GetPreference DOS attack detected! Session will be terminated while configuring ssl

Hi experts,

While configuring SSO in HPSM, after creating the certificates I face the following repeated issue:

"GetPreference DOS attack detected! Session will be terminated"

which leads to this error when logging in to the system from the web: "Service Manager Server is currently not available, please try again later"

Attached: logs, sm.cfg, sm.ini & authentication files


  • Hello Mohammed,

    This message is raised during login:

    There are multiple messages exchanged in sequence. When Service Manager does not receive an expected message for a specific time (10 seconds), it terminates the session.

    As DOS attacks typically do not follow a strict sequence of messages, this could be an indication; however, more typically there is just some kind of issue in the network that causes a delay or packet loss.

    Best regards,

    Armin


  • Dear Afranke

  • So you're configuring SSL between the SM client and the SM server. Is the SM client the webtier or the Windows client? I am not sure what version this is, but here are some things to check.

    1. If the webtier is 9.34 or higher (i.e. 9.4x, 9.5x, 9.6x) ensure that the client.keystore password is in the <tomcat>/webapps/<webtier>/WEB-INF/webtier.properties file. 

    2. If it is the Windows client, ensure that the cacerts file being used is the correct one used when generating the client keystores.

    3. On the SM server ensure that the /RUN/cacerts is the correct one being used for the server.keystore.

    4. If this is a scaled system - meaning you're using the SM SWLB - then you may want to check the RUN\jre\lib\security\cacerts is valid as well.

    The bottom line - as you can see - is that this error is usually indicative of a problem with the truststore (cacerts) when SSL is configured.

  • Dear Brett,

    First of all, thanks a lot for your time & recommendations.

    Regarding the case, I am trying to secure the connection between the SM webtier (the implementation is on SM 9.60) and the SM server.

    1- Checked

    2- Is there a specific way to ensure this point? I mean, is there a debugging parameter to detect this case?

  • 1. Add the following parm to the sm.ini

    debughttp:1

    2. Save the sm.ini

    3. Restart Service Manager

    4. Attempt to make a client connection

    5. Look in the sm.log for more verbose SSL messages.

    If you generated your own SSL certs (i.e. self-signed) then more than likely you've got the wrong cacerts in either the webtier's WEB-INF or the SM RTE's RUN dir.

  • Dear Brett,

    I followed your suggestions and attached the logs, sm.ini & sm.log

    SSL Case.zip
  • There is no debug parameter named debugssl, therefore the logs are filled with messages saying it doesn't recognize the parm. If you want to add the correct parm, it's JVMOption0:-Djavax.net.debug=all. Also, since we've not gotten to trustedsignon yet, you should turn that off and just work on SSL.

    1. Edit the sm.cfg

    2. Find this line:

    sm -httpPort:13082 -httpsPort:13446 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:1 -debughttp:1 -log:../logs/SMSSL.log -maxlogsize:5120000 -numberoflogfiles:20


    3. Change it to 

    sm -httpPort:13082 -httpsPort:13446 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:0 -debughttp:1 -JVMOption0:-Djavax.net.debug=all -log:../logs/SMSSL.log -maxlogsize:5120000 -numberoflogfiles:20

    4. Save

    5. Stop Service Manager

    6. Clear the logs

    7. Start Service Manager

    8. Ensure the webtier is connecting to port 13082

    9. Login to the webtier

    10. You'll get an error

    11. Send the logs


  • Dear Brett,

    I followed your instructions, and attached the logs

    logs.zip
  • 1. Check the webtier's /WEB-INF/cacerts file and see if the sm cert is present. 

    2. Are the certs self-signed? If so, generate new server and client certs, implement them, then test again.
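
    The checks in this reply and in the earlier checklist (webtier WEB-INF cacerts, server RUN cacerts, the keystore password in webtier.properties) all come down to two questions: does the truststore open with the password you configured, and is the SM server certificate actually inside it? The script below is an added example for this thread, not Service Manager's own code: it parses the Java KeyStore (JKS) container format with the Python standard library only, verifies the store's SHA-1 integrity digest against the password (the same check that fails with "Keystore was tampered with, or password was incorrect" when webtier.properties carries the wrong password), and reports whether a given DER certificate is among the trusted-cert entries. The two sample stores and the "certificates" in them are constructed inline; the cert bytes are placeholders rather than real X.509 DER, which does not affect the check because JKS stores certificate bytes opaquely.

```python
"""Check whether a certificate is present in a JKS truststore (e.g. cacerts).

Added example for this thread, not Service Manager code. Standard library only.
Sample data at the bottom is constructed; the cert bytes are placeholders.
"""
import hashlib
import struct

MAGIC = 0xFEEDFEED
VERSION = 2
PRIVATE_KEY_ENTRY = 1
TRUSTED_CERT_ENTRY = 2
SALT = b"Mighty Aphrodite"  # constant Java mixes into the JKS integrity digest


def _utf(s: str) -> bytes:
    """Encode like DataOutputStream.writeUTF: 2-byte length prefix, then bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _integrity_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (UTF-16BE) + "Mighty Aphrodite" + the store body."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(SALT)
    h.update(body)
    return h.digest()


def build_jks(trusted_certs, password: str) -> bytes:
    """Serialize [(alias, der_bytes)] as a JKS v2 store of trusted certs only."""
    body = struct.pack(">III", MAGIC, VERSION, len(trusted_certs))
    for alias, der in trusted_certs:
        body += struct.pack(">I", TRUSTED_CERT_ENTRY) + _utf(alias) + struct.pack(">Q", 0)
        body += _utf("X.509") + struct.pack(">I", len(der)) + der
    return body + _integrity_digest(password, body)


def parse_jks(data: bytes, password: str) -> dict:
    """Return {alias: der_bytes} for trusted-cert entries; ValueError on bad digest."""
    body, digest = data[:-20], data[-20:]
    if _integrity_digest(password, body) != digest:
        raise ValueError("keystore was tampered with, or password was incorrect")
    magic, version, count = struct.unpack_from(">III", body, 0)
    if magic != MAGIC or version != VERSION:
        raise ValueError("not a JKS version 2 keystore")
    pos, certs = 12, {}

    def read_cert():
        nonlocal pos
        type_len, = struct.unpack_from(">H", body, pos)
        pos += 2 + type_len                      # skip the "X.509" type string
        cert_len, = struct.unpack_from(">I", body, pos)
        pos += 4
        cert = body[pos:pos + cert_len]
        pos += cert_len
        return cert

    for _ in range(count):
        tag, = struct.unpack_from(">I", body, pos)
        pos += 4
        alias_len, = struct.unpack_from(">H", body, pos)
        alias = body[pos + 2:pos + 2 + alias_len].decode("utf-8")
        pos += 2 + alias_len + 8                 # alias, then 8-byte creation timestamp
        if tag == TRUSTED_CERT_ENTRY:
            certs[alias] = read_cert()
        elif tag == PRIVATE_KEY_ENTRY:
            key_len, = struct.unpack_from(">I", body, pos)
            pos += 4 + key_len                   # protected key blob, not needed here
            chain_len, = struct.unpack_from(">I", body, pos)
            pos += 4
            for _ in range(chain_len):
                read_cert()                      # skip the key's own certificate chain
        else:
            raise ValueError(f"unknown entry tag {tag}")
    return certs


def password_is_valid(store: bytes, password: str) -> bool:
    """True if the integrity digest verifies, i.e. the store opens with this password."""
    try:
        parse_jks(store, password)
        return True
    except ValueError:
        return False


def cert_in_truststore(store: bytes, password: str, der: bytes):
    """Alias under which `der` is trusted (matched by SHA-256 fingerprint), or None."""
    want = hashlib.sha256(der).hexdigest()
    for alias, stored in parse_jks(store, password).items():
        if hashlib.sha256(stored).hexdigest() == want:
            return alias
    return None


# Constructed sample data: placeholder bytes standing in for DER certificates.
SM_SERVER_CERT = b"constructed placeholder for the SM server certificate DER"
ROOT_CA_CERT = b"constructed placeholder for an unrelated root CA certificate DER"
GOOD_CACERTS = build_jks([("smserver", SM_SERVER_CERT), ("rootca", ROOT_CA_CERT)], "changeit")
WRONG_CACERTS = build_jks([("rootca", ROOT_CA_CERT)], "changeit")  # SM cert never imported

if __name__ == "__main__":
    print(cert_in_truststore(GOOD_CACERTS, "changeit", SM_SERVER_CERT))   # smserver
    print(cert_in_truststore(WRONG_CACERTS, "changeit", SM_SERVER_CERT))  # None
    print(password_is_valid(GOOD_CACERTS, "wrongpass"))                   # False
```

    Against a real installation you would read the files instead of the constructed samples, e.g. `cert_in_truststore(open("WEB-INF/cacerts", "rb").read(), password, open("smserver.der", "rb").read())`, with the password taken from webtier.properties; `keytool -list -v -keystore cacerts` prints the same fingerprints for a manual comparison. The parser handles the JKS format only; a truststore that was created as PKCS12 (the default keystore type in newer JDKs) will fail the magic-number check, which is itself worth knowing when the webtier and the server were set up with different JDKs.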

  • Can you tell how did you generate the ssl certificate? Using the steps provided by Guide?

    By default SM considers DSA an old algorithm and sets it as disabled. Try the following to see if it works.

    Take a copy of "extra.java.security" file in the SM RUN folder

    Edit it with Text Editor and remove ", DSA" from the "jdk.tls.disabledAlgorithms=" section.

    Restart the SM services and try to connect.

    Hope it helps. If it does not help, send the commands that you used for the SSL key generation to check further.
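
    The property edited above, jdk.tls.disabledAlgorithms, is usually wrapped over several lines with trailing backslashes in java.security-style files, so a blind search for ", DSA" can miss it or corrupt the continuation. The helper below is an added example for this thread, not Service Manager tooling; it joins continued lines the way java.util.Properties does, lists what is disabled, and drops one algorithm from the list while leaving every other property alone. The sample file content is constructed to resemble such an override file; the real extra.java.security is not shown on the page. Bear in mind that removing DSA re-enables an algorithm the JDK disabled for a reason, so the cleaner fix remains regenerating the certificates with RSA keys.

```python
"""List and edit jdk.tls.disabledAlgorithms in a java.security-style file.

Added example for this thread, not Service Manager tooling. SAMPLE is a
constructed stand-in for extra.java.security, including the backslash
line continuation these files use.
"""

SAMPLE = """\
# constructed sample, modelled on a java.security override file
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, DSA
"""


def _logical_lines(text: str) -> list:
    """Join backslash-continued lines into logical lines (java.util.Properties rules)."""
    out, buf = [], ""
    for raw in text.splitlines():
        if buf:
            raw = raw.lstrip()               # leading whitespace of a continuation is dropped
        trailing = len(raw) - len(raw.rstrip("\\"))
        if trailing % 2 == 1:                # odd number of trailing backslashes = continue
            buf += raw[:-1]
            continue
        out.append(buf + raw)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _split_list(value: str) -> list:
    return [item.strip() for item in value.split(",") if item.strip()]


def disabled_algorithms(text: str, prop: str = "jdk.tls.disabledAlgorithms") -> list:
    """Return the algorithm entries listed under `prop`, or [] if it is not set."""
    for line in _logical_lines(text):
        if line.startswith(prop + "="):
            return _split_list(line[len(prop) + 1:])
    return []


def remove_algorithm(text: str, algo: str, prop: str = "jdk.tls.disabledAlgorithms") -> str:
    """Rewrite the file with `algo` removed from `prop`.

    Other properties keep their content; continued lines are emitted joined,
    which is equivalent for a properties parser.
    """
    out = []
    for line in _logical_lines(text):
        if line.startswith(prop + "="):
            kept = [a for a in _split_list(line[len(prop) + 1:]) if a != algo]
            line = prop + "=" + ", ".join(kept)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(disabled_algorithms(SAMPLE))                 # [..., 'NULL', 'DSA']
    print(remove_algorithm(SAMPLE, "DSA"))            # same file without DSA
```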

