port 9443.

I have this configuration:

Browser<->HTTPS<->IHS<->HTTPS<->WAS

I require client certificate authentication on both IHS and WAS. I have
imported the WAS certificate into the plugin and the plugin's certificate into
the WAS key store.

Do I need to set ProxyPass in httpd.conf? Something like this:

LoadModule was_ap20_module
"C:\IBM\HTTPServer\Plugins\bin\mod_was_ap20_http.dll"
WebSpherePluginConfig
"C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-cfg.xml"
<VirtualHost 0.0.0.0:443>
SSLEnable
SSLServerCert selfSigned
SSLClientAuth 2
KeyFile "C:/IBM/HTTPServer/webserver1.kdb"
SSLProxyEngine on
ProxyPass /snoop https://193.77.98.85:9443/snoop
ProxyPassReverse /snoop https://193.77.98.85:9443/snoop
</VirtualHost>
SSLDisable

I have tried the above configuration, but I still get the same "Internal Server Error" :(

Thank you.


Sunit Patke
Jan 24, 2007, 10:42:17 AM
Are there any ports other than 9443 defined as listener ports for the web
container? If yes, remove them or mark them as SSL enabled and regenerate
the plug-in config.

Sunit

"John Smith" <john....@microsoft.com> wrote in message

news:ep7uh6$s056$1...@news.boulder.ibm.com...

Eric Covener
Jan 24, 2007, 1:24:06 PM
John Smith wrote:
>> Which port is being used for communication between IHS and WAS? (This will
>> be the web containers HTTP listener ports and should have SSL enabled).
>> Are there any non-secure ports the webapp is listening on? The certificate
>> being used by WAS web container will have a public key. This public key
>> should be in the keystore used by plug-in as a signer certificate.
>
> IHS listens 443 port. My app under WAS works under 9443 port. I am not sure
> which port IHS and WAS use to communicate, but I expect IHS to forward HTTPS
> requests from 443 port to 9443 port.
>
> I have this configuration:
>
> Browser<->HTTPS<->IHS<->HTTPS<->WAS
>
> I require client certificate authentication on both IHS and WAS. I have
> imported WAS certificate into plugin and plugin's certificate into WAS key
> store.
>
> Do I need to ser ProxyPass in httpd.conf? Something like this:

ProxyPass performs a similar function to the plug-in -- you don't want
to use IHS mod_proxy on the same set of URLs as you expect the plug-in
to handle.

What does an IP trace between IHS and WAS say is going on? The GSKit
error quoted earlier implies something that wasn't valid SSL was read
when the plugin tried to communicate using SSL.

John Smith
Jan 24, 2007, 10:58:34 AM

>> Are there any ports other that 9443 defined as listener ports for the web
>> container? If yes, remove them or mark them as SSL enabled and regenerate
>> the plug-in config.

And these are my Listen directives from httpd.conf, which show that my
web server is not listening on any ports other than 80 and 443:

Listen 0.0.0.0:443
Listen 0.0.0.0:80


Sunit Patke
Jan 24, 2007, 1:50:38 PM
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: lib_stream:
openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_IO (gsk rc = 406)

I am guessing that you have not imported the public-key correctly.

Sunit

"John Smith" <john....@microsoft.com> wrote in message

news:ep7uru$1gs30$1...@news.boulder.ibm.com...


>
>> Probably plugin trying to talk SSL to a non-SSL port on the
>> ApplicationServer
>

> I disagree. Below are the last lines from the plugin log. Pay attention to the
> line "lib_stream: openStream: Stream is SSL"; it seems that the correct
> 9443 port was used.
>
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ws_common:
> websphereFindTransport: Finding the transport
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DETAIL: ws_common:
> websphereFindTransport: Setting the transport(case 1):
> bernardvsrv.adriatic.snt.eu on port 9443
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ws_common:
> websphereExecute: Executing the transaction with the app server
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DEBUG: ws_common:
> websphereGetStream: Getting the stream to the app server
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ws_transport:
> transportStreamDequeue: Checking for existing stream from the queue
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DEBUG: ws_common:
> websphereGetStream: socket 10712 connected to
> bernardvsrv.adriatic.snt.eu:9443
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DEBUG: lib_stream:
> openStream: Opening the stream
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DEBUG: lib_stream:
> openStream: Stream is SSL
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: lib_stream:
> openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_IO(gsk rc = 406)
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DEBUG: lib_stream:
> destroyStream: Destroying the stream
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ws_common:
> websphereGetStream: Could not open stream
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ws_common:
> websphereGetStream: socket 10712 closed - failed to open stream
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ws_common:
> websphereExecute: Failed to create the stream
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DEBUG: ws_server:
> serverSetFailoverStatus: Request to mark bernardvsrvNode01_server1 down
> ignored.
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - STATS: ws_server:
> serverSetFailoverStatus: Server bernardvsrvNode01_server1 :
> pendingRequests 0 failedRequests 7 affinityRequests 0 totalRequests 0.
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ws_common:
> websphereHandleRequest: Failed to execute the transaction to
> 'bernardvsrvNode01_server1'on host 'bernardvsrv.adriatic.snt.eu'; will try
> another one
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ws_common:
> websphereWriteRequestReadResponse: Failed to find an app server to handle
> this request
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ESI: getResponse:
> failed to get response: rc = 2
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ESI:
> esiHandleRequest: failed to get response
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ESI:
> esiRequestUrlStackDestroy
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DETAIL: ESI:
> esiRequestPopUrl: '/snoop/'
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ESI: esiUrlDestroy:
> '/snoop/'
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ws_common:
> websphereHandleRequest: Failed to handle request
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ws_common:
> websphereCloseConnection
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DETAIL: ws_common:
> websphereEndRequest: Ending the request
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: mod_was_ap20_http:
> as_handler: set env WAS "bernardvsrv.adriatic.snt.e:9443"
> [Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: mod_was_ap20_http:
> in as_logger
>
>
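The two GSKit return codes that appear in this thread are read differently by the repliers: rc 410 (GSK_ERROR_BAD_MESSAGE), which Eric Covener takes to mean the plug-in read something that was not valid SSL, typically an https transport pointed at a non-SSL port, and rc 406 (GSK_ERROR_IO), which Sunit Patke guesses is a signer certificate that was not imported correctly. Those codes, the transport the plug-in chose and the failover counters can be pulled out of a plug-in trace automatically. The script below is an added example written for this page, not IBM code and not something posted in the thread; the log lines it parses are constructed from the excerpts quoted above (unwrapped onto single lines), and the hint table only encodes the two replies, as a first thing to check rather than a definitive diagnosis.

```python
import re

# Constructed sample, modelled on the plug-in trace excerpts quoted in this thread.
SAMPLE_LOG = """\
[Wed Jan 24 15:41:32 2007] 0000112c 000004c0 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_MESSAGE(gsk rc = 410)
[Wed Jan 24 15:41:32 2007] 0000112c 000004c0 - ERROR: ws_common: websphereGetStream: Could not open stream
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DETAIL: ws_common: websphereFindTransport: Setting the transport(case 1): bernardvsrv.adriatic.snt.eu on port 9443
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DEBUG: lib_stream: openStream: Stream is SSL
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_IO(gsk rc = 406)
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - STATS: ws_server: serverSetFailoverStatus: Server bernardvsrvNode01_server1 : pendingRequests 0 failedRequests 7 affinityRequests 0 totalRequests 0.
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ESI: getResponse: failed to get response: rc = 2
"""

# One plug-in trace line: [timestamp] pid tid - LEVEL: module: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<pid>[0-9a-f]+) (?P<tid>[0-9a-f]+) - "
    r"(?P<level>[A-Z]+): (?P<module>\w+): (?P<msg>.*)$"
)
GSK_RE = re.compile(r"(?P<name>GSK_[A-Z_]+)\s*\(gsk rc = (?P<rc>\d+)\)")
TRANSPORT_RE = re.compile(r"Setting the transport\(case \d+\): (?P<host>\S+) on port (?P<port>\d+)")
FAILOVER_RE = re.compile(r"Server (?P<server>\S+) : pendingRequests \d+ failedRequests (?P<failed>\d+)")

# Hints as given in this thread, keyed by gsk rc (assumption: these are the
# first things to check, not the only possible causes).
GSK_HINTS = {
    410: "GSK_ERROR_BAD_MESSAGE: plug-in read something that was not valid SSL; "
         "check whether the https transport points at a non-SSL port (Eric Covener)",
    406: "GSK_ERROR_IO: check that the WAS web container certificate was extracted and "
         "added to the plug-in key database as a signer (Sunit Patke's guess)",
}


def parse_line(line):
    """Split one trace line into its fields, or return None for lines that are not trace records."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise a plug-in trace: chosen transports, SSL stream attempts, GSK errors, failover counts."""
    result = {"transports": set(), "ssl_streams": 0, "gsk_errors": [], "failed_requests": {}}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := TRANSPORT_RE.search(msg)):
            result["transports"].add(f"{m['host']}:{m['port']}")
        if msg.endswith("Stream is SSL"):
            result["ssl_streams"] += 1
        if (m := GSK_RE.search(msg)):
            rc = int(m["rc"])
            result["gsk_errors"].append({
                "ts": rec["ts"], "rc": rc, "name": m["name"],
                "hint": GSK_HINTS.get(rc, "unknown gsk rc; check the GSKit return code list"),
            })
        if (m := FAILOVER_RE.search(msg)):
            result["failed_requests"][m["server"]] = int(m["failed"])
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("transports chosen:", sorted(summary["transports"]))
    print("SSL stream attempts:", summary["ssl_streams"])
    for err in summary["gsk_errors"]:
        print(f"{err['ts']}: {err['name']} rc={err['rc']} -> {err['hint']}")
    for server, failed in summary["failed_requests"].items():
        print(f"{server}: failedRequests={failed}")
```

Run it against a real plugin log with `triage(open(path).read())`; a transport set that does not contain the port you expect to be SSL-enabled, or an "Stream is SSL" line immediately followed by a GSK error, is the pattern both repliers were looking for.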


Sunit Patke
Jan 24, 2007, 1:52:09 PM
These are from virtual_host setting in WAS. There is another setting for
HTTP transport for the web application. My guess is that 9080, 9443, 5060
and 5061 are defined as listener ports there and at least 9443 is SSL
enabled.

Sunit

"John Smith" <john....@microsoft.com> wrote in message

news:ep7vbf$1fk1s$1...@news.boulder.ibm.com...


>
>> Are there any ports other that 9443 defined as listener ports for the web
>> container? If yes, remove them or mark them as SSL enabled and regenerate
>> the plug-in config.
>

> I believe you were referencing the plugin's configuration XML file
> (plugin-cfg.xml)? Those are the VHosts I have there:
>
> <VirtualHostGroup Name="default_host">
> <VirtualHost Name="*:9080"/>
> <VirtualHost Name="*:80"/>
> <VirtualHost Name="*:9443"/>
> <VirtualHost Name="*:5060"/>
> <VirtualHost Name="*:5061"/>
> <VirtualHost Name="*:443"/>
> </VirtualHostGroup>
>
>


John Smith
Jan 24, 2007, 10:52:13 AM

> Are there any ports other that 9443 defined as listener ports for the web
> container? If yes, remove them or mark them as SSL enabled and regenerate
> the plug-in config.

I believe you were referencing the plugin's configuration XML file

John Smith
Jan 24, 2007, 10:43:55 AM

> Probably plugin trying to talk SSL to a non-SSL port on the
> ApplicationServer

I disagree. Below are the last lines from the plugin log. Pay attention to the line

[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ws_common:
websphereGetStream: Could not open stream
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ws_common:
websphereGetStream: socket 10712 closed - failed to open stream
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ws_common:
websphereExecute: Failed to create the stream
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DEBUG: ws_server:
serverSetFailoverStatus: Request to mark bernardvsrvNode01_server1 down
ignored.
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - STATS: ws_server:
serverSetFailoverStatus: Server bernardvsrvNode01_server1 : pendingRequests
0 failedRequests 7 affinityRequests 0 totalRequests 0.
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ws_common:
websphereHandleRequest: Failed to execute the transaction to
'bernardvsrvNode01_server1'on host 'bernardvsrv.adriatic.snt.eu'; will try
another one
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ws_common:
websphereWriteRequestReadResponse: Failed to find an app server to handle
this request
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ESI: getResponse:
failed to get response: rc = 2
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ESI: esiHandleRequest:
failed to get response
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ESI:
esiRequestUrlStackDestroy
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - DETAIL: ESI:
esiRequestPopUrl: '/snoop/'
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - TRACE: ESI: esiUrlDestroy:
'/snoop/'
[Wed Jan 24 16:30:42 2007] 00000f24 00000d1c - ERROR: ws_common:
websphereHandleRequest: Failed to handle request

Sunit Patke
Jan 25, 2007, 10:26:26 AM
I am saying this because the ikeyman refers to the required actions as
"Extract" certificate under Personal Certificates and "Add" certificate
under Signer Certificates.

Sunit

"Sunit Patke" <sup...@nospam.com> wrote in message
news:ep89pu$1o034$1...@news.boulder.ibm.com...

bern...@gmail.com
Feb 15, 2007, 10:43:22 AM
I'm a co-worker of Milan and we've done this (SSL between WAS and IHS). It does not help. snoop works just fine (u/p...) and the plug-in trace looks just like the Security Handbook.

But when you try to access our CLIENT_CERT J2EE web app via IHS there is no response. To be more exact, the app responds only on URIs where authentication isn't required. If we go to 9443 the app works like a charm.

Any ideas, anyone?

PS
I've had a similar discussion on the WAS forum about this and it didn't resolve the issue.

Sunit Patke
Feb 16, 2007, 9:30:01 AM
Please post your plugin-cfg.xml file

Sunit

<bern...@gmail.com> wrote in message
news:447046343.1171554233...@ltsgwas010.sby.ibm.com...

bern...@gmail.com
Feb 19, 2007, 9:33:44 AM
Here is the plugin config file. We've also tried commenting out the line with port 9080 (<Transport Hostname="si-eai-zpiz" Port="9080" Protocol="http" />) and it didn't make any difference.

thanks, br, Bernard Velkaverh

bern...@gmail.com
Feb 19, 2007, 9:51:12 AM
An idea of my own regarding plugin-cfg: should we add our app's uri (/m4m8/*) to UriGroup element?

This is not specified in the security handbook, but it appears to make sense.

bern...@gmail.com
Feb 19, 2007, 10:17:43 AM
And a fine idea it was. Now it's working!

As I said, UriGroup isn't mentioned in the WAS Security handbook, I guess it should be.

PS
Perhaps some other app might work without adding anything to UriGroup. There is an element with a "*.jsp" pattern. But we use JSF with "*.faces"-like URIs (since RAD 7.0) and it just doesn't fit any of the existing entries.

Sunit Patke
Feb 20, 2007, 9:15:54 AM
Did you generate the plugin-cfg.xml from WAS adminconsole or manually create
it?

Sunit

<bern...@gmail.com> wrote in message
news:374294696.1171896703...@ltsgwas009.sby.ibm.com...

bern...@gmail.com
Feb 20, 2007, 10:26:36 AM
I generated it (after installing my app). Then I had to manually edit UriGroup and add my URI element. I guess the server should be smart enough to adjust UriGroup automatically during generation.
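Bernard's fix was to add his application's URI pattern (/m4m8/*) to the UriGroup in plugin-cfg.xml by hand after generating it, because a JSF *.faces URI matched none of the generated entries, so the plug-in never forwarded those requests. The script below is an added example for this page, not IBM's code and not something posted in the thread: it parses a small constructed plugin-cfg.xml, answers "which UriGroup, cluster and transports would the plug-in pick for this host and path?", applies the UriGroup edit the thread describes, and also flags any https transport that lacks the keyring/stashfile properties the plug-in needs to open an SSL stream. The element layout follows the real plugin-cfg.xml schema (VirtualHostGroup, ServerCluster, Transport, UriGroup, Route); the URI matching rules (exact, /prefix/*, *.ext) are a simplified assumption about the plug-in's behaviour, and all cluster, node, host and key-file names in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed plugin-cfg.xml, modelled on the real file's layout and on the
# VirtualHostGroup and Transport lines quoted in this thread. Cluster, node,
# host and key-file names are placeholders.
SAMPLE_CFG = """<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:9080"/>
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:9443"/>
    <VirtualHost Name="*:443"/>
  </VirtualHostGroup>
  <ServerCluster Name="server1_Cluster">
    <Server Name="siNode01_server1">
      <Transport Hostname="si-eai-zpiz" Port="9080" Protocol="http"/>
      <Transport Hostname="si-eai-zpiz" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/placeholder/plugin-key.kdb"/>
        <Property Name="stashfile" Value="/placeholder/plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
  <UriGroup Name="default_host_server1_Cluster_URIs">
    <Uri Name="/snoop/*"/>
    <Uri Name="*.jsp"/>
  </UriGroup>
  <Route ServerCluster="server1_Cluster" UriGroup="default_host_server1_Cluster_URIs"
         VirtualHostGroup="default_host"/>
</Config>
"""


def uri_matches(pattern, path):
    """Simplified plug-in URI matching (assumption): exact, '/prefix/*' or '*.ext'."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def vhost_matches(root, group_name, host_port):
    """True if host:port is listed in the named VirtualHostGroup ('*' matches any host)."""
    host, port = host_port.rsplit(":", 1)
    for group in root.iter("VirtualHostGroup"):
        if group.get("Name") != group_name:
            continue
        for vh in group.iter("VirtualHost"):
            vh_host, vh_port = vh.get("Name").rsplit(":", 1)
            if vh_host in ("*", host) and vh_port == port:
                return True
    return False


def route_for(cfg_xml, host_port, path):
    """Return the Route the plug-in would use for a request, or None if no Uri entry matches."""
    root = ET.fromstring(cfg_xml)
    uri_groups = {g.get("Name"): [u.get("Name") for u in g.iter("Uri")] for g in root.iter("UriGroup")}
    clusters = {c.get("Name"): c for c in root.iter("ServerCluster")}
    for route in root.iter("Route"):
        if not vhost_matches(root, route.get("VirtualHostGroup"), host_port):
            continue
        hit = next((p for p in uri_groups.get(route.get("UriGroup"), []) if uri_matches(p, path)), None)
        if hit is None:
            continue
        cluster = clusters[route.get("ServerCluster")]
        transports = [(t.get("Hostname"), int(t.get("Port")), t.get("Protocol"))
                      for t in cluster.iter("Transport")]
        return {"uri_group": route.get("UriGroup"), "pattern": hit,
                "cluster": route.get("ServerCluster"), "transports": transports}
    return None


def add_uri(cfg_xml, group_name, pattern):
    """The manual edit from the thread: append a <Uri Name="..."/> to an existing UriGroup."""
    root = ET.fromstring(cfg_xml)
    for group in root.iter("UriGroup"):
        if group.get("Name") == group_name:
            ET.SubElement(group, "Uri", Name=pattern)
            return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no UriGroup named {group_name}")


def https_transports_missing_keys(cfg_xml):
    """List https transports lacking the keyring/stashfile properties the plug-in needs for SSL."""
    root = ET.fromstring(cfg_xml)
    problems = []
    for t in root.iter("Transport"):
        if t.get("Protocol") != "https":
            continue
        present = {p.get("Name") for p in t.iter("Property")}
        missing = sorted({"keyring", "stashfile"} - present)
        if missing:
            problems.append((t.get("Hostname"), int(t.get("Port")), missing))
    return problems


if __name__ == "__main__":
    print("before:", route_for(SAMPLE_CFG, "ihs.example:443", "/m4m8/login.faces"))
    patched = add_uri(SAMPLE_CFG, "default_host_server1_Cluster_URIs", "/m4m8/*")
    print("after: ", route_for(patched, "ihs.example:443", "/m4m8/login.faces"))
    print("https transports missing key files:", https_transports_missing_keys(patched))
```

Point `route_for` at your real plugin-cfg.xml and the exact path the browser requests: a `None` result means the plug-in will not forward that request at all, which is what Bernard saw for the *.faces pages, and is a quicker check than reading the whole file. Note that regenerating the file from the admin console rewrites it, so a hand-added Uri entry has to be re-applied (or the UriGroup fixed at the source) after every regeneration.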

m...@scrobinson.com
Jan 22, 2008, 7:30:03 AM
When you re-generate a plugin, you must remember that you might need to propagate the plugin. Depends on your design however. If IHS is on a node that does not contain the dmgr and you have your plugin location similar to:

Section found in httpd.conf

#Production Plugin settings
LoadModule was_ap20_module /apps/was/IBMIHS/Plugins/bin/mod_was_ap20_http.so
WebSpherePluginConfig /apps/was/ws6/inst01/profiles/server01/config/cells/nodes/server01/servers/ihs01/plugin-cfg.xml

Then you have to ensure that the plugin is propagated to the node by the deployment manager. When the dmgr generates it, it locates the plugin in the dmgr folders, not the node's. Misunderstanding this can often lead to a belief that the plugin is not working.

Remember to also propagate if you are using ND. Saying that, Application Server can also have a problem if you are using WAS 6, as WAS 6.1 does all the work for you. WAS 6 is more manual and prone to user error. WAS 6.1 was re-designed to make this simpler, but can often hide how it works.

Regards

Steven Robinson - WebSphere Tips
http://www.webspheretips.com

joe.m...@rbc.com
Nov 13, 2008, 1:58:54 PM
If you are getting an internal server error and the plugin logs show the gsk error, chances are that your cell's default certificates have expired and you need to replace them with new ones. Make sure that you replace them in the cell and then also add the signer certs to the plugin-kdb file.

I hope this helps.
