ScorpionSting Absent Member.
2547 views

aaf 6 server admin


  1. Put trusted CAs into JKS store via web ui
  2. Imported pfx as web server cert via web ui
  3. Set imported cert as active
  4. Rebooted
  5. Connection Close on :9443


    ps -ef | grep 9443 shows it as listening...

    Where can I look/troubleshoot this?

Visit my Website for links to Cool Solution articles.
16 Replies
ScorpionSting Absent Member.

Re: aaf 6 server admin

openssl s_client -connect xxxx.xxxx.xxxx:9443

correctly returns cert chain.

ScorpionSting Absent Member.

Re: aaf 6 server admin

Fresh look and I've found related "stuff":

aaf:/opt/novell/common-services/start.d # cat ssl.ini
# ---------------------------------------
# Module: ssl
--module=ssl
### SSL Keystore Configuration
# define the port to use for secure redirection
jetty.secure.port=9443


## Setup a demonstration keystore and truststore
jetty.keystore=/vastorage/conf/certs/keystore
jetty.truststore=/vastorage/conf/certs/keystore


## Set the demonstration passwords.
## Note that OBF passwords are not secure, just protected from casual observation
## See http://www.eclipse.org/jetty/documentation/current/configuring-security-secure-passwords.html
jetty.keystore.password=changeit
jetty.keymanager.password=changeit
jetty.truststore.password=changeit


### Set the client auth behavior
## Set to true if client certificate authentication is required
# jetty.ssl.needClientAuth=true
## Set to true if client certificate authentication is desired
# jetty.ssl.wantClientAuth=true


## Parameters to control the number and priority of acceptors and selectors
# ssl.selectors=1
# ssl.acceptors=2
# ssl.selectorPriorityDelta=0
# ssl.acceptorPriorityDelta=0
aaf:/opt/novell/common-services/start.d # cat https.ini
# ---------------------------------------
# Module: https
--module=https
## HTTPS Configuration
# HTTP port to listen on
https.port=9443
# HTTPS idle timeout in milliseconds
https.timeout=30000
# HTTPS Socket.soLingerTime in seconds. (-1 to disable)
# https.soLingerTime=-1


aaf:/opt/novell/common-services/start.d # cat server.ini
# ---------------------------------------
# Module: server
--module=server
##
## Server Threading Configuration
##
# minimum number of threads
threads.min=10
# maximum number of threads
threads.max=200
# thread idle timeout in milliseconds
threads.timeout=60000
# buffer size for output
jetty.output.buffer.size=32768
# request header buffer size
jetty.request.header.size=8192
# response header buffer size
jetty.response.header.size=8192
# should jetty send the server version header?
jetty.send.server.version=true
# should jetty send the date header?
jetty.send.date.header=false
# What host to listen on (leave commented to listen on all interfaces)
#jetty.host=myhost.com
# Dump the state of the Jetty server, components, and webapps after startup
jetty.dump.start=false
# Dump the state of the Jetty server, before stop
jetty.dump.stop=false
# Enable delayed dispatch optimisation
jetty.delayDispatchUntilContent=false


I did a check of the keystore, and all is good in there... Have now worked out it's Jetty, so this is a bit more helpful:

aaf:/opt/novell/common-services/start.d # ps -ef | grep -i jetty
vabase-+ 2615 1 0 Jun05 ? 00:05:21 /usr/bin/java -Dfile.encoding=UTF-8 -Djava.rmi.server.useCodebaseOnly=false -Dcom.ibm.security.jurisdictionPolicyDir=/usr/lib64/jvm-private/ibm/unrestricted -Drrdrest.properties=/opt/novell/common-services/etc/rrdrest.properties -Dncconfigclient.properties=/opt/novell/common-services/etc/ncconfigclient.properties -Djetty.logs=/opt/novell/jetty9/logs -Djetty.home=/opt/novell/jetty9 -Djetty.base=/opt/novell/common-services -Djava.io.tmpdir=/var/opt/novell/jetty/work -jar /opt/novell/jetty9/start.jar jetty.state=/opt/novell/common-services/jetty.state /opt/novell/common-services/etc/jetty.d/jetty-logging.xml /opt/novell/common-services/etc/jetty.d/jetty-rrdrest.xml
root 12603 12545 0 Jun05 ? 00:04:36 /usr/lib/jvm/java-1.8-openjdk/jre/bin/java -Dfile.encoding=utf-8 -Duser.language=en -Djava.io.tmpdir=/opt/symdb/tmp -Dorg.eclipse.jetty.server.Request.maxFormContentSize=800000 -Dorg.eclipse.jetty.server.Request.maxFormKeys=100000 -Dsym.keystore.file=/opt/symdb/security/keystore -Djavax.net.ssl.trustStore=/opt/symdb/security/cacerts -Djavax.net.ssl.keyStorePassword=changeit -Dlog4j.configuration=file:/opt/symdb/conf/log4j.xml -Djava.util.logging.config.file=conf/logging.properties -Dsun.net.client.defaultReadTimeout=300000 -Dsun.net.client.defaultConnectTimeout=300000 -Djava.net.preferIPv4Stack=true -Dcom.ibm.as400.access.AS400.guiAvailable=false -Dsymmetric.ssl.ignore.ciphers=TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/opt/symdb/tmp -cp /opt/symdb/patches:/opt/symdb/patches/*:/opt/symdb/lib/*:/opt/symdb/web/WEB-INF/lib/* org.jumpmind.symmetric.SymmetricLauncher --secure-port 8080 --secure-server
root 123703 123199 0 22:12 pts/0 00:00:00 grep --color=auto -i jetty


Then /opt/novell/common-services/etc/jetty.d/jetty-logging.xml gives me /var/opt/novell/jetty/logs and they say it loaded fine:

2018-06-05 08:38:37.457:INFO:oejs.ServerConnector:main: Started ServerConnector@e1c9359d{HTTP/1.1}{0.0.0.0:9090}
2018-06-05 08:38:38.558:INFO:oejs.ServerConnector:main: Started ServerConnector@1a09914{SSL-http/1.1}{0.0.0.0:9443}
2018-06-05 08:38:38.559:INFO:oejs.Server:main: Started @17906ms
2018-06-05 08:38:38.559:INFO:oejs.Server:main: jetty-9.2.15.v20160210
2018-06-05 08:38:38.560:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:/opt/novell/common-services/contexts_ganglia/] at interval 5
2018-06-05 08:38:38.751:INFO:oejs.AbstractNCSARequestLog:main: Opened /var/opt/novell/jetty/logs/2018_06_05.rrdrest.request.log
Jun 05, 2018 8:38:38 AM com.sun.jersey.api.core.PackagesResourceConfig init
INFO: Scanning for root resource and provider classes in the packages:
com.novell.rrdrest
Jun 05, 2018 8:38:38 AM com.sun.jersey.api.core.ScanningResourceConfig logClasses
INFO: Root resource classes found:
class com.novell.rrdrest.api.RrdRest
class com.novell.rrdrest.api.RrdOfflineRest
Jun 05, 2018 8:38:38 AM com.sun.jersey.api.core.ScanningResourceConfig logClasses
INFO: Provider classes found:
class com.novell.rrdrest.data.contextresolver.RrdRestContextResolver
Jun 05, 2018 8:38:38 AM com.sun.jersey.server.impl.application.WebApplicationImpl _initiate
INFO: Initiating Jersey application, version 'Jersey: 1.13 06/29/2012 05:14 PM'
configuring for natural JSON notation
2018-06-05 08:38:39.714:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@1101f090{/rrdrest,file:/var/opt/novell/jetty/work/jetty-0.0.0.0-7380-rrdrest.war-_rrdrest-any-1274126061713639647.dir/webapp/,AVAILABLE}{/opt/novell/common-services/gangliaapps/rrdrest.war}
2018-06-05 08:38:39.714:INFO:oejs.ServerConnector:main: Started ServerConnector@f8dc7107{HTTP/1.1}{0.0.0.0:7380}
2018-06-05 08:38:39.715:INFO:oejs.Server:main: Started @19062ms


But the log says zilch when I try to access the URL 😞

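The ssl.ini pasted above keeps jetty.keystore.password and the two companion passwords as the literal changeit, and its own comment warns that the OBF: form Jetty accepts instead is only protection from casual observation. To show what that warning means in practice, here is an added example, editor's code rather than anything from the post or the appliance: a Python port of the OBF scheme. It assumes the algorithm matches Jetty's org.eclipse.jetty.util.security.Password; the password strings in it are made up (the known Jetty demo value for "storepwd" is used as a check).

```python
"""Added example (editor's code): Python port of the OBF: password scheme that
Jetty start.d files accept. Assumed to match org.eclipse.jetty.util.security.Password."""

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def _base36(n):
    out = ""
    while True:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
        if not n:
            return out

def obfuscate(password):
    """Mirror Jetty's obfuscate(): each byte is combined with the byte at the
    mirrored position from the other end of the string and written as 4 base-36
    digits (5 with a 'U' prefix when either byte is outside 7-bit ASCII).
    There is no key anywhere in this; it is an encoding, not encryption."""
    b = password.encode("utf-8")
    out = ["OBF:"]
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]
        if b1 >= 0x80 or b2 >= 0x80:            # Java's "negative byte" branch
            out.append("U" + _base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            i1, i2 = 127 + b1 + b2, 127 + b1 - b2
            out.append(_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(out)

def deobfuscate(obf):
    """Invert obfuscate(): every chunk carries its original byte recoverably,
    which is why an OBF: value in ssl.ini only hides the password from a glance."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == "U":                         # 5-char chunk: b1*256 + b2 in base 36
            out.append(int(s[i + 1:i + 5], 36) >> 8)
            i += 5
        else:                                   # 4-char chunk: i1*256 + i2 in base 36
            i1, i2 = divmod(int(s[i:i + 4], 36), 256)
            out.append((i1 + i2 - 254) // 2)    # == b1 exactly (i1 + i2 = 254 + 2*b1)
            i += 4
    return out.decode("utf-8")

if __name__ == "__main__":
    # The passwords in the pasted ssl.ini are the literal "changeit"; the OBF:
    # spelling of the same value is recovered in one call.
    obf = obfuscate("changeit")
    print(obf, "->", deobfuscate(obf))
```

Anyone who can read /opt/novell/common-services/start.d can therefore recover the keystore password whether it is written in clear or as OBF:, so the file permissions on start.d and on /vastorage/conf/certs/keystore are what actually protect the private key; the Jetty documentation page referenced in the ssl.ini comment covers the alternatives.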
ScorpionSting Absent Member.

Re: aaf 6 server admin

It's Chrome being an a*ho*e

Even clearing HSTS from chrome://net-internals/#hsts and same thing happens...cleared cookies, no difference...

I really really don't want to have to clear entire Chrome cache/cookies....wish they'd offer a feature like Firefox to "forget site"....

ScorpionSting Absent Member.

Re: aaf 6 server admin

Interesting....

Tried it with Chrome on my work laptop (which is locked down from sync, extensions, etc) and I've never hit this URL on it, but I get the same Connection Close....

Konqueror loaded up fine.

IE 11 on Windows 10 reports:

Error Code: INET_E_DOWNLOAD_FAILURE


Edge reports something a little more helpful, if not contradictory:

This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

Your TLS security settings aren’t set to the defaults, which could also be causing this error.


IE 11 on Windows 7 connects.

Those that connect have cert path as fine.

I mean, wtf?

ScorpionSting Absent Member.

Re: aaf 6 server admin

Switched back to self-signed and it loads up...

Now, here's the thing...:

Self Signed Algorithm: PKCS #1 SHA-256 With RSA Encryption

My Cert Algorithm: X9.62 ECDSA Signature with SHA-512

So, it seems to be that ECDSA is not supported on a brand new security product....ummm!?!

But it will work for the AAF app itself....ummmm!?!

ScorpionSting Absent Member.

Re: aaf 6 server admin

The AAF App connects as:

The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol),ECDHE_RSA with P-256 (a strong key exchange), and AES_256_GCM (a strong cipher).


The -Dsymmetric.ssl.ignore.ciphers parameter for Jetty doesn't appear to disable this cipher:



  • SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  • SSL_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  • TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA



Which is not:



  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384


*sighs*

Knowledge Partner

Re: aaf 6 server admin

Or is it the web browser that doesn't like the certificate?
Chrome apparently discussed deprecating the SHA-512 version.
https://www.chromestatus.com/feature/5725838074970112
ScorpionSting Absent Member.

Re: aaf 6 server admin

joakim_ganse;2482230 wrote:
Or is it the web browser that doesn't like the certificate?
Chrome apparently discussed deprecating the SHA-512 version.
https://www.chromestatus.com/feature/5725838074970112


As per my other post, the same cert works with AAF app, just not the Jetty server admin....so not the cert...yet

Knowledge Partner

Re: aaf 6 server admin

Good.
I guess you have a SR open for this.
ScorpionSting Absent Member.

Re: aaf 6 server admin

joakim_ganse;2482230 wrote:
Or is it the web browser that doesn't like the certificate?
Chrome apparently discussed deprecating the SHA-512 version.
https://www.chromestatus.com/feature/5725838074970112



https://bugs.chromium.org/p/chromium/issues/detail?id=655318

This change does /not/ affect which certificates will be accepted. SHA-1 in certificates has been handled separately. This is to trim the signature algorithms we advertise for the online signature in the TLS protocol itself.


But, I will have to go through and redo all my certs down to 384 anyway... 😞

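The poster read the two certificates' signature algorithms ("PKCS #1 SHA-256 With RSA Encryption" versus "X9.62 ECDSA Signature with SHA-512") out of the browser's certificate dialog. As an added example, editor's code rather than anything from the thread or the product, the script below pulls the same fields, plus the key's curve or modulus size, out of a PEM file with only the Python standard library, so it can be run from a minimal appliance shell or wherever the pfx was exported. It assumes a standard PEM wrapper around DER; the two certificates it builds for itself are constructed stand-ins (empty names, junk signature) that exist only to be parsed, and the P-521 curve on the EC sample is an assumption, since the thread never says which curve the imported key is on.

```python
"""Added example (editor's code, not from the thread): report the signature
algorithm and the key type/curve of an X.509 certificate with only the stdlib."""
import base64

# OID -> name tables (RFC 3279 / RFC 4055 / RFC 5480).
SIG_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
            "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
            "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
            "1.2.840.10045.4.3.4": "ecdsa-with-SHA512"}
KEY_OIDS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}
CURVE_OIDS = {"1.2.840.10045.3.1.7": "P-256", "1.3.132.0.34": "P-384",
              "1.3.132.0.35": "P-521"}
# TLS 1.3 scheme names (RFC 8446 s4.2.3) tie the handshake-signature hash to the
# ECDSA curve; that handshake signature is what the quoted chromium comment is about.
CURVE_SIGSCHEME = {"P-256": "ecdsa_secp256r1_sha256",
                   "P-384": "ecdsa_secp384r1_sha384",
                   "P-521": "ecdsa_secp521r1_sha512"}

def _tlv(buf, pos):              # one DER tag-length-value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):            # elements of a SEQUENCE as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def _oid(value):                 # OBJECT IDENTIFIER content -> dotted string
    parts, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def pem_to_der(text):
    body = "".join(l.strip() for l in text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def inspect_certificate(der):
    """Signature algorithm, key type and curve / modulus size of a DER cert."""
    (_, tbs), (_, sig_alg), _ = _children(_tlv(der, 0)[1])
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    (_, alg_id), (_, pubkey) = _children(fields[5][1])
    alg = _children(alg_id)
    sig_oid, key_oid = _oid(_children(sig_alg)[0][1]), _oid(alg[0][1])
    info = {"signature_algorithm": SIG_OIDS.get(sig_oid, sig_oid),
            "key_type": KEY_OIDS.get(key_oid, key_oid)}
    if info["key_type"] == "EC":                        # parameters = namedCurve OID
        info["curve"] = CURVE_OIDS.get(_oid(alg[1][1]), _oid(alg[1][1]))
        info["tls_signature_scheme"] = CURVE_SIGSCHEME.get(info["curve"], "unknown")
    elif info["key_type"] == "RSA":                     # BIT STRING -> RSAPublicKey {n, e}
        modulus = _children(_tlv(pubkey, 1)[1])[0][1]
        info["key_bits"] = int.from_bytes(modulus, "big").bit_length()
    return info

# --- constructed sample certs: empty names, junk signature, only meant to parse ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = bytearray([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunk, v = [v & 0x7F], v >> 7
        while v:
            chunk, v = chunk + [0x80 | (v & 0x7F)], v >> 7
        body += bytes(reversed(chunk))
    return _der(0x06, bytes(body))

def build_sample_cert(sig_oid, key_alg_params, pubkey_bytes):
    name, utc = _der(0x30, b""), _der(0x17, b"180605000000Z")
    spki = _der(0x30, _der(0x30, key_alg_params) + _der(0x03, b"\x00" + pubkey_bytes))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der_oid(sig_oid)) + name + _der(0x30, utc + utc) + name + spki)
    return _der(0x30, tbs + _der(0x30, _der_oid(sig_oid)) + _der(0x03, b"\x00" + b"\x22" * 70))

def sample_ec_sha512():          # like the imported cert: ECDSA, SHA-512; P-521 assumed
    return build_sample_cert("1.2.840.10045.4.3.4",
                             _der_oid("1.2.840.10045.2.1") + _der_oid("1.3.132.0.35"),
                             b"\x04" + b"\x11" * 132)

def sample_rsa_sha256():         # like the self-signed cert: RSA (2048-bit placeholder), SHA-256
    n = b"\x00\xC0" + b"\x00" * 255
    rsa_pub = _der(0x30, _der(0x02, n) + _der(0x02, b"\x01\x00\x01"))
    return build_sample_cert("1.2.840.113549.1.1.11",
                             _der_oid("1.2.840.113549.1.1.1") + _der(0x05, b""), rsa_pub)
```

Against a real file: inspect_certificate(pem_to_der(open("server.pem").read())). The reason the output separates signature_algorithm from tls_signature_scheme is the point the quoted chromium comment makes: how the CA signed the certificate is not what Chrome trimmed; the signature the server computes during the handshake is, and in the TLS 1.3 scheme names the hash for that signature follows the key's curve, so a P-521 key lands on ecdsa_secp521r1_sha512 regardless of what the certificate itself was signed with.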
Knowledge Partner

Re: aaf 6 server admin

This whole thread seems unusual for you. For the life of me I cannot find
a symptom to troubleshoot.

On 06/05/2018 03:44 AM, ScorpionSting wrote:
>
> - Put trusted CA's into JKS store via web ui
> - Imported pfx as web server cert via web ui
> - Set imported cert as active
> - Rebooted
> - Connection Close on :9443


What do you mean "Connection Close on :9443"? Do you mean it closed when
you rebooted, as clearly that was intended? Do you mean it is still
closed after rebooting? Your next post seems to contradict that.

> ps -ef | grep 9443 shows it as listening...


I doubt that; ps shows process information, and I've never seen it reliably
show any kind of networking information. Perhaps you mean 'ss' as shown
below:


sudo /usr/sbin/ss -planeto | grep :9443


> Where can I look/troubleshoot this?


A symptom would help. In your other post you mentioned that you could
make a connection with openssl, which implies that at least through layer
four (4) you are functioning, but how does that differ from whatever you
are troubleshooting? Either it works or it does not, so while that works,
what does not? Was that command executed from the AAF box itself somehow,
or from a client system of yours (hopefully, as that would be a better
case)? If you tried using 'curl' did you see anything useful in terms of
HTTP codes (redirects perhaps)?


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
ScorpionSting Absent Member.

Re: aaf 6 server admin

ab;2482013 wrote:
This whole thread seems unusual for you. For the life of me I cannot find
a symptom to troubleshoot.

On 06/05/2018 03:44 AM, ScorpionSting wrote:
>
> - Put trusted CA's into JKS store via web ui
> - Imported pfx as web server cert via web ui
> - Set imported cert as active
> - Rebooted
> - Connection Close on :9443


What do you mean "Connection Close on :9443"? Do you mean it closed when
you rebooted, as clearly that was intended? Do you mean it is still
closed after rebooting? Your next post seems to contradict that.


As in Chrome says Connection Close

ab;2482013 wrote:

> ps -ef | grep 9443 shows it as listening...


I doubt that; ps shows process information, and I've never seen it reliably
show any kind of networking information. Perhaps you mean 'ss' as shown
below:


sudo /usr/sbin/ss -planeto | grep :9443


I mean netstat -na | grep :9443 (see what happens when you don't copy and paste and try to do 5+ things at the same time....)

ab;2482013 wrote:

> Where can I look/troubleshoot this?


A symptom would help. In your other post you mentioned that you could
make a connection with openssl, which implies that at least through layer
four (4) you are functioning, but how does that differ from whatever you
are troubleshooting? Either it works or it does not, so while that works,
what does not? Was that command executed from the AAF box itself somehow,
or from a client system of yours (hopefully, as that would be a better
case)? If you tried using 'curl' did you see anything useful in terms of
HTTP codes (redirects perhaps)?




Symptom - don't *******in work

Knowledge Partner

Re: aaf 6 server admin

On 06/05/2018 03:54 PM, ScorpionSting wrote:
>
> As in Chrome says Connection Close


That makes it sound like the connection was open before it was closed.
Seeing that in a LAN/wire trace may be interesting. If AA is killing the
connection, hopefully the logs show it. Maybe this is some kind of
TLS/SSL compatibility, e.g. Chrome supports newer stuff and AA supports
older, or vice versa, so the connection is started and then killed with an
alert about the problem (which you'd see in the LAN/wire trace).

Trying another browser may be useful.

> I mean netstat -na | grep :9443 (see what happens when you don't copy
> and paste and try to do 5+ things at the same time....)


Yes, copy/paste == good, freeform type == bad. Using code tags to show
the output exactly is also good.

Which version of openssl did you use when that worked? Is it from SLES
11, or 12, or openSUSE something? Was it from the box itself, or from
another box outside of the AA box (I presume the latter)? openssl 0.9.8
only supports up through TLS 1.0, where newer versions support up through
TLS 1.2. If the older version worked, perhaps AA uses that too, and
Chrome is rejecting old stuff, or maybe it is all reversed, but that would
imply a pretty-old version of Chrome.

ScorpionSting Absent Member.

Re: aaf 6 server admin

This is my problem....being the new AAF 6 appliance, I don't know WHERE the logs are....I've tried looking around the appliance for obvious locations (and I was initially assuming some form of webyast), but the appliance is all docker and containers which has left me a little lost.

The appliance came with its built in stores and certs, it was changing those through the web UI that 'appeared' to kill the https connection, so I need to look at the logs to find the hint as to why...it was a pfx that I use elsewhere, so I know it in itself is not a problem....may have been the web ui import or some other reason, NEED LOGS!
