IE reporting ‘the connection to this website is untrusted’ issue

Hi team

Good day.

I need some help with IE reporting the ‘the connection to this website is untrusted’ issue.

The customer’s network structure is as shown in the attachment ‘ALM_ucmdb_access_v0.1.vsd’. There are 2 Data Centers in this environment, and there are 2 UCMDB servers in each DC. The security message does not pop up when only the DC 1 servers are up and running. As soon as the customer brings any server in DC 2 up, the security message pops up again.

The UCMDB login page can be shown without that warning. Log in to UCMDB via the top layer LB’s VIP; after hitting Login, the security warning pops up. This is before the loading status is displayed. Click Continue, and the UCMDB page is loaded successfully.

I found there is a known issue (QCCR1H95264) which is similar to the customer’s issue and was fixed in 10.11 CUP3. But the customer confirms that he still gets the same error as above. I also asked the customer to add a line ‘Permissions: all-permissions’ into MANIFEST.MF in the UCMDB server folder. This follows ‘http://www.javaquery.com/2013/10/this-application-will-be-blocked-in.html’

But it doesn’t work. I found a specific thing. We tested on 2 workstations. Both of them are using IE8. But one’s JRE is 1.7.76 and the other one’s is 1.7.45.

On the host with JRE 1.7.45, it would show:

But on the host with JRE 1.7.76, it doesn’t show ‘This application will be blocked in a future java security update because the JAR file manifest does not contain the Permissions attribute. Please contact the publisher for more information’.

For the UCMDB servers’ configuration, the 4 servers have the same UCMDB version, CUP version (10.11 CUP3 now) and configurations.

  1. LDAP settings; done via UCMDB UI
  2. HA settings; add “java.additional.43=-Djgroups.bind_addr=<ip_address>” into E:\HP\UCMDB\UCMDBServer\bin\wrapper.conf file on all 4 servers where the <ip_address> is replaced with the IP address of the respective server.
  3. DB connection setting;  all 4 servers have the same connection files (E:\HP\UCMDB\UCMDBServer\conf\jdbc.properties  and E:\HP\UCMDB\UCMDBServer\conf\ucmdb-tnsnames.ora)
  4. Customer’s Root certificate is imported to E:\HP\UCMDB\UCMDBServer\bin\jre\lib\security\cacerts as trusted certificate.

In regard to the LB’s configuration, the customer said the LBs between the DCs are the same and the correct certificate is installed. The certificate used is a CA-signed certificate. The LB’s public certificate is imported to E:\HP\UCMDB\UCMDBServer\bin\jre\lib\security\cacerts as a trusted certificate on all 4 servers. The certificate is also imported to IE’s trusted root certificates. They don’t believe it is an LB configuration issue because of the error message that they are getting: the “JAR file manifest does not contain the Permissions attribute” error.

I checked more on the customer’s environment. The load balancer does the certificate stripping. The traffic from the client web browser is via HTTPS. When it hits the LB, the LB removes the certificate and passes the traffic to the UCMDB server via HTTP.

I now suspect the issue is not on the UCMDB side but on the load balancer. But if we are going to say the issue is on the load balancer side, we need to advise the customer which configuration needs to be checked. Or, what information from the load balancer side do we need before we say it is the load balancer’s configuration issue?

Could you please give me some advice?

ALM_UCMDB_Access_v0.1.zip
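A check for the manifest attribute named in the warning quoted above, as an added example that is not part of the original post and is not HP's code. It reads a JAR's main manifest section, reports the Permissions value and whether the JAR carries a signature file (which covers the manifest contents), and ignores a Permissions line that landed after the blank line ending the main section. The function names and the in-memory sample JARs are constructed for illustration.

```python
import io
import zipfile

VALID_PERMISSIONS = {"sandbox", "all-permissions"}

def parse_main_attributes(manifest_bytes):
    """Parse the main section of MANIFEST.MF (attribute names are case-insensitive)."""
    text = manifest_bytes.decode("utf-8", errors="replace")
    attrs, last = {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":                      # blank line ends the main section
            break
        if line.startswith(" ") and last:   # continuation of a wrapped line
            attrs[last] += line[1:]
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            attrs[last] = value.lstrip(" ")
    return {k: v.strip() for k, v in attrs.items()}

def audit_jar(jar_file):
    """Return the Permissions value, whether it is a valid value, and signing state."""
    with zipfile.ZipFile(jar_file) as jar:
        names = jar.namelist()
        raw = jar.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    perms = parse_main_attributes(raw).get("permissions")
    # Signature files sit directly in META-INF and end in .SF
    signed = any(n.upper().startswith("META-INF/") and n.upper().endswith(".SF")
                 and n.count("/") == 1 for n in names)
    return {"permissions": perms, "valid": perms in VALID_PERMISSIONS, "signed": signed}

def build_sample_jar(manifest_text, signed=False):
    """Constructed sample input: a minimal JAR held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest_text)
        if signed:
            jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n\r\n")
        jar.writestr("Applet.class", b"")
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    missing = build_sample_jar("Manifest-Version: 1.0\r\n\r\n", signed=True)
    fixed = build_sample_jar("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n\r\n")
    misplaced = build_sample_jar("Manifest-Version: 1.0\r\n\r\nPermissions: all-permissions\r\n")
    for label, jar in (("missing", missing), ("fixed", fixed), ("misplaced", misplaced)):
        print(label, audit_jar(jar))
```

To check real files, pass each JAR path to `audit_jar` instead of the constructed samples.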