Topic
  • 25 replies
  • Latest Post - ‏2012-05-31T19:19:43Z by SystemAdmin
SystemAdmin
SystemAdmin
3908 Posts

Pinned topic IBM HTTP Server + WAS 6.1

‏2007-06-04T08:08:30Z |
Hi Gurus,
I have installed IBM HTTP Server and WAS 6.1 on a Linux system. I have also followed the IBM docs to set up SSL. I am still unable to use https://servername/snoop. I have tried re-generating the plugin file, but the plugin log shows an error: r_gsk_secure_soc_init BAD_CERT.
Can anyone help me with this? You can send me any docs to recheck the SSL configuration.

Thanks
Fabian
Updated on 2012-05-31T19:19:43Z at 2012-05-31T19:19:43Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-04T11:38:30Z  
    Is it a gsk rc = 414?

    If so, this link may help.

    http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.support.was40.doc/html/Plug_in/swg21215867.html

    Unfortunately, it is old (v4), and may be a little confusing. Anyone know of a better link for this? The issue has been discussed here in the past, you could do a search.
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-04T11:54:48Z  
    Thanks for the link.
    I have followed the steps given in the link, but no help. Also I would like to inform that I have followed the steps given in the Doc, Configuring IBM HTTP server for SSL, to enable SSL.
    Your inputs would be appreciated.

    Thanks
    Fabian
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-04T14:05:03Z  
    Can you verify the virtual host that snoop is using and then verify that
    port 443 has been defined to host aliases in the virtual host. If not then
    do so, regenerate the plug-in and restart everything.

    • Sunit

    <fabianchettiar@gmail.com> wrote in message
    news:1498611351.1180944541643.JavaMail.wassrvr@ltsgwas009.sby.ibm.com...
    > Hi Guru's
    > I have installed IBM HTTP Server and WAS 6.1 on Linux system. I have also
    > followed IBM docs to setup SSL. I am still unable to use
    > https://servername/snoop. I have tried re-generating the Plugin file, but
    > the plugin logs shows an error: r_gsk_secure_soc_init BAD_CERT.
    > Can anyone help me with this. You can send me any docs to recheck the SSL
    > configuration.
    >
    > Thanks
    > Fabian

  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-04T14:50:02Z  
    Hi Sunit,
    I am able to get
    http://servername/snoop
    http://servername:9080/snoop
    https://servername:9443/snoop

    But unable to get https://servername/snoop

    Port 443 is already defined in environment->virtualhosts->hostaliases.

    The httpd.conf file entries are listed below:

    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    Listen 443
    <VirtualHost *:443>
    Keyfile "/opt/IBM/HTTPServer/BM/serverkey.kdb"
    SSLEnable
    SSLClientAuth 0

    Also I have tried this:

    <IfModule mod_ibm_ssl.c>
    Listen 443
    <VirtualHost *:443>
    SSLEnable
    </VirtualHost>
    </IfModule>
    SSLDisable
    KeyFile "/opt/IBM/HTTPServer/serverkey.kdb"

    I have tried both the settings one at a time. But to no luck. I am also attaching the plugin log file for your reference.
    Updated on 2007-06-04T14:50:02Z at 2007-06-04T14:50:02Z by SystemAdmin
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-04T15:41:51Z  
    Are you able to connect to https://servername? For troubleshooting purposes,
    comment out the WAS plugin from httpd.conf and try connecting to the
    webserver alone with HTTPS. Once this works correctly, re-enable the WAS
    plug-in and restart IHS. See error_log for any errors.

    • Sunit

    <fabianchettiar@gmail.com> wrote in message
    news:1778597484.1180968632414.JavaMail.wassrvr@ltsgwas010.sby.ibm.com...
    > Hi Sunit,
    > I am able to get
    > http://servername/snoop
    > http://servername:9080/snoop
    > https://servername:9443/snoop
    >
    > But unable to get https://servername/snoop
    >
    > Port 443 is already defined in environment->virtualhosts->hostaliases.
    >
    > The httpd.conf file entries are listed below:
    >
    > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    > Listen 443
    > <VirtualHost *:443>
    > Keyfile "/opt/IBM/HTTPServer/BM/serverkey.kdb"
    > SSLEnable
    > SSLClientAuth 0
    >
    > Also I have tried this:
    >
    > <IfModule mod_ibm_ssl.c>
    > Listen 443
    > <VirtualHost *:443>
    > SSLEnable
    > </VirtualHost>
    > </IfModule>
    > SSLDisable
    > KeyFile "/opt/IBM/HTTPServer/serverkey.kdb"
    >
    > I have tried both the settings one at a time. But to no luck. I am also
    > attaching the plugin log file for your reference.

  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-05T06:44:27Z  
    Hi Sunit,
    I am able to use https://servername without any issues. Also I have tried the suggestions given by you to comment out the Plugin file in httpd.conf file but no luck.
    Also checked the http_plugin.log, still get the same (ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)) error message.

    Also, can anyone let me know if there is any support site from IBM where I can log a call for this and get inputs from them?

    Thanks for all the inputs.
    Fabian
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-05T13:32:20Z  
    fabianchettiar@gmail.com wrote:
    > Hi Sunit,
    > I am able to use https://servername without any issues. Also i have tried the suggestions given by you to comment out the Plugin file in httpd.conf file but no luck.
    > Also checked the http_plugin.log still get the same (ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)) error message.
    >
    > Also can anyone let me know is there is any support site from IBM where I can log a call for this and get inputs from them.
    >
    > Thanks for all the inputs.
    > Fabian

    Depending on where you were in the handshake, either WAS can't validate
    the SSL certificate used by the plugin or the other way around.

    Check expiration and trust chain.
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-05T19:34:47Z  
    Make sure that the certificate used by WAS is in the kdb file used by plugin
    as a signer certificate. You will have to see the plugin config file to find
    the name of kdb file you are using. This is happening because your
    configuration is using SSL between IHS and WAS. It is possible to use SSL
    only between browser and IHS.

    • Sunit

    <fabianchettiar@gmail.com> wrote in message
    news:1480048345.1181025908733.JavaMail.wassrvr@ltsgwas009.sby.ibm.com...
    > Hi Sunit,
    > I am able to use https://servername without any issues. Also i have tried
    > the suggestions given by you to comment out the Plugin file in httpd.conf
    > file but no luck.
    > Also checked the http_plugin.log still get the same (ERROR: lib_stream:
    > openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc =
    > 414)) error message.
    >
    > Also can anyone let me know is there is any support site from IBM where I
    > can log a call for this and get inputs from them.
    >
    > Thanks for all the inputs.
    > Fabian

  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-05T19:37:42Z  
    Fabian,

    Earlier, I pointed you to a link that fixes a similar problem. I had this happen last month with the same symptoms as yours and it fixed mine. That link was for V4 and was rather confusing. I have documented the steps I took below:

    fred

    The following error is generated if your WebSphere Application Server SSL
    certificate is not trusted by the WebSphere Application Server Plugin
    configured for the IBM HTTP Server:

    ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init:
    GSK_ERROR_BAD_CERT(gsk rc = 414)

    To fix this error:

    Extract the default Personal Certificate
    1. Login to the WebSphere Application Server Administrative Console
    2. Select Security > SSL certificate and key management > Key Stores and certificates
    3. Select NodeDefaultKeyStore for a stand-alone deployment or
    CellDefaultKeyStore for a network deployment.
    4. Click Personal Certificates, select the default check box, and then click Extract.
    5. Give the extracted file a path and name, such as: /root/defaultCert.ARM.
    Note: The convention is to give the file a .ARM extension.
    6. Leave encoding set to Base64.
    7. Click OK.

    Locate your *.kdb file
    1. In the httpd.conf file, find the directory in which the plugin-cfg.xml file is
    stored by searching for the WebSpherePluginConfig line. It should look something like this:
    WebSpherePluginConfig "/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-cfg.xml"
    2. Find the directory in which the key database file (*.kdb) is stored by searching
    for the term "keyring" in the plugin-cfg.xml file. For example:
    <Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb"/>
    Note this location as you will need to use it later.

    Add the extracted certificate to your key database file
    1. Go to the directory for ikeyman and start it:
    cd /opt/IBM/HTTPServer/bin
    ./ikeyman
    2. Click Key Database File > Open, and then select a key database type of CMS.
    3. Specify the filename and location you found above. For example: plugin-key.kdb and
    /opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb
    4. Click OK, and then enter the password. Note: If you have not given this file another password,
    the default password from WebSphere Application Server is WebAS (case sensitive).
    5. Click Personal Certificates drop down and then select Signer Certificates.
    6. Click Add.
    7. Browse to the file you exported with the extension *.ARM, Select it, then Open and click OK. Supply a name if prompted.
    8. Select Key Database File > Save As and save to the original location.
    9. Select Key Database File > Exit.
    10. Restart the IBM HTTP Server.
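
The "Locate your *.kdb file" steps above can be scripted, which helps avoid editing the wrong key database (the IHS `KeyFile` serves browser connections, while the plugin's `keyring` is the one that must trust the WAS certificate). The following is an added example, not part of the original post or any IBM tooling; the sample file contents are constructed, and the `stashfile` property, the commented-out directive and the server and cluster names are assumptions about a typical plugin-cfg.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files; paths follow the ones quoted in the thread.
SAMPLE_HTTPD_CONF = """\
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
Listen 443
<VirtualHost *:443>
SSLEnable
</VirtualHost>
SSLDisable
KeyFile "/opt/IBM/HTTPServer/serverkey.kdb"
# WebSpherePluginConfig "/opt/IBM/HTTPServer/old/plugin-cfg.xml"
WebSpherePluginConfig "/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-cfg.xml"
"""

SAMPLE_PLUGIN_CFG = """\
<Config>
  <ServerCluster Name="server1_Cluster">
    <Server Name="node1_server1">
      <Transport Hostname="servername" Port="9080" Protocol="http"/>
      <Transport Hostname="servername" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb"/>
        <Property Name="stashfile" Value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.sth"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>
"""


def directive_values(conf_text, name):
    """Arguments of every uncommented occurrence of an httpd.conf directive.

    Directive names are matched case-insensitively, so both the "Keyfile"
    and "KeyFile" spellings seen in the thread are found.
    """
    values = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.*)$", line)
        if m and m.group(1).lower() == name.lower():
            values.append(m.group(2).strip().strip('"'))
    return values


def https_transports(plugin_cfg_text):
    """Every HTTPS transport in plugin-cfg.xml with its keyring and stash file."""
    root = ET.fromstring(plugin_cfg_text)
    found = []
    for server in root.iter("Server"):
        for transport in server.findall("Transport"):
            if transport.get("Protocol", "").lower() != "https":
                continue
            props = {p.get("Name"): p.get("Value")
                     for p in transport.findall("Property")}
            found.append({
                "server": server.get("Name"),
                "endpoint": "%s:%s" % (transport.get("Hostname"),
                                       transport.get("Port")),
                "keyring": props.get("keyring"),
                "stashfile": props.get("stashfile"),
            })
    return found


def audit(conf_text, plugin_cfg_text):
    """Report which kdb serves browsers and which one the plugin uses for WAS."""
    ihs_keyfiles = directive_values(conf_text, "KeyFile")
    transports = https_transports(plugin_cfg_text)
    notes = []
    for t in transports:
        if not t["keyring"]:
            notes.append("%s: https transport has no keyring property"
                         % t["endpoint"])
        elif t["keyring"] in ihs_keyfiles:
            notes.append("%s: plugin and IHS share %s"
                         % (t["endpoint"], t["keyring"]))
        else:
            notes.append("%s: the WAS signer belongs in %s, not in the IHS KeyFile"
                         % (t["endpoint"], t["keyring"]))
    return {
        "plugin_config": directive_values(conf_text, "WebSpherePluginConfig"),
        "ihs_keyfiles": ihs_keyfiles,
        "transports": transports,
        "notes": notes,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_HTTPD_CONF, SAMPLE_PLUGIN_CFG)
    print("plugin-cfg.xml:", report["plugin_config"])
    print("IHS KeyFile:   ", report["ihs_keyfiles"])
    for note in report["notes"]:
        print("note:", note)
```

On a real server, read the two files from disk and pass their contents to `audit()`; the plugin-cfg.xml path comes from the `plugin_config` entry of the first pass over httpd.conf.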

  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-10T05:55:28Z  
    Hi Eric,
    I have checked the expiry date of the SSL certificate and trust chain. I would like to recheck the trust chain, please let me know how to do that.

    Regards
    Fabian
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-10T06:14:00Z  
    Hi Sunit,
    I checked the kdb file used by the plugin file as a signer certificate. I have also checked the name of the kdb file but issue persists.

    Regards
    Fabian
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-10T06:17:45Z  
    Hi Fred,
    I have tried all the steps given by you but the issue persists. Fred, I would like to know this step:

    Select Key Database File > Save As and save to the original location.

    At this point you would want me to save the file with the default name (key.kdb) and the default location. I have done this but issue persists.

    Regards
    Fabian
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-10T13:05:27Z  
    fabianchettiar@gmail.com wrote:
    > Hi Eric,
    > I have checked the expiry date of the SSL certificate and trust chain. I would like to recheck the trust chain, please let me know how to do that.
    >
    > Regards
    > Fabian

    Every cert contains a subject and issuer. On top-level certificate
    authorities' certificates, the subject and issuer are the same.

    You declare that you trust a given certificate authority by including it
    in your KDB 'signer certs' section and having the "trusted" box checked.

    Any other certificate your server comes in contact with must be able to
    trace back to a certificate authority that you already trust.
    Simplified, when you make a connection from the plugin to WAS, whoever
    issued/signed the WAS certificate must exist as a trusted cert authority
    in your plugin KDB file.

    The opposite may also be true, but usually the plugin does not provide a
    client certificate to WAS.
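
The subject/issuer walk described above, as an added example that is not part of the original reply and is not GSKit's implementation. It is a simplified model that follows names and expiry dates only and performs no signature verification; the certificate records, names and dates are constructed.

```python
from datetime import date

MAX_DEPTH = 8  # guard against issuer loops in malformed input


def check_trust(peer, presented, signers, today):
    """Walk issuer links from the peer certificate to a trusted signer.

    peer      -- certificate the server (WAS) presents
    presented -- intermediate certificates sent along with it
    signers   -- 'signer certs' in the plugin KDB, each with a 'trusted' flag
    Returns (ok, reason).
    """
    by_subject = {c["subject"]: c for c in presented}
    anchors = {c["subject"]: c for c in signers if c["trusted"]}
    cert = peer
    for _ in range(MAX_DEPTH):
        if cert["not_after"] < today:
            return False, "expired: " + cert["subject"]
        issuer = cert["issuer"]
        anchor = anchors.get(issuer)
        if anchor is not None:
            if anchor["not_after"] < today:
                return False, "trusted signer expired: " + issuer
            return True, "chains to trusted signer: " + issuer
        if issuer == cert["subject"]:
            # Top of the chain reached without meeting a trusted signer.
            return False, "self-signed and not a trusted signer: " + issuer
        nxt = by_subject.get(issuer)
        if nxt is None:
            return False, "issuer certificate not available: " + issuer
        cert = nxt
    return False, "chain too long"


def signer(cert, trusted=True):
    """Copy of a certificate record as it would sit in the KDB signer list."""
    return dict(cert, trusted=trusted)


# Constructed records: a self-signed WAS certificate, a CA and an intermediate.
TODAY = date(2007, 6, 10)
WAS_CERT = {"subject": "CN=servername,O=IBM,C=US",
            "issuer": "CN=servername,O=IBM,C=US",
            "not_after": date(2008, 6, 1)}
ROOT_CA = {"subject": "CN=Example Root CA",
           "issuer": "CN=Example Root CA",
           "not_after": date(2020, 1, 1)}
ISSUING_CA = {"subject": "CN=Example Issuing CA",
              "issuer": "CN=Example Root CA",
              "not_after": date(2015, 1, 1)}
CA_ISSUED_CERT = {"subject": "CN=servername",
                  "issuer": "CN=Example Issuing CA",
                  "not_after": date(2008, 6, 1)}

if __name__ == "__main__":
    cases = [
        ("KDB holds only a public CA", WAS_CERT, [], [signer(ROOT_CA)]),
        ("WAS cert added as signer", WAS_CERT, [], [signer(WAS_CERT)]),
        ("added but 'trusted' unchecked", WAS_CERT, [],
         [signer(WAS_CERT, trusted=False)]),
        ("CA-issued cert with intermediate", CA_ISSUED_CERT, [ISSUING_CA],
         [signer(ROOT_CA)]),
    ]
    for label, peer, chain, kdb in cases:
        print(label, "->", check_trust(peer, chain, kdb, TODAY))
```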
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-10T21:19:36Z  
    >> Select Key Database File > Save As and save to the original location.

    That was confusing to me too. When I was preparing SSL, I used ikeyman as well, and created a key database using the default key.kdb and put it in the default /bin directory.

    Then, later, I encountered the problem you have and started following directions to work on the /opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb file instead of the one I made earlier. That was the one my plugin-cfg.xml file pointed me to.

    What I meant in that step was to save it back to the same name you opened it as: /opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb (ikeyman did not have a save, only a save as).
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-11T14:44:02Z  
    Hi Fred,
    I tried all the steps mentioned but the issue persists. Can you please send me a link to configure/recheck SSL? Also, if you need any other details then please let me know.

    Regards
    Fabian
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-11T14:54:43Z  
    http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.ihs.doc/info/ihs/ihs/tihs_setupssl.html
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-11T15:35:41Z  
    ??? I checked the kdb file used by the plugin file as a signer certificate.

    Sunit

    <fabianchettiar@gmail.com> wrote in message
    news:1666892220.1181456070344.JavaMail.wassrvr@ltsgwas009.sby.ibm.com...
    > Hi Sunit,
    > I checked the kdb file used by the plugin file as a signer certificate. I
    > have also checked the name of the kdb file but issue persists.
    >
    > Regards
    > Fabian

  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-12T14:00:50Z  
    Hi Fred,
    I have followed the same steps but was getting the GSK_ERROR_BAD_CERT(gsk rc = 414) error message.
    Then I followed the steps given by you to resolve the error but issue persists.

    Any other inputs would be appreciated.

    Regards
    Fabian
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-13T13:29:16Z  
    I'm not sure why it is not working for you. One thing may be the software levels. You may have different requirements, but the system I am working on required fix pack 3:

    Fixpack 3:
    6.1.0.3: WebSphere Application Server V6.1.0 Fix Pack 3 for Linux
    http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24013772

    Files:
    6.1.0-WS-AppClient-LinuxX32-FP0000003.pak (not needed in my case)
    6.1.0-WS-IHS-LinuxX32-FP0000003.pak
    6.1.0-WS-PLG-LinuxX32-FP0000003.pak
    6.1.0-WS-WAS-LinuxX32-FP0000003.pak
    Update Installer:
    It is best to get the latest Update installer rather than using the launchpad to install the one shipped with WAS 6.1.

    Update Installer for WebSphere Application Server V6.1 releases
    http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012718

    File: download.updii.6101.linux.ia32.zip

    Fixpack 3 readme:
    Readme for IBM WebSphere Application Server version 6.1.0.3
    http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27008686
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-07-01T09:11:18Z  
    Hi Fred,
    I have tried all the suggestions given, also applied fix pack 9. I have tried to recheck and redo the settings, but get the same error message.
    Fred can you give me the steps to configure SSL, I would like to know if I have followed the right steps.

    Below are the steps that I have followed to configure SSL.
    1. Created a new KDB file using the ikeyman utility.
    2. Created a new Self-Signed certificate.
    3. Extracted the Cert.arm to a specific folder.
    4. Added the Cert.arm file
    5. Configured the httpd.conf file to enable SSL configuration and restarted the HTTP server.
    6. Configured the Environment settings (Virtual hosts) in WAS and restarted the WAS.

    Please confirm if the above mentioned steps are correct and enough and let me know if I am missing something.

    Thanks and regards
    Fabian
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-07-01T13:57:27Z  
    fabianchettiar@gmail.com wrote:
    > Hi Fred,
    > I have tried all the suggestions given, also applied fix pack 9. I have tried to recheck and redo the settings, but get the same error message.
    > Fred can you give me the steps to configure SSL, I would like to know if I have followed the right steps.
    >
    > Below are the steps that I have followed to configure SSL.
    > 1. Created a new KDB file using the ikeyman utility.
    > 2. Created a new Self-Signed certificate.
    > 3. Extracted the Cert.arm to a specific folder.
    > 4. Added the Cert.arm file
    > 5. Configured the httpd.conf file to enable SSL configuration and restarted the HTTP server.
    > 6. Configured the Environment settings (Virtual hosts) in WAS and restarted the WAS.
    >
    > Please confirm if the above mentioned steps are correct and enough and let me know if I am missing something.

    You weren't very clear in the steps you performed.

    You have a self-signed certificate being used by WebSphere, in a JKS
    file. Does the plug-in KDB file "trust" the self-signed issuer?

    Extract from the WebSphere JKS, "add" in ikeyman gui to the Plugin KDB.
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-07-09T09:23:23Z  
    Hi Eric,
    thanks for the info, but I am not very clear on some points.

    1. I have created the KDB file and am not using any JKS file.

    If you could tell me

    1. What does this mean: Does the plug-in KDB file "trust" the self-signed issuer?
    2. Extract from the WebSphere JKS, "add" in ikeyman gui to the Plugin KDB (I am not using any JKS file)

    It would be very kind if you could explain this to me. Resetting or reconfiguring SSL is also fine by me. Therefore, I would request you to e-mail me the steps for setting up SSL for WAS 6.1.

    I am able to access this:

    http://servername
    http://servername/snoop
    https://servername
    https://servername:9443/snoop

    Unable to access https://servername/snoop

    Thanks in advance
    Regards
    Fabian
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-07-09T14:53:29Z  
    fabianchettiar@gmail.com wrote:
    > Hi Eric,
    > thanks for the info, but I am not very clear on some points.
    >
    > 1. I have created the KDB file and am not using any JKS file.

    I'd think that if the Application Server has an SSL transport, it would
    have a JKS file with at least 1 private key.

    >
    > If you could tell me
    >
    > 1. What does this mean: Does the plug-in KDB file "trust" the self-signed issuer?
    The KDB has a section called "Signer Certs" that it trusts. If the
    certificate on the backend appserver isn't signed by one of these known
    issuers, it won't be accepted. Same as when a browser prompts you about
    a self-signed cert.

    > 2. Extract from the WebSphere JKS, "add" in ikeyman gui to the Plugin KDB (I am not using any JKS file)
    >

    Does WebSphere provide an SSL certificate when you perform a handshake
    directly? Find where it's stored.

    > It would be very kind if you could explain this to me. Resetting or reconfiguring SSL is also fine by me. Therefore, I would request you to e-mail me the steps for setting up SSL for WAS 6.1.
    >
    > I am able to access this:
    >
    > http://servername
    > http://servername/snoop
    > https://servername
    > https://servername:9443/snoop
    >
    > Unable to access https://servername/snoop
    >
    > Thanks in advance
    > Regards
    > Fabian
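
Added example (not part of the thread and not IBM's tooling): the signer-trust check described in the reply above, reproduced with openssl as a stand-in for the plug-in's GSKit check. The certificates, the names was-appserver and ihs-webserver, and signers.pem (playing the role of the KDB's "Signer Certs" section) are constructed assumptions.

```shell
#!/bin/sh
# Constructed demo: openssl stands in for the plug-in's GSKit trust check.
# signers.pem plays the role of the plug-in KDB "Signer Certs" section.

# make_self_signed CN KEYFILE CERTFILE: create a throwaway self-signed cert.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$2" -out "$3" >/dev/null 2>&1
}

# signer_trusted SIGNERS_PEM CERT_PEM: succeeds only if CERT_PEM chains to a
# certificate listed in SIGNERS_PEM, which is what the plug-in requires of
# the certificate the application server presents.
signer_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: prints the verdict before and after the app server's certificate is
# added as a signer, e.g. "rejected trusted".
demo() {
    dir=$(mktemp -d) || return 2
    make_self_signed "was-appserver" "$dir/was.key" "$dir/was.pem" || return 2
    make_self_signed "ihs-webserver" "$dir/ihs.key" "$dir/ihs.pem" || return 2

    # Signer list that only knows the web server's own self-signed cert:
    # browser -> web server works, but web server -> app server is refused.
    cp "$dir/ihs.pem" "$dir/signers.pem"
    if signer_trusted "$dir/signers.pem" "$dir/was.pem"; then
        before=trusted
    else
        before=rejected
    fi

    # Add the app server's self-signed cert as a signer (the "add" step).
    cat "$dir/was.pem" >> "$dir/signers.pem"
    if signer_trusted "$dir/signers.pem" "$dir/was.pem"; then
        after=trusted
    else
        after=rejected
    fi

    rm -rf "$dir"
    echo "$before $after"
}
```

Running `demo` shows the same split seen in the thread: each endpoint's own certificate is fine on its own, and the hop between them fails until the backend's signer is in the trust list.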
  • SystemAdmin
    SystemAdmin
    3908 Posts

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-07-21T07:21:14Z  
    Hi Eric,
    I have followed all the steps but the issue still persists. It would be of great help if you could send me the steps to set up SSL.
    Resetting or reconfiguring SSL is also fine by me. It will be of great help if you could send me the steps for setting up SSL for WAS 6.1.

    Thanks and Regards
    Fabian