Question & Answer
Question
The customer has successfully enabled SSL for PMC and REST, but failed to enable SSL for SD SOAP by following the document:
https://www.ibm.com/support/knowledgecenter/en/SSZUMP_7.2.0/management_sym/ssl_sd_soap.html.
The system throws the error:
openssl s_client -connect xxxxxxx.com:9090 -CAfile MyCA.pem
Start Time: 1528378093
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
closed
How can the problem be resolved and SSL for SD SOAP enabled successfully?
Cause
The port number to use for verification is not the port of WebServiceGateway; it is the port for SD_ADMIN.
The CA certificate must be imported into WEBGUI's keystore.
Answer
1. The SSL connection between the SD SOAP server and client is for the client SD_ADMIN:
-----------------------------------------------------------
CLIENT NAME: SD_ADMIN
DESCRIPTION: soap:TCPIPv4SSL+SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/gpfs/fs1/sym72Share/kernel/conf/VEMKD_CERTIFICATE/cacert.pem]||henry-11.symphony.ibm.com:7875
TTL : 15
LOCATION : 39371@172.30.65.11
USER : Admin
CHANNEL INFORMATION:
CHANNEL STATE
15 CONNECTED
-----------------------------------------------------------
[root@henry-11 conf]# openssl s_client -connect henry-11.symphony.ibm.com:7875 -CAfile VEMKD_CERTIFICATE/cacert.pem
Verify return code: 0 (ok)
To verify whether SSL is enabled between the SD SOAP server and the SD SOAP client, check the messages in the SD log. Here is an example excerpt from the SD log:
sd.adminManager.SdAdminListener - SdAdminListener::init(): The system will enable SSL for the SOAP server using certificate <$HOME/security/user.pem>, private key <$HOME/security/user.key>, and cipher <ECDHE-ECDSA-AES128-SHA256>.
2. The CA certificate should be imported into WEBGUI's keystore. WEBGUI works as a SOAP client in this case.
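Added example (not part of the IBM document): a shell helper that reads the CAFILE and host:port out of an SD_ADMIN DESCRIPTION value like the one in step 1, builds the matching openssl s_client command so the check targets the SD_ADMIN port rather than the WebServiceGateway port, and extracts the verify return code from the output. The function names, and the assumption that the options inside the brackets are comma-separated, belong to this example.

```sh
#!/bin/sh
# Added example: derive the s_client check from an SD_ADMIN DESCRIPTION value.
# Function names are hypothetical; options in [...] are assumed comma-separated.

# Constructed sample: the DESCRIPTION value shown in the client listing above.
SAMPLE_DESC='soap:TCPIPv4SSL+SSL[CIPHER=AES256-GCM-SHA384,CAFILE=/gpfs/fs1/sym72Share/kernel/conf/VEMKD_CERTIFICATE/cacert.pem]||henry-11.symphony.ibm.com:7875'

# Print the host:port that follows the "]||" separator.
desc_endpoint() {
    printf '%s\n' "$1" | sed -n 's/^.*]||\([^|]*:[0-9][0-9]*\)$/\1/p'
}

# Print the value of option $2 (CIPHER or CAFILE) from the [...] list.
desc_option() {
    printf '%s\n' "$1" | sed -n 's/^[^[]*\[\(.*\)]||.*$/\1/p' \
        | tr ',' '\n' | sed -n "s/^$2=//p"
}

# Print the openssl command that checks the SD_ADMIN endpoint with its own CA.
sd_admin_check_cmd() {
    ep=$(desc_endpoint "$1")
    ca=$(desc_option "$1" CAFILE)
    [ -n "$ep" ] && [ -n "$ca" ] || {
        echo "no SSL endpoint or CAFILE in DESCRIPTION" >&2
        return 1
    }
    printf 'openssl s_client -connect %s -CAfile %s\n' "$ep" "$ca"
}

# Read s_client output on stdin and print the numeric verify return code.
# Status: 0 when the code is 0 (ok), 1 for any other code, 2 if none is found.
verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*$/\1/p' | tail -n 1)
    [ -n "$code" ] || return 2
    printf '%s\n' "$code"
    [ "$code" -eq 0 ]
}

# Run the check against the live endpoint (needs network access and openssl).
sd_admin_verify() {
    ep=$(desc_endpoint "$1")
    ca=$(desc_option "$1" CAFILE)
    openssl s_client -connect "$ep" -CAfile "$ca" </dev/null 2>/dev/null | verify_code
}

# Show the command derived from the sample DESCRIPTION.
sd_admin_check_cmd "$SAMPLE_DESC"
```

On a Symphony host, pass the DESCRIPTION value from the client listing to sd_admin_verify; a printed 19 with non-zero status corresponds to the failure in the question, and 0 to the successful check in step 1.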
Document Information
Modified date:
12 July 2018
UID
ibm10717191