Topic
  • 22 replies
  • Latest Post - ‏2008-11-13T18:58:54Z by wasero
SystemAdmin
SystemAdmin
3903 Posts

Pinned topic SSL: IHS + WAS

‏2007-01-24T08:39:58Z |
I'm looking for documentation which explains what should be done to enable SSL on both IBM HTTP Server 6.1 and WebSphere 6.1, but I can't find one. I'm using client certificate authentication, so turning off SSL between IHS and WAS is not an option. I have installed the same certificate on both IHS and WAS, but SSL communication still fails.
Updated on 2008-11-13T18:58:54Z by wasero
  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T14:18:24Z  
    See WAS InfoCenter on how to enable SSL between WAS and IHS (plug-in).
    http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tihs_localsetup.html

    Sunit

    <tomicmilan@yahoo.com> wrote in message
    news:919535123.1169628029230.JavaMail.wassrvr@ltsgwas009.sby.ibm.com...
    > I'm looking for documentation which explains what should be done to enable
    > SSL on both IBM HTTP Server 6.1 and WebSphere 6.1, but I can't find one.
    > I'm using client certificate authentication, so turning off SSL between
    > IHS and WAS is not an option. I have installed the same certificate on
    > both IHS and WAS, but SSL communication still fails.

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T14:55:29Z  
    > See WAS InfoCenter on how to enable SSL between WAS and IHS (plug-in).
    > http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tihs_localsetup.html

    I did that and now I got this error in IHS/WAS plugin:

    Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: lib_stream:
    openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_MESSAGE(gsk rc =
    410)
    Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
    websphereGetStream: Could not open stream
    Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
    websphereExecute: Failed to create the stream
    Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
    websphereHandleRequest: Failed to execute the transaction to
    'bernvsrvNode01_server1'on host 'bernvsrv'; will try another one
    Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
    websphereWriteRequestReadResponse: Failed to find an app server to handle
    this request
    Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ESI: getResponse:
    failed to get response: rc = 2
    Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
    websphereHandleRequest: Failed to handle request

    and this in my web server (IHS) access.log:

    10.9.72.251 - - 24/Jan/2007:15:49:56 +0100 "GET /snoop HTTP/1.1" 500 651

    and there are no errors or any information about this request in the WAS logs.

    Thank you for your help.

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T15:21:43Z  

    Which port is being used for communication between IHS and WAS? (This will
    be the web container's HTTP listener ports and should have SSL enabled). Are
    there any non-secure ports the webapp is listening on? The certificate being
    used by WAS web container will have a public key. This public key should be
    in the keystore used by plug-in as a signer certificate.

    Sunit

    "John Smith" <john.smith@microsoft.com> wrote in message
    news:ep7s13$1eo6k$1@news.boulder.ibm.com...
    >
    >> See WAS InfoCenter on how to enable SSL between WAS and IHS (plug-in).
    >> http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tihs_localsetup.html
    >
    > I did that and now I got this error in IHS/WAS plugin:
    >
    > Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: lib_stream:
    > openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_MESSAGE(gsk rc
    > = 410)
    > Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
    > websphereGetStream: Could not open stream
    > Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
    > websphereExecute: Failed to create the stream
    > Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
    > websphereHandleRequest: Failed to execute the transaction to
    > 'bernvsrvNode01_server1'on host 'bernvsrv'; will try another one
    > Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
    > websphereWriteRequestReadResponse: Failed to find an app server to handle
    > this request
    > Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ESI: getResponse:
    > failed to get response: rc = 2
    > Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
    > websphereHandleRequest: Failed to handle request
    >
    > and this in my web server (IHS) access.log:
    >
    > 10.9.72.251 - - 24/Jan/2007:15:49:56 +0100 "GET /snoop HTTP/1.1" 500 651
    >
    > and there are no errors or any information about this request in the WAS logs.
    >
    > Thank you for your help.
    >

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T15:36:57Z  

    John Smith wrote:
    >> See WAS InfoCenter on how to enable SSL between WAS and IHS (plug-in).
    >> http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tihs_localsetup.html
    >
    > I did that and now I got this error in IHS/WAS plugin:
    >
    > Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: lib_stream:
    > openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_MESSAGE(gsk rc =
    > 410)
    Probably plugin trying to talk SSL to a non-SSL port on the
    ApplicationServer
  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T15:38:12Z  
    > Which port is being used for communication between IHS and WAS? (This will
    > be the web containers HTTP listener ports and should have SSL enabled).
    > Are there any non-secure ports the webapp is listening on? The certificate
    > being used by WAS web container will have a public key. This public key
    > should be in the keystore used by plug-in as a signer certificate.

    IHS listens on port 443. My app under WAS works on port 9443. I am not sure
    which port IHS and WAS use to communicate, but I expect IHS to forward HTTPS
    requests from port 443 to port 9443.

    I have this configuration:

    Browser<->HTTPS<->IHS<->HTTPS<->WAS

    I require client certificate authentication on both IHS and WAS. I have
    imported WAS certificate into plugin and plugin's certificate into WAS key
    store.

    Do I need to set ProxyPass in httpd.conf? Something like this:

    LoadModule was_ap20_module "C:\IBM\HTTPServer\Plugins\bin\mod_was_ap20_http.dll"
    WebSpherePluginConfig "C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-cfg.xml"
    <VirtualHost 0.0.0.0:443>
    SSLEnable
    SSLServerCert selfSigned
    SSLClientAuth 2
    KeyFile "C:/IBM/HTTPServer/webserver1.kdb"
    SSLProxyEngine on
    ProxyPass /snoop https://193.77.98.85:9443/snoop
    ProxyPassReverse /snoop https://193.77.98.85:9443/snoop
    </VirtualHost>
    SSLDisable

    I have tried the above code, but still the same "Internal Server Error" :(

    Thank you.

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T15:42:17Z  

    Are there any ports other than 9443 defined as listener ports for the web
    container? If yes, remove them or mark them as SSL enabled and regenerate
    the plug-in config.

    Sunit

    "John Smith" <john.smith@microsoft.com> wrote in message
    news:ep7uh6$s056$1@news.boulder.ibm.com...
    >
    >> Which port is being used for communication between IHS and WAS? (This
    >> will
    >> be the web containers HTTP listener ports and should have SSL enabled).
    >> Are there any non-secure ports the webapp is listening on? The
    >> certificate being used by WAS web container will have a public key. This
    >> public key should be in the keystore used by plug-in as a signer
    >> certificate.
    >
    > IHS listens on port 443. My app under WAS works on port 9443. I am not
    > sure which port IHS and WAS use to communicate, but I expect IHS to
    > forward HTTPS requests from port 443 to port 9443.
    >
    > I have this configuration:
    >
    > Browser<->HTTPS<->IHS<->HTTPS<->WAS
    >
    > I require client certificate authentication on both IHS and WAS. I have
    > imported WAS certificate into plugin and plugin's certificate into WAS key
    > store.
    >
    > Do I need to set ProxyPass in httpd.conf? Something like this:
    >
    > LoadModule was_ap20_module
    > "C:\IBM\HTTPServer\Plugins\bin\mod_was_ap20_http.dll"
    > WebSpherePluginConfig
    > "C:\IBM\HTTPServer\Plugins\config\webserver1\plugin-cfg.xml"
    > <VirtualHost 0.0.0.0:443>
    > SSLEnable
    > SSLServerCert selfSigned
    > SSLClientAuth 2
    > KeyFile "C:/IBM/HTTPServer/webserver1.kdb"
    > SSLProxyEngine on
    > ProxyPass /snoop https://193.77.98.85:9443/snoop
    > ProxyPassReverse /snoop https://193.77.98.85:9443/snoop
    > </VirtualHost>
    > SSLDisable
    >
    > I have tried the above code, but still the same "Internal Server Error" :(
    >
    > Thank you.
    >

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T15:43:55Z  
    > Probably plugin trying to talk SSL to a non-SSL port on the
    > ApplicationServer

    I disagree. Below are the last lines from the plugin log. Pay attention to the line
    "lib_stream: openStream: Stream is SSL" and it seems that the correct 9443 port
    was used.

    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ws_common:
    websphereFindTransport: Finding the transport
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DETAIL: ws_common:
    websphereFindTransport: Setting the transport(case 1):
    bernardvsrv.adriatic.snt.eu on port 9443
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ws_common:
    websphereExecute: Executing the transaction with the app server
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: ws_common:
    websphereGetStream: Getting the stream to the app server
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ws_transport:
    transportStreamDequeue: Checking for existing stream from the queue
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: ws_common:
    websphereGetStream: socket 10712 connected to
    bernardvsrv.adriatic.snt.eu:9443
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: lib_stream:
    openStream: Opening the stream
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: lib_stream:
    openStream: Stream is SSL
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: lib_stream:
    openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_IO(gsk rc = 406)
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: lib_stream:
    destroyStream: Destroying the stream
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
    websphereGetStream: Could not open stream
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ws_common:
    websphereGetStream: socket 10712 closed - failed to open stream
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
    websphereExecute: Failed to create the stream
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: ws_server:
    serverSetFailoverStatus: Request to mark bernardvsrvNode01_server1 down
    ignored.
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - STATS: ws_server:
    serverSetFailoverStatus: Server bernardvsrvNode01_server1 : pendingRequests
    0 failedRequests 7 affinityRequests 0 totalRequests 0.
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
    websphereHandleRequest: Failed to execute the transaction to
    'bernardvsrvNode01_server1'on host 'bernardvsrv.adriatic.snt.eu'; will try
    another one
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
    websphereWriteRequestReadResponse: Failed to find an app server to handle
    this request
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ESI: getResponse:
    failed to get response: rc = 2
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ESI: esiHandleRequest:
    failed to get response
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ESI:
    esiRequestUrlStackDestroy
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DETAIL: ESI:
    esiRequestPopUrl: '/snoop/'
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ESI: esiUrlDestroy:
    '/snoop/'
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
    websphereHandleRequest: Failed to handle request
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ws_common:
    websphereCloseConnection
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DETAIL: ws_common:
    websphereEndRequest: Ending the request
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: mod_was_ap20_http:
    as_handler: set env WAS "bernardvsrv.adriatic.snt.e:9443"
    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: mod_was_ap20_http: in
    as_logger
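An added example, not part of the original thread: a small parser that re-joins the hard-wrapped plug-in log lines quoted above and ties each `r_gsk_secure_soc_init` failure to the transport (host, port, "Stream is SSL") that the same process/thread was using. The sample log is constructed from the two excerpts posted in this thread; `THREAD_READINGS` records what the participants suggested, not GSKit documentation.

```python
import re

# Constructed sample: lines from the two plug-in log excerpts in this thread,
# hard-wrapped the way the forum shows them.
SAMPLE_LOG = """\
Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: lib_stream:
openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_MESSAGE(gsk rc =
410)
Wed Jan 24 15:41:32 2007 0000112c 000004c0 - ERROR: ws_common:
websphereHandleRequest: Failed to execute the transaction to
'bernvsrvNode01_server1'on host 'bernvsrv'; will try another one
Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DETAIL: ws_common:
websphereFindTransport: Setting the transport(case 1):
bernardvsrv.adriatic.snt.eu on port 9443
Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: lib_stream:
openStream: Stream is SSL
Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: lib_stream:
openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_IO(gsk rc = 406)
Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
websphereHandleRequest: Failed to execute the transaction to
'bernardvsrvNode01_server1'on host 'bernardvsrv.adriatic.snt.eu'; will try
another one
"""

# "<ctime timestamp> <pid hex> <tid hex> - LEVEL: message"
HEADER = re.compile(
    r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"([0-9a-f]{8}) ([0-9a-f]{8}) - (\w+): (.*)$", re.I)
QUOTE_PREFIX = re.compile(r"^[\s>]+")  # forum indentation and "> " quoting
TRANSPORT = re.compile(r"Setting the transport\(case \d+\):\s*(\S+) on port (\d+)")
GSK_FAIL = re.compile(r"r_gsk_secure_soc_init:\s*(GSK_\w+)\s*\(gsk rc\s*=\s*(\d+)\)")
FAILED_TX = re.compile(
    r"Failed to execute the transaction to '([^']+)'\s*on host '([^']+)'")

# What participants in this thread read into each code (their suggestions).
THREAD_READINGS = {
    410: "something that was not valid SSL was read by the plug-in",
    406: "signer (public key) possibly not imported correctly",
}


def parse_records(text):
    """Return (time, pid, tid, level, message) tuples, re-joining wrapped lines."""
    records = []
    for raw in text.splitlines():
        line = QUOTE_PREFIX.sub("", raw).rstrip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            records.append(list(m.groups()))
        elif records:  # continuation of the previous record
            records[-1][4] += " " + line
    return [tuple(r) for r in records]


def handshake_failures(text):
    """One dict per GSK handshake failure, with the transport context seen so far."""
    state, pending, findings = {}, {}, []
    for when, pid, tid, level, msg in parse_records(text):
        key = (pid, tid)
        ctx = state.setdefault(key, {"host": None, "port": None, "ssl": False})
        m = TRANSPORT.search(msg)
        if m:
            ctx.update(host=m.group(1), port=int(m.group(2)), ssl=False)
            continue
        if "openStream: Stream is SSL" in msg:
            ctx["ssl"] = True
            continue
        m = GSK_FAIL.search(msg)
        if m:
            rc = int(m.group(2))
            finding = {"time": when, "gsk": m.group(1), "rc": rc,
                       "host": ctx["host"], "port": ctx["port"],
                       "ssl_line_seen": ctx["ssl"], "server": None,
                       "thread_reading": THREAD_READINGS.get(rc)}
            findings.append(finding)
            pending[key] = finding
            continue
        m = FAILED_TX.search(msg)
        if m and key in pending:
            # ERROR-only logs carry no transport lines; take the names from here.
            finding = pending.pop(key)
            finding["server"] = m.group(1)
            finding["host"] = finding["host"] or m.group(2)
    return findings


if __name__ == "__main__":
    for f in handshake_failures(SAMPLE_LOG):
        print(f)
```

With only ERROR-level lines (the first excerpt) the port stays unknown, which is why the later trace-level log was needed to see that 9443 was being used.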

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T15:52:13Z  
    > Are there any ports other than 9443 defined as listener ports for the web
    > container? If yes, remove them or mark them as SSL enabled and regenerate
    > the plug-in config.

    I believe you were referencing the plugin's configuration XML file
    (plugin-cfg.xml)? Those are the VHosts I have there:

    <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:9080"/>
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:9443"/>
    <VirtualHost Name="*:5060"/>
    <VirtualHost Name="*:5061"/>
    <VirtualHost Name="*:443"/>
    </VirtualHostGroup>
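An added example, not part of the original thread: in a generated plugin-cfg.xml the web container listener ports appear as `<Transport>` elements under each `<Server>`, while the `<VirtualHostGroup>` list holds the host aliases used to match incoming requests. The script below lists both and flags non-SSL transports and https transports without `keyring`/`stashfile` properties; the sample file, cluster name and keystore paths are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed plugin-cfg.xml fragment. Host and server names are the ones
# quoted in this thread; the cluster name and key file paths are made up.
SAMPLE_CFG = """\
<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:9080"/>
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:9443"/>
    <VirtualHost Name="*:443"/>
  </VirtualHostGroup>
  <ServerCluster Name="server1_Cluster">
    <Server Name="bernardvsrvNode01_server1">
      <Transport Hostname="bernardvsrv.adriatic.snt.eu" Port="9080" Protocol="http"/>
      <Transport Hostname="bernardvsrv.adriatic.snt.eu" Port="9443" Protocol="https">
        <Property Name="keyring" Value="C:/IBM/HTTPServer/Plugins/config/webserver1/plugin-key.kdb"/>
        <Property Name="stashfile" Value="C:/IBM/HTTPServer/Plugins/config/webserver1/plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>
"""

NON_SSL = "non-SSL transport"
NO_HTTPS = "server has no https transport"
NO_KEYRING = "https transport without keyring property"
NO_STASH = "https transport without stashfile property"


def virtual_host_ports(xml_text):
    """Ports from the VirtualHost aliases (request matching, not listeners)."""
    root = ET.fromstring(xml_text)
    return [int(vh.get("Name").rsplit(":", 1)[1]) for vh in root.iter("VirtualHost")]


def audit_transports(xml_text):
    """Return (server, port, issue) tuples for the plug-in to app server hop."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        name = server.get("Name", "?")
        transports = server.findall("Transport")
        if not any(t.get("Protocol", "").lower() == "https" for t in transports):
            findings.append((name, None, NO_HTTPS))
        for t in transports:
            port = int(t.get("Port", "0"))
            proto = t.get("Protocol", "").lower()
            if proto == "http":
                # The listener Sunit asks to remove or SSL-enable before
                # regenerating the plug-in config.
                findings.append((name, port, NON_SSL))
            elif proto == "https":
                props = {p.get("Name"): p.get("Value") for p in t.findall("Property")}
                if not props.get("keyring"):
                    findings.append((name, port, NO_KEYRING))
                if not props.get("stashfile"):
                    findings.append((name, port, NO_STASH))
    return findings


if __name__ == "__main__":
    print("VirtualHost alias ports:", virtual_host_ports(SAMPLE_CFG))
    for finding in audit_transports(SAMPLE_CFG):
        print(finding)
```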

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T15:58:34Z  

    >> Are there any ports other than 9443 defined as listener ports for the web
    >> container? If yes, remove them or mark them as SSL enabled and regenerate
    >> the plug-in config.

    And these are my Listen directives from httpd.conf, which show that my
    web server is not listening on any other ports except 80 and 443:

    Listen 0.0.0.0:443
    Listen 0.0.0.0:80

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T18:24:06Z  

    John Smith wrote:
    >> Which port is being used for communication between IHS and WAS? (This will
    >> be the web containers HTTP listener ports and should have SSL enabled).
    >> Are there any non-secure ports the webapp is listening on? The certificate
    >> being used by WAS web container will have a public key. This public key
    >> should be in the keystore used by plug-in as a signer certificate.
    >
    > IHS listens on port 443. My app under WAS works on port 9443. I am not sure
    > which port IHS and WAS use to communicate, but I expect IHS to forward HTTPS
    > requests from port 443 to port 9443.
    >
    > I have this configuration:
    >
    > Browser<->HTTPS<->IHS<->HTTPS<->WAS
    >
    > I require client certificate authentication on both IHS and WAS. I have
    > imported WAS certificate into plugin and plugin's certificate into WAS key
    > store.
    >
    > Do I need to set ProxyPass in httpd.conf? Something like this:

    ProxyPass performs a similar function to the plug-in -- you don't want
    to use IHS mod_proxy on the same set of URLs as you expect the plug-in
    to handle.

    What does an IP trace between IHS and WAS say is going on? The GSKit
    error quoted earlier implies something that wasn't valid SSL was read
    when the plugin tried to communicate using SSL.
  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T18:50:38Z  

    Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: lib_stream:
    openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_IO (gsk rc = 406)

    I am guessing that you have not imported the public-key correctly.

    Sunit

    "John Smith" <john.smith@microsoft.com> wrote in message
    news:ep7uru$1gs30$1@news.boulder.ibm.com...
    >
    >> Probably plugin trying to talk SSL to a non-SSL port on the
    >> ApplicationServer
    >
    > I disagree. Below are the last lines from the plugin log. Pay attention to the
    > line "lib_stream: openStream: Stream is SSL" and it seems that the correct
    > 9443 port was used.
    >
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ws_common:
    > websphereFindTransport: Finding the transport
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DETAIL: ws_common:
    > websphereFindTransport: Setting the transport(case 1):
    > bernardvsrv.adriatic.snt.eu on port 9443
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ws_common:
    > websphereExecute: Executing the transaction with the app server
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: ws_common:
    > websphereGetStream: Getting the stream to the app server
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ws_transport:
    > transportStreamDequeue: Checking for existing stream from the queue
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: ws_common:
    > websphereGetStream: socket 10712 connected to
    > bernardvsrv.adriatic.snt.eu:9443
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: lib_stream:
    > openStream: Opening the stream
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: lib_stream:
    > openStream: Stream is SSL
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: lib_stream:
    > openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_IO(gsk rc = 406)
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: lib_stream:
    > destroyStream: Destroying the stream
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
    > websphereGetStream: Could not open stream
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ws_common:
    > websphereGetStream: socket 10712 closed - failed to open stream
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
    > websphereExecute: Failed to create the stream
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: ws_server:
    > serverSetFailoverStatus: Request to mark bernardvsrvNode01_server1 down
    > ignored.
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - STATS: ws_server:
    > serverSetFailoverStatus: Server bernardvsrvNode01_server1 :
    > pendingRequests 0 failedRequests 7 affinityRequests 0 totalRequests 0.
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
    > websphereHandleRequest: Failed to execute the transaction to
    > 'bernardvsrvNode01_server1'on host 'bernardvsrv.adriatic.snt.eu'; will try
    > another one
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
    > websphereWriteRequestReadResponse: Failed to find an app server to handle
    > this request
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ESI: getResponse:
    > failed to get response: rc = 2
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ESI:
    > esiHandleRequest: failed to get response
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ESI:
    > esiRequestUrlStackDestroy
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DETAIL: ESI:
    > esiRequestPopUrl: '/snoop/'
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ESI: esiUrlDestroy:
    > '/snoop/'
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
    > websphereHandleRequest: Failed to handle request
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: ws_common:
    > websphereCloseConnection
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DETAIL: ws_common:
    > websphereEndRequest: Ending the request
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: mod_was_ap20_http:
    > as_handler: set env WAS "bernardvsrv.adriatic.snt.e:9443"
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - TRACE: mod_was_ap20_http:
    > in as_logger
    >
    >
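Added example, not part of the original posts: a Python sketch that re-joins the wrapped, `>`-quoted plug-in trace records shown above and summarises each request that ended in the trace (target, whether the stream was SSL, the GSK call and return code). The summary field names and the reading of the two hex columns as process and thread ids are assumptions.

```python
import re

# Excerpt of the plug-in trace quoted in this thread, as posted: newsreader
# "> " markers and hard-wrapped records are left in on purpose.
SAMPLE = """\
> Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DETAIL: ws_common:
> websphereFindTransport: Setting the transport(case 1):
> bernardvsrv.adriatic.snt.eu on port 9443
> Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DEBUG: lib_stream:
> openStream: Stream is SSL
> Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: lib_stream:
> openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_IO(gsk rc = 406)
> Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: ws_common:
> websphereWriteRequestReadResponse: Failed to find an app server to handle
> this request
> Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DETAIL: ESI:
> esiRequestPopUrl: '/snoop/'
> Wed Jan 24 16:30:42 2007 00000f24 00000d1c - DETAIL: ws_common:
> websphereEndRequest: Ending the request
"""

# Record head: timestamp, two hex ids (assumed: process and thread), level.
HEAD = re.compile(r"^\[?\w{3} \w{3} +\d+ [\d:]{8} \d{4}\]? (?P<pid>[0-9a-f]{8}) "
                  r"(?P<tid>[0-9a-f]{8}) - [A-Z]+: (?P<msg>.*)$")
TRANSPORT = re.compile(r"Setting the transport\(case \d+\): (\S+) on port (\d+)")
GSK = re.compile(r"Failed in (\w+): (\w+)\s*\(gsk rc = (\d+)\)")
URI = re.compile(r"esiRequestPopUrl: '([^']*)'")


def unwrap(text):
    """Strip quote markers and re-join records that a mail client wrapped."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^\s*(?:>\s*)*", "", line).rstrip()
        if not line:
            continue
        if HEAD.match(line) or not records:
            records.append(line)       # a new record starts with a timestamp
        else:
            records[-1] += " " + line  # continuation of the wrapped record
    return records


def summarize(text):
    """Return one summary dict per request that reaches websphereEndRequest."""
    pending, finished = {}, []
    for record in unwrap(text):
        m = HEAD.match(record)
        if not m:
            continue
        key, msg = (m["pid"], m["tid"]), m["msg"]
        req = pending.setdefault(key, {
            "uri": None, "target": None, "ssl": False, "gsk": None, "served": True})
        if t := TRANSPORT.search(msg):
            req["target"] = f"{t[1]}:{t[2]}"
        elif "openStream: Stream is SSL" in msg:
            req["ssl"] = True
        elif g := GSK.search(msg):
            req["gsk"] = {"call": g[1], "name": g[2], "rc": int(g[3])}
        elif "Failed to find an app server" in msg:
            req["served"] = False
        elif u := URI.search(msg):
            req["uri"] = u[1]
        elif "websphereEndRequest: Ending the request" in msg:
            finished.append(pending.pop(key))
    return finished


def diagnose(req):
    """One-line triage; the hint repeats the checks suggested in the thread."""
    if req["served"]:
        return f"{req['uri']}: no failure logged (target {req['target']})"
    if req["ssl"] and req["gsk"]:
        g = req["gsk"]
        return (f"{req['uri']}: SSL handshake with {req['target']} failed in "
                f"{g['call']} ({g['name']}, gsk rc = {g['rc']}); check that the "
                "plug-in key database trusts the server's current certificate")
    return f"{req['uri']}: no usable application server at {req['target']}"
```
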

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-24T18:52:09Z  

    These are from virtual_host setting in WAS. There is another setting for
    HTTP transport for the web application. My guess is that 9080, 9443, 5060
    and 5061 are defined as listener ports there and at least 9443 is SSL
    enabled.

    Sunit

    "John Smith" <john.smith@microsoft.com> wrote in message
    news:ep7vbf$1fk1s$1@news.boulder.ibm.com...
    >
    >> Are there any ports other than 9443 defined as listener ports for the web
    >> container? If yes, remove them or mark them as SSL enabled and regenerate
    >> the plug-in config.
    >
    > I believe you were referencing plugin's configuration XML file
    > (plugin-cfg.xml)? Those are VHosts I have there:
    >
    > <VirtualHostGroup Name="default_host">
    > <VirtualHost Name="*:9080"/>
    > <VirtualHost Name="*:80"/>
    > <VirtualHost Name="*:9443"/>
    > <VirtualHost Name="*:5060"/>
    > <VirtualHost Name="*:5061"/>
    > <VirtualHost Name="*:443"/>
    > </VirtualHostGroup>
    >
    >

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-01-25T15:26:26Z  

    I am saying this because the ikeyman refers to the required actions as
    "Extract" certificate under Personal Certificates and "Add" certificate
    under Signer Certificates.

    Sunit

    "Sunit Patke" <supatke@nospam.com> wrote in message
    news:ep89pu$1o034$1@news.boulder.ibm.com...
    > Wed Jan 24 16:30:42 2007 00000f24 00000d1c - ERROR: lib_stream:
    > openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_IO (gsk rc = 406)
    >
    > I am guessing that you have not imported the public-key correctly.
    >
    > Sunit
    >
    >

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-02-15T15:43:22Z  
    See WAS InfoCenter on how to enable SSL between WAS and IHS (plug-in).
    http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tihs_localsetup.html

    Sunit

    <tomicmilan@yahoo.com> wrote in message
    news:919535123.1169628029230.JavaMail.wassrvr@ltsgwas009.sby.ibm.com...
    > I'm looking for documentation which explains what should be done to enable
    > SSL on both IBM HTTP Server 6.1 and WebSphere 6.1, but I can't find one.
    > I'm using client certificate authentication, so turning off SSL between
    > IHS and WAS is not an option. I have installed the same certificate on
    > both IHS and WAS, but SSL communication still fails.

    I'm a co-worker of Milan and we've done this (SSL between WAS and IHS). It does not help. snoop works just fine (u/p...) and the plug-in trace looks just like the Security Handbook.

    But when you try to access our CLIENT_CERT J2EE web app via IHS there is no response. To be more exact, the app responds only on URIs where authentication isn't required. If we go to 9443 the app works like a charm.

    Any ideas, anyone?

    PS
    I've had a similar discussion on the WAS forum about this and it didn't resolve the issue.
  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-02-16T14:30:01Z  
    Please post your plugin-cfg.xml file

    Sunit

    <bernardv@gmail.com> wrote in message
    news:447046343.1171554233070.JavaMail.wassrvr@ltsgwas010.sby.ibm.com...
    > I'm a co-worker of Milan and we've done this (SSL between WAS and IHS). It
    > does not help. snoop works just fine (u/p...) and the plug-in trace looks just
    > like the Security Handbook.
    >
    > But when you try to access our CLIENT_CERT J2EE web app via IHS there is
    > no response. To be more exact, the app responds only on URIs where
    > authentication isn't required. If we go to 9443 the app works like a
    > charm.
    >
    > Any ideas, anyone?
    >
    > PS
    > I've had a similar discussion on the WAS forum about this and it didn't
    > resolve the issue.

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-02-19T14:33:45Z  
    Here is the plugin config file. We've also tried commenting the line with port 9080 (<Transport Hostname="si-eai-zpiz" Port="9080" Protocol="http" />) and it didn't make any difference.

    thanks, br, Bernard Velkaverh
    Updated on 2007-02-19T14:33:45Z at 2007-02-19T14:33:45Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-02-19T14:51:12Z  
    An idea of my own regarding plugin-cfg: should we add our app's uri (/m4m8/*) to UriGroup element?

    This is not specified in the security handbook, but it appears to make sense.
  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-02-19T15:17:43Z  
    And a fine idea it was. Now it's working!

    As I said, UriGroup isn't mentioned in the WAS Security handbook, I guess it should be.

    PS
    Perhaps some other app might work without adding anything to UriGroup. There is an element with ".jsp" pattern. But we use JSF with ".faces" (since RAD 7.0) like URIs and it just doesn't fit any of the existing entries.
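Added example, not part of the original post: a Python check of which request paths a plugin-cfg.xml would route to WAS, showing why `*.jsp` pages were forwarded while `.faces` URIs were not until `/m4m8/*` was added to the UriGroup. The config fragment is constructed, the cluster and group names are made up, and treating `*` as the only wildcard is an assumed simplification of the plug-in's matching.

```python
import re
import xml.etree.ElementTree as ET

# Constructed plugin-cfg.xml fragment. Element and attribute names follow the
# generated file; the cluster and group names are made up for this example.
PLUGIN_CFG = """\
<Config>
  <VirtualHostGroup Name="default_host">
    <VirtualHost Name="*:80"/>
    <VirtualHost Name="*:443"/>
    <VirtualHost Name="*:9443"/>
  </VirtualHostGroup>
  <UriGroup Name="default_host_server1_Cluster_URIs">
    <Uri Name="/snoop/*"/>
    <Uri Name="*.jsp"/>
  </UriGroup>
  <Route ServerCluster="server1_Cluster"
         UriGroup="default_host_server1_Cluster_URIs"
         VirtualHostGroup="default_host"/>
</Config>
"""


def _glob(pattern):
    """Compile a pattern where '*' is the only wildcard (assumed semantics)."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$")


def find_route(cfg_xml, host, port, path):
    """Return (cluster, matching Uri pattern), or None if no Route applies."""
    root = ET.fromstring(cfg_xml)
    vhosts = {g.get("Name"): [v.get("Name") for v in g.findall("VirtualHost")]
              for g in root.findall("VirtualHostGroup")}
    uris = {g.get("Name"): [u.get("Name") for u in g.findall("Uri")]
            for g in root.findall("UriGroup")}
    for route in root.findall("Route"):
        hosts = vhosts.get(route.get("VirtualHostGroup"), [])
        if not any(_glob(h).match(f"{host}:{port}") for h in hosts):
            continue  # request arrived on a host:port this route does not cover
        for pattern in uris.get(route.get("UriGroup"), []):
            if _glob(pattern).match(path):
                return route.get("ServerCluster"), pattern
    return None  # the web server keeps the request; WAS never sees it


def add_uri(cfg_xml, group, pattern):
    """Return the config text with one more <Uri> in the named UriGroup."""
    root = ET.fromstring(cfg_xml)
    for g in root.findall("UriGroup"):
        if g.get("Name") == group:
            ET.SubElement(g, "Uri", {"Name": pattern})
    return ET.tostring(root, encoding="unicode")
```
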
  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-02-20T14:15:54Z  
    Did you generate the plugin-cfg.xml from WAS adminconsole or manually create
    it?

    Sunit

    <bernardv@gmail.com> wrote in message
    news:374294696.1171896703274.JavaMail.wassrvr@ltsgwas009.sby.ibm.com...
    > An idea of my own regarding plugin-cfg: should we add our app's uri
    > (/m4m8/*) to UriGroup element?
    >
    > This is not specified in the security handbook, but it appears to make
    > sense.

  • SystemAdmin
    SystemAdmin
    3903 Posts

    Re: IHS + WAS

    ‏2007-02-20T15:26:36Z  
    I generated it (after installing my app). Then I had to manually edit UriGroup and add my uri element. I guess the server should be smart enough to adjust UriGroup automatically during generation.
  • Steven Charles Robinson
    3 Posts

    Re: IHS + WAS

    ‏2008-01-22T12:30:03Z  
    When you re-generate a plugin, you must remember that you might need to propagate the plugin. Depends on your design however. If IHS is on a node that does not contain the dmgr and you have your plugin location similar to:

    Section found in http.conf

    #Production Plugin settings
    LoadModule was_ap20_module /apps/was/IBMIHS/Plugins/bin/mod_was_ap20_http.so
    WebSpherePluginConfig /apps/was/ws6/inst01/profiles/server01/config/cells/nodes/server01/servers/ihs01/plugin-cfg.xml

    Then you have to ensure that the plugin is propagated to the node by the deployment manager. When the dmgr generates it locates the plugin in the dmgr folders, not the nodes. Misunderstanding this can often lead to a belief that the plugin is not working.

    Remember to also propagate if you are using ND. Saying that Application Server can also have a problem if you are using WAS 6 as WAS 6.1 does all the work for you. WAS 6 is more manual and prone to user error. WAS 6.1 was re-designed to make this simpler, but can often hide how it works.

    Regards

    Steven Robinson - WebSphere Tips
    http://www.webspheretips.com
  • wasero
    wasero
    9 Posts

    Re: IHS + WAS

    ‏2008-11-13T18:58:54Z  
    I'm a co-worker of Milan and we've done this (SSL between WAS and IHS). It does not help. snoop works just fine (u/p...) and the plug-in trace looks just like the Security Handbook.

    But when you try to access our CLIENT_CERT J2EE web app via IHS there is no response. To be more exact, the app responds only on URIs where authentication isn't required. If we go to 9443 the app works like a charm.

    Any ideas, anyone?

    PS
    I've had a similar discussion on the WAS forum about this and it didn't resolve the issue.

    If you are getting an internal server error and the plugin logs show the gsk error, chances are that your cell's default certificates have expired and you need to replace them with new ones. Make sure that you replace them in the cell and then also add the signer certs to the plugin-kdb file.

    I hope this helps.