SSL Webtier Configuration Issue

Hi Everyone,

I am trying to enable SSL, which is successful between SM Server and Windows Client, but when I try to enable it for Web Tier, I get a strange error in the log when I try to log in...

2900(  4260) 12/15/2015 09:43:09  RTE E GetPreference DOS attack detected! Session will be terminated.

I have followed the source below from HP to generate the certificates:

https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM1112808?lang=en&cc=us&hpappid=202392_OSP_PRO_HPE

I have referred to the attached document for the configuration of the same.

 

Help is appreciated please.

  • Hi,

    Please provide the full trace and the version information (SM server/Windows Client/Webtier).

    Thanks

    Desmond

  • Thank you for your response.  The version information is as below:

    Service Manager 9.41.1005 p1 Server

    Service Manager 9.41.1005 p1 WebTier

    Service Manager 9.41.1005 p1 Client

    The traces are attached please.

     

    SM Log SSL WebTier Issue.zip
  • Dear, any success after seeing documents, as I have to update the customer within next 30 minutes or so...

    http Log is also attached please.

    Thank you....

  • QCCR1E126787--SM941 session terminated due to "GetPreference DOS attack detected". It is a security defect; maybe the forum is not a good place to discuss it. I suggest opening a support case with HP support to get further information.

     

    Thanks

    Desmond

  • Just to highlight that I have set this all up in a VM... Do you think it might be the issue as well...

    So that before opening a support case I should give it a try on a physical machine?

  • The VM environment might be related to the issue. It is worth trying on a physical machine.

  • In the Service Manager sm.ini add the following parameter:  debughttp:1
    Clear the sm.log
    Stop and restart Service Manager Server application

    Stop the application server deploying the webtier
    If this is Tomcat, search for and find the 'sm.log' - because the webtier has its own
    Remove it
    Clear all of the Tomcat logs in the <tomcat>\logs directory
    Start Tomcat
    Attempt to login to the webtier and reproduce the problem

    When the problem occurs tell me what you see on the screen
    Upload the Tomcat logs
    Upload the Webtier sm.log
    Upload the Service Manager Server sm.log
    Upload the Webtier web.xml
    Upload the Service Manager sm.ini

  • Hi Brett,

    Thank you for your response. Apologies for the delay, but I missed checking the forum last night.

    Here I am attaching logs and configuration files with screenshot of error.

    Hope for the resolution please.

    Thanks & regards,

    SSL Issue.zip
  • While I cannot explain the original error you're experiencing I can tell you that - specific to SSL - your web.xml is configured incorrectly. On line 718 you will notice <param-name>keystorePassword</param-name>. Beginning with Service Manager 9.34P2 (which includes all of the 9.4x versions) the Webtier keystore password resides within the webtier.properties file. Please make this correction, stop and restart the application server and test logging in with SSL. Please keep the same tracing steps.

    Information on how to configure the webtier.properties file with the client keystore password can be found in the Service Manager Online Help Server. Search for webtier.properties and you will find the needed instructions.

    If, after making this change and testing, the problem continues, send in the same logs I mentioned earlier but also include the Service Manager Server sm.cfg and the updated web.xml from the webtier.

     

     

  • Hi,

    I have the same error when SSL is enabled between SM Server and SM Webtier (SM 9.41 version). The same SSL configuration works correctly on 9.34.

    I submitted a request to HP Support, but they are useless as always. I did some research and there is a document in HP Knowledge Library which states that:

    TECHNICAL PROBLEM DESCRIPTION: 

    In the case of network latency (Server is in India Lab and Client is in Shanghai Office), when logging in to SM, SM941 session terminated due to "GetPreference DOS attack detected".


    TECHNICAL SOLUTION DESCRIPTION: 

    Change the time between sending out "getPreferenceResponse" and receiving "startRequest" from 5s to 10s.

     

    But in my opinion, it cannot be the case, because I did all the tests on the same server - so there is no network latency.

    I have also debugged that the error message comes from the SCUserProcessInfo::isExceedGetPreferenceTime function located in sm.dll.

    For me, the same configuration works correctly on SM 9.34, but fails on 9.41. I guess that after enabling SSL, due to a lot more requests being generated (SSL handshaking), SM thinks that it is being attacked.

    Does anybody have any solution or more info about this? I disabled SSL between SM Server and SM Webtier and I am using SSL only on our front end apache http server, but still it's only a workaround.

    Kind regards,

    Marcin
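
Added example, not part of any post in this thread and not HP code: a small triage script that scans an sm.log for the "GetPreference DOS attack detected" terminations and returns each one with the preceding messages from the same thread, which is what a support case will ask for once debughttp tracing is on. The line layout is taken from the single log line quoted in the first post; treating the two leading numbers as process and thread id is an assumption, and the other sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Layout copied from the one sm.log line quoted in the thread. Reading the two
# leading numbers as process id and thread id is an assumption.
LINE_RE = re.compile(
    r"^\s*(?P<pid>\d+)\(\s*(?P<tid>\d+)\)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<module>\S+)\s+(?P<level>[A-Z])\s+(?P<msg>.*)$"
)
MARKER = "GetPreference DOS attack detected"

def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"], rec["tid"] = int(rec["pid"]), int(rec["tid"])
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
    return rec

def find_terminations(lines, context=3):
    """List each termination with the last `context` messages of its thread."""
    history = defaultdict(lambda: deque(maxlen=context))
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # blank lines, wrapped messages, stack traces
        key = (rec["pid"], rec["tid"])
        if MARKER in rec["msg"]:
            hits.append({"pid": rec["pid"], "tid": rec["tid"], "ts": rec["ts"],
                         "level": rec["level"], "context": list(history[key])})
        history[key].append(rec["msg"])
    return hits

# Constructed sample: only the last line is the one quoted in the thread.
SAMPLE = [
    "2900(  4260) 12/15/2015 09:43:07  RTE I constructed sample: login request received",
    "2900(  5120) 12/15/2015 09:43:08  RTE I constructed sample: unrelated thread activity",
    "2900(  4260) 12/15/2015 09:43:09  RTE E GetPreference DOS attack detected! Session will be terminated.",
]

if __name__ == "__main__":
    for hit in find_terminations(SAMPLE):
        print(hit["ts"].isoformat(), hit["pid"], hit["tid"], hit["context"])
```
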