25 replies Latest Post - ‏2012-05-31T19:19:43Z by SystemAdmin
SystemAdmin
3908 Posts

Pinned topic IBM HTTP Server + WAS 6.1

‏2007-06-04T08:08:30Z |
Hi Gurus
I have installed IBM HTTP Server and WAS 6.1 on a Linux system. I have also followed IBM docs to set up SSL. I am still unable to use https://servername/snoop. I have tried re-generating the plugin file, but the plugin log shows an error: r_gsk_secure_soc_init BAD_CERT.
Can anyone help me with this? You can send me any docs to recheck the SSL configuration.

Thanks
Fabian
  • SystemAdmin

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-04T11:38:30Z  in response to SystemAdmin
    Is it a gsk rc = 414?

    If so, this link may help.

    http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.support.was40.doc/html/Plug_in/swg21215867.html

    Unfortunately, it is old (v4), and may be a little confusing. Anyone know of a better link for this? The issue has been discussed here in the past, you could do a search.
    • SystemAdmin

      Re: IBM HTTP Server + WAS 6.1

      ‏2007-06-04T11:54:48Z  in response to SystemAdmin
      Thanks for the link.
      I have followed the steps given in the link, but no help. Also I would like to inform that I have followed the steps given in the Doc, Configuring IBM HTTP server for SSL, to enable SSL.
      Your inputs would be appreciated.

      Thanks
      Fabian
  • SystemAdmin

    Re: IBM HTTP Server + WAS 6.1

    ‏2007-06-04T14:05:03Z  in response to SystemAdmin
    Can you verify the virtual host that snoop is using and then verify that
    port 443 has been defined to host aliases in the virtual host? If not then
    do so, regenerate the plug-in and restart everything.

    - Sunit

    <fabianchettiar@gmail.com> wrote in message
    news:1498611351.1180944541643.JavaMail.wassrvr@ltsgwas009.sby.ibm.com...
    > Hi Gurus
    > I have installed IBM HTTP Server and WAS 6.1 on a Linux system. I have also
    > followed IBM docs to set up SSL. I am still unable to use
    > https://servername/snoop. I have tried re-generating the plugin file, but
    > the plugin log shows an error: r_gsk_secure_soc_init BAD_CERT.
    > Can anyone help me with this? You can send me any docs to recheck the SSL
    > configuration.
    >
    > Thanks
    > Fabian

    • SystemAdmin

      Re: IBM HTTP Server + WAS 6.1

      ‏2007-06-04T14:50:02Z  in response to SystemAdmin
      Hi Sunit,
      I am able to get
      http://servername/snoop
      http://servername:9080/snoop
      https://servername:9443/snoop

      But unable to get https://servername/snoop

      Port 443 is already defined in environment->virtualhosts->hostaliases.

      The httpd.conf file entries are listed below:

      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
      Listen 443
      <VirtualHost *:443>
      Keyfile "/opt/IBM/HTTPServer/BM/serverkey.kdb"
      SSLEnable
      SSLClientAuth 0

      Also I have tried this:

      <IfModule mod_ibm_ssl.c>
      Listen 443
      <VirtualHost *:443>
      SSLEnable
      </VirtualHost>
      </IfModule>
      SSLDisable
      KeyFile "/opt/IBM/HTTPServer/serverkey.kdb"

      I have tried both the settings one at a time. But to no luck. I am also attaching the plugin log file for your reference.
      • SystemAdmin

        Re: IBM HTTP Server + WAS 6.1

        ‏2007-06-04T15:41:51Z  in response to SystemAdmin
        Are you able to connect to https://servername? For troubleshooting purposes,
        comment out the WAS plugin from httpd.conf and try connecting to the
        webserver alone with HTTPS. Once this works correctly, re-enable the WAS
        plug-in and restart IHS. See error_log for any errors.

        - Sunit

        <fabianchettiar@gmail.com> wrote in message
        news:1778597484.1180968632414.JavaMail.wassrvr@ltsgwas010.sby.ibm.com...
        > Hi Sunit,
        > I am able to get
        > http://servername/snoop
        > http://servername:9080/snoop
        > https://servername:9443/snoop
        >
        > But unable to get https://servername/snoop
        >
        > Port 443 is already defined in environment->virtualhosts->hostaliases.
        >
        > The httpd.conf file entries are listed below:
        >
        > LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
        > Listen 443
        > <VirtualHost *:443>
        > Keyfile "/opt/IBM/HTTPServer/BM/serverkey.kdb"
        > SSLEnable
        > SSLClientAuth 0
        >
        > Also I have tried this:
        >
        > <IfModule mod_ibm_ssl.c>
        > Listen 443
        > <VirtualHost *:443>
        > SSLEnable
        > </VirtualHost>
        > </IfModule>
        > SSLDisable
        > KeyFile "/opt/IBM/HTTPServer/serverkey.kdb"
        >
        > I have tried both the settings one at a time. But to no luck. I am also
        > attaching the plugin log file for your reference.

        • SystemAdmin

          Re: IBM HTTP Server + WAS 6.1

          ‏2007-06-05T06:44:27Z  in response to SystemAdmin
          Hi Sunit,
          I am able to use https://servername without any issues. Also I have tried the suggestions given by you to comment out the Plugin file in httpd.conf file but no luck.
          Also checked the http_plugin.log, still get the same (ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)) error message.

          Also can anyone let me know if there is any support site from IBM where I can log a call for this and get inputs from them?

          Thanks for all the inputs.
          Fabian
          • SystemAdmin

            Re: IBM HTTP Server + WAS 6.1

            ‏2007-06-05T13:32:20Z  in response to SystemAdmin
            fabianchettiar@gmail.com wrote:
            > Hi Sunit,
            > I am able to use https://servername without any issues. Also I have tried the suggestions given by you to comment out the Plugin file in httpd.conf file but no luck.
            > Also checked the http_plugin.log, still get the same (ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414)) error message.
            >
            > Also can anyone let me know if there is any support site from IBM where I can log a call for this and get inputs from them?
            >
            > Thanks for all the inputs.
            > Fabian

            Depending on where you were in the handshake, either WAS can't validate
            the SSL certificate used by the plugin or the other way around.

            Check expiration and trust chain.
            • SystemAdmin

              Re: IBM HTTP Server + WAS 6.1

              ‏2007-06-10T05:55:28Z  in response to SystemAdmin
              Hi Eric,
              I have checked the expiry date of the SSL certificate and trust chain. I would like to recheck the trust chain, please let me know how to do that.

              Regards
              Fabian
              • SystemAdmin

                Re: IBM HTTP Server + WAS 6.1

                ‏2007-06-10T13:05:27Z  in response to SystemAdmin
                fabianchettiar@gmail.com wrote:
                > Hi Eric,
                > I have checked the expiry date of the SSL certificate and trust chain. I would like to recheck the trust chain, please let me know how to do that.
                >
                > Regards
                > Fabian

                Every cert contains a subject and issuer. On top-level certificate
                authority certificates, the subject and issuer are the same.

                You declare that you trust a given certificate authority by including it
                in your KDB 'signer certs' section and having the "trusted" box checked.

                Any other certificate your server comes in contact with must be able to
                trace back to a certificate authority that you already trust.
                Simplified, when you make a connection from the plugin to WAS, whoever
                issued/signed the WAS certificate must exist as a trusted cert authority
                in your plugin KDB file.

                The opposite may also be true, but usually the plugin does not provide a
                client certificate to WAS.
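The subject/issuer rule described in this reply, written out as an added Python example (not part of the original post and not GSKit's own code). The names `Cert` and `check_chain` and the sample certificates are constructed for illustration, and the model compares names and dates only; a real validator also verifies each signature.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date

    @property
    def self_signed(self):
        # Top-level CA and self-signed certs: subject and issuer are the same.
        return self.subject == self.issuer


def check_chain(leaf, presented, signers, today):
    """Walk issuer links from `leaf` until a trusted signer is reached.

    presented: extra certs sent by the peer (intermediates).
    signers:   {subject: (Cert, trusted_flag)}, a model of the KDB
               'signer certs' section and its "trusted" check box.
    Returns (ok, reason).
    """
    by_subject = {c.subject: c for c in presented}
    cert, seen = leaf, set()
    while True:
        if cert.not_after < today:
            return False, f"expired: {cert.subject}"
        if cert.subject in seen:
            return False, f"issuer loop at {cert.subject}"
        seen.add(cert.subject)

        entry = signers.get(cert.issuer)
        if entry is not None:
            signer, trusted = entry
            if not trusted:
                return False, f"signer present but not trusted: {signer.subject}"
            if signer.not_after < today:
                return False, f"expired signer: {signer.subject}"
            return True, f"anchored at trusted signer {signer.subject}"

        if cert.self_signed:
            # Nothing further to trace back to: the cert itself would have
            # to be listed as a signer for the chain to be accepted.
            return False, f"self-signed and not in signer certs: {cert.subject}"

        issuer_cert = by_subject.get(cert.issuer)
        if issuer_cert is None:
            return False, f"issuer not found: {cert.issuer}"
        cert = issuer_cert


# Constructed sample data (not taken from any real system).
TODAY = date(2007, 6, 10)
WAS_SELF_SIGNED = Cert("CN=servername", "CN=servername", date(2008, 6, 1))
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", date(2015, 1, 1))
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA", date(2010, 1, 1))
WAS_CA_ISSUED = Cert("CN=servername", "CN=Example Issuing CA", date(2008, 6, 1))

if __name__ == "__main__":
    cases = {
        "self-signed, empty signer list": (WAS_SELF_SIGNED, [], {}),
        "self-signed, added as signer": (
            WAS_SELF_SIGNED, [], {WAS_SELF_SIGNED.subject: (WAS_SELF_SIGNED, True)}),
        "CA-issued, root trusted": (
            WAS_CA_ISSUED, [INTERMEDIATE], {ROOT.subject: (ROOT, True)}),
        "CA-issued, root present but unchecked": (
            WAS_CA_ISSUED, [INTERMEDIATE], {ROOT.subject: (ROOT, False)}),
    }
    for name, (leaf, presented, signers) in cases.items():
        print(name, "->", check_chain(leaf, presented, signers, TODAY))
```
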
          • SystemAdmin

            Re: IBM HTTP Server + WAS 6.1

            ‏2007-06-05T19:34:47Z  in response to SystemAdmin
            Make sure that the certificate used by WAS is in the kdb file used by plugin
            as a signer certificate. You will have to see the plugin config file to find
            the name of kdb file you are using. This is happening because your
            configuration is using SSL between IHS and WAS. It is possible to use SSL
            only between browser and IHS.

            - Sunit

            <fabianchettiar@gmail.com> wrote in message
            news:1480048345.1181025908733.JavaMail.wassrvr@ltsgwas009.sby.ibm.com...
            > Hi Sunit,
            > I am able to use https://servername without any issues. Also I have tried
            > the suggestions given by you to comment out the Plugin file in httpd.conf
            > file but no luck.
            > Also checked the http_plugin.log still get the same (ERROR: lib_stream:
            > openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc =
            > 414)) error message.
            >
            > Also can anyone let me know if there is any support site from IBM where I
            > can log a call for this and get inputs from them.
            >
            > Thanks for all the inputs.
            > Fabian

            • SystemAdmin

              Re: IBM HTTP Server + WAS 6.1

              ‏2007-06-10T06:14:00Z  in response to SystemAdmin
              Hi Sunit,
              I checked the kdb file used by the plugin file as a signer certificate. I have also checked the name of the kdb file but issue persists.

              Regards
              Fabian
              • SystemAdmin

                Re: IBM HTTP Server + WAS 6.1

                ‏2007-06-11T15:35:41Z  in response to SystemAdmin
                ??? I checked the kdb file used by the plugin file as a signer certificate.

                Sunit

                <fabianchettiar@gmail.com> wrote in message
                news:1666892220.1181456070344.JavaMail.wassrvr@ltsgwas009.sby.ibm.com...
                > Hi Sunit,
                > I checked the kdb file used by the plugin file as a signer certificate. I
                > have also checked the name of the kdb file but issue persists.
                >
                > Regards
                > Fabian

          • SystemAdmin

            Re: IBM HTTP Server + WAS 6.1

            ‏2007-06-05T19:37:42Z  in response to SystemAdmin
            Fabian,

            Earlier, I pointed you to a link that fixes a similar problem. I had this happen last month with the same symptoms as yours and it fixed mine. That link was for V4 and was rather confusing. I have documented the steps I took below:

            fred

            The following error is generated if your WebSphere Application Server SSL
            certificate is not trusted by the WebSphere Application Server Plugin
            configured for the IBM HTTP Server:

            ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init:
            GSK_ERROR_BAD_CERT(gsk rc = 414)

            To fix this error:

            Extract the default Personal Certificate
            1. Login to the WebSphere Application Server Administrative Console
            2. Select Security > SSL certificate and key management > Key Stores and certificates
            3. Select NodeDefaultKeyStore for a stand-alone deployment or
            CellDefaultKeyStore for a network deployment.
            4. Click Personal Certificates, select the default check box, and then click Extract.
            5. Give the extracted file a path and name, such as: /root/defaultCert.ARM.
            Note: The convention is to give the file a .ARM extension.
            6. Leave encoding set to Base64.
            7. Click OK.

            Locate your *.kdb file
            1. In the httpd.conf file, find the directory in which the plugin-cfg.xml file is
            stored by searching for the WebSpherePluginConfig line. It should look something like this:
            WebSpherePluginConfig "/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-cfg.xml"
            2. Find the directory in which the key database file (*.kdb) is stored by searching
            for the term "keyring" in the plugin-cfg.xml file. For example:
            <Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb"/>
            Note this location as you will need to use it later.

            Add the extracted certificate to your key database file
            1. Go to the directory for ikeyman and start it:
            cd /opt/IBM/HTTPServer/bin
            ./ikeyman
            2. Click Key Database File > Open, and then select a key database type of CMS.
            3. Specify the filename and location you found above. For example: plugin-key.kdb and
            /opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb
            4. Click OK, and then enter the password. Note: If you have not given this file another password,
            the default password from WebSphere Application Server is WebAS (case sensitive).
            5. Click Personal Certificates drop down and then select Signer Certificates.
            6. Click Add.
            7. Browse to the file you exported with the extension *.ARM, Select it, then Open and click OK. Supply a name if prompted.
            8. Select Key Database File > Save As and save to the original location.
            9. Select Key Database File > Exit.
            10. Restart the IBM HTTP Server.

            • SystemAdmin

              Re: IBM HTTP Server + WAS 6.1

              ‏2007-06-10T06:17:45Z  in response to SystemAdmin
              Hi Fred,
              I have tried all the steps given by you but the issue persists. Fred, I would like to know this step:

              Select Key Database File > Save As and save to the original location.

              At this point you would want me to save the file with the default name (key.kdb) and the default location. I have done this but issue persists.

              Regards
              Fabian
              • SystemAdmin

                Re: IBM HTTP Server + WAS 6.1

                ‏2007-06-10T21:19:36Z  in response to SystemAdmin
                >> Select Key Database File > Save As and save to the original location.

                That was confusing to me too. When I was preparing SSL, I used ikeyman as well, and created a key database using the default key.kdb and put it in the default /bin directory.

                Then, later, I encountered the problem you have and started following directions to work on the /opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb file instead of the one I made earlier. That was the one my plugin-cfg.xml file pointed me to.

                What I meant in that step was to save it back to the same name you opened it as: /opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb (ikeyman did not have a save, only a save as).
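The "Locate your *.kdb file" steps and the key.kdb versus plugin-key.kdb mix-up discussed in this reply, as an added Python example (not part of the original posts): it follows httpd.conf to plugin-cfg.xml and reports which key database each https transport uses, next to the `KeyFile` that IHS uses for browser traffic. The sample files are constructed from the paths quoted in the thread; the `Transport` layout of the sample plugin-cfg.xml and the function names are assumptions of this example.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample inputs; the paths are the ones quoted in this thread.
SAMPLE_HTTPD_CONF = """\
Listen 443
<VirtualHost *:443>
SSLEnable
</VirtualHost>
SSLDisable
KeyFile "/opt/IBM/HTTPServer/serverkey.kdb"
# WebSpherePluginConfig "/tmp/old/plugin-cfg.xml"
WebSpherePluginConfig "/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-cfg.xml"
"""

SAMPLE_PLUGIN_CFG = """\
<Config>
  <ServerCluster Name="server1_Cluster">
    <Server Name="server1">
      <Transport Hostname="servername" Port="9080" Protocol="http"/>
      <Transport Hostname="servername" Port="9443" Protocol="https">
        <Property Name="keyring" Value="/opt/IBM/HTTPServer/Plugins1/config/webserver1/plugin-key.kdb"/>
      </Transport>
    </Server>
  </ServerCluster>
</Config>
"""


def directive_values(conf_text, name):
    """Values of an httpd.conf directive; comment lines are skipped and the
    directive name is matched case-insensitively (KeyFile vs Keyfile)."""
    values = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.*)$", line)
        if m and m.group(1).lower() == name.lower():
            values.append(m.group(2).strip().strip('"'))
    return values


def https_transports(plugin_cfg):
    """(hostname, port, keyring) for every https Transport in plugin-cfg.xml."""
    result = []
    for transport in ET.fromstring(plugin_cfg).iter("Transport"):
        if (transport.get("Protocol") or "").lower() != "https":
            continue
        keyring = None
        for prop in transport.findall("Property"):
            if prop.get("Name") == "keyring":
                keyring = prop.get("Value")
        result.append((transport.get("Hostname"), transport.get("Port"), keyring))
    return result


def audit(conf_text, plugin_cfg):
    """For each https transport, name the KDB that must hold the WAS signer."""
    ihs_kdbs = directive_values(conf_text, "KeyFile")
    findings = []
    for host, port, keyring in https_transports(plugin_cfg):
        if keyring is None:
            note = "https transport without a keyring property"
        elif keyring in ihs_kdbs:
            note = "plugin and IHS share this KDB"
        else:
            note = "add the WAS signer here, not to the IHS KeyFile"
        findings.append((host, port, keyring, note))
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python check_kdb.py /path/to/httpd.conf
        with open(sys.argv[1]) as fh:
            conf = fh.read()
        # Read as bytes so the XML parser honours the file's own encoding.
        with open(directive_values(conf, "WebSpherePluginConfig")[-1], "rb") as fh:
            cfg = fh.read()
    else:
        conf, cfg = SAMPLE_HTTPD_CONF, SAMPLE_PLUGIN_CFG
    print("plugin config:", directive_values(conf, "WebSpherePluginConfig"))
    print("IHS KeyFile:  ", directive_values(conf, "KeyFile"))
    for finding in audit(conf, cfg):
        print(finding)
```
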
                • SystemAdmin

                  Re: IBM HTTP Server + WAS 6.1

                  ‏2007-06-11T14:44:02Z  in response to SystemAdmin
                  Hi Fred,
                  I tried all the steps mentioned but the issue persists. Can you pls send me a link to configure/recheck SSL? Also, if you need any other details then please let me know.

                  Regards
                  Fabian
                  • SystemAdmin

                    Re: IBM HTTP Server + WAS 6.1

                    ‏2007-06-11T14:54:43Z  in response to SystemAdmin
                    http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.ihs.doc/info/ihs/ihs/tihs_setupssl.html
                    • SystemAdmin

                      Re: IBM HTTP Server + WAS 6.1

                      ‏2007-06-12T14:00:50Z  in response to SystemAdmin
                      Hi Fred,
                      I have followed the same steps but was getting the GSK_ERROR_BAD_CERT(gsk rc = 414) error message.
                      Then I followed the steps given by you to resolve the error but issue persists.

                      Any other inputs would be appreciated.

                      Regards
                      Fabian
                      • SystemAdmin

                        Re: IBM HTTP Server + WAS 6.1

                        ‏2007-06-13T13:29:16Z  in response to SystemAdmin
                        I'm not sure why it is not working for you. One thing may be the software levels. You may have different requirements, but the system I am working on required fix pack 3:

                        Fixpack 3:
                        6.1.0.3: WebSphere Application Server V6.1.0 Fix Pack 3 for Linux
                        http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24013772

                        Files:
                        6.1.0-WS-AppClient-LinuxX32-FP0000003.pak (not needed in my case)
                        6.1.0-WS-IHS-LinuxX32-FP0000003.pak
                        6.1.0-WS-PLG-LinuxX32-FP0000003.pak
                        6.1.0-WS-WAS-LinuxX32-FP0000003.pak
                        Update Installer:
                        It is best to get the latest Update installer rather than using the launchpad to install the one shipped with WAS 6.1.

                        Update Installer for WebSphere Application Server V6.1 releases
                        http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012718

                        File: download.updii.6101.linux.ia32.zip

                        Fixpack 3 readme:
                        Readme for IBM WebSphere Application Server version 6.1.0.3
                        http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27008686
                        • SystemAdmin

                          Re: IBM HTTP Server + WAS 6.1

                          ‏2007-07-01T09:11:18Z  in response to SystemAdmin
                          Hi Fred,
                          I have tried all the suggestions given, also applied fix pack 9. I have tried to recheck and redo the settings, but get the same error message.
                          Fred can you give me the steps to configure SSL, I would like to know if I have followed the right steps.

                          Below are the steps that I have followed to configure SSL.
                          1. Created a new KDB file using the ikeyman utility.
                          2. Created a new Self-Signed certificate.
                          3. Extracted the Cert.arm to a specific folder.
                          4. Added the Cert.arm file
                          5. Configured the httpd.conf file to enable SSL configuration and restarted the HTTP server.
                          6. Configured the Environment settings (Virtual hosts) in WAS and restarted the WAS.

                          Please confirm if the above mentioned steps are correct and enough and let me know if I am missing something.

                          Thanks and regards
                          Fabian
                          • SystemAdmin

                            Re: IBM HTTP Server + WAS 6.1

                            ‏2007-07-01T13:57:27Z  in response to SystemAdmin
                            fabianchettiar@gmail.com wrote:
                            > Hi Fred,
                            > I have tried all the suggestions given, also applied fix pack 9. I have tried to recheck and redo the settings, but get the same error message.
                            > Fred can you give me the steps to configure SSL, I would like to know if I have followed the right steps.
                            >
                            > Below are the steps that I have followed to configure SSL.
                            > 1. Created a new KDB file using the ikeyman utility.
                            > 2. Created a new Self-Signed certificate.
                            > 3. Extracted the Cert.arm to a specific folder.
                            > 4. Added the Cert.arm file
                            > 5. Configured the httpd.conf file to enable SSL configuration and restarted the HTTP server.
                            > 6. Configured the Environment settings (Virtual hosts) in WAS and restarted the WAS.
                            >
                            > Please confirm if the above mentioned steps are correct and enough and let me know if I am missing something.

                            You weren't very clear in the steps you performed.

                            You have a self-signed certificate being used by WebSphere, in a JKS
                            file. Does the plug-in KDB file "trust" the self-signed issuer?

                            Extract from the WebSphere JKS, "add" in ikeyman gui to the Plugin KDB.
                            • SystemAdmin

                              Re: IBM HTTP Server + WAS 6.1

                              ‏2007-07-09T09:23:23Z  in response to SystemAdmin
                              Hi Eric,
                              thanks for the info, but I am not very clear on some points.

                              1. I have created the KDB file and not using any jks file.

                              If you could tell me

                              1. What does this mean..Does the plug-in KDB file "trust" the self-signed issuer?
                              2. Extract from the WebSphere JKS, "add" in ikeyman gui to the Plugin KDB ( I am not using any JKS file)

                              It would be very kind if you can explain this to me. Resetting or reconfiguring the SSL is also fine by me. Therefore, I would request you to e-mail me the steps for the setting up the SSL for WAS 6.1.

                              I am able to access this:

                              http://servername
                              http://servername/snoop
                              https://servername
                              https://servername:9443/snoop

                              Unable to access https://servername/snoop

                              Thanks in advance
                              Regards
                              Fabian
                              • SystemAdmin

                                Re: IBM HTTP Server + WAS 6.1

                                ‏2007-07-09T14:53:29Z  in response to SystemAdmin
                                fabianchettiar@gmail.com wrote:
                                > Hi Eric,
                                > thanks for the info, but I am not very clear on some points.
                                >
                                > 1. I have created the KDB file and not using any jks file.

                                I'd think that if the Application Server has an SSL transport, it would
                                have a JKS file with at least 1 private key.

                                >
                                > If you could tell me
                                >
                                > 1. What does this mean..Does the plug-in KDB file "trust" the self-signed issuer?
                                The KDB has a section called "Signer Certs" that it trusts. If the
                                certificate on the backend appserver isn't signed by one of these known
                                issuers, it won't be accepted. Same as when a browser prompts you about
                                a self-signed cert.

                                > 2. Extract from the WebSphere JKS, "add" in ikeyman gui to the Plugin KDB ( I am not using any JKS file)
                                >

                                Does WebSphere provide an SSL certificate when you perform a handshake
                                directly? Find where it's stored.

                                > It would be very kind if you can explain this to me. Resetting or reconfiguring the SSL is also fine by me. Therefore, I would request you to e-mail me the steps for the setting up the SSL for WAS 6.1.
                                >
                                > I am able to access this:
                                >
                                > http://servername
                                > http://servername/snoop
                                > https://servername
                                > https://servername:9443/snoop
                                >
                                > Unable to access https://servername/snoop
                                >
                                > Thanks in advance
                                > Regards
                                > Fabian
                                • SystemAdmin

                                  Re: IBM HTTP Server + WAS 6.1

                                  ‏2007-07-21T07:21:14Z  in response to SystemAdmin
                                  Hi Eric,
                                  I have followed all the steps but the issue still persists. It would be of great help, if you could send me the steps to setup SSL.
                                  Resetting or reconfiguring the SSL is also fine by me. It will be of great help if you could send me the steps for the setting up the SSL for WAS 6.1.

                                  Thanks and Regards
                                  Fabian
                                  • SystemAdmin

                                    Re: IBM HTTP Server + WAS 6.1

                                    ‏2012-05-31T19:19:43Z  in response to SystemAdmin
                                    For this issue please follow the steps below.

                                    Go to the WAS console, click webserver --> Plugin properties --> click copy keystore data base.
                                    Once you have clicked it, it will propagate the plugin-key.kdb from WAS to the plugin path.

                                    Then recycle the IHS.

                                    Hope you will say thanks to me.. :)