
SSL-securing User App on Windows

I've installed IDM User App 4.02 on a Windows 2008 R2 server. It works
fine over the HTTP port, but SSL over 8443 doesn't work. I followed the
documentation at
https://www.netiq.com/documentation/idm402/agpro/data/b2gx72y.html and
used our AD organizational CA to sign the CSR. I don't see anything in
boot.log or server.log to indicate what the problem might be. Where
should I look for clues?

Thanks



Re: SSL-securing User App on Windows

On 06/17/2014 02:35 PM, Black, Douglas wrote:
> I've installed IDM User App 4.02 on a Windows 2008 R2 server. It works
> fine over the HTTP port, but SSL over 8443 doesn't work. I followed the
> documentation at
> https://www.netiq.com/documentation/idm402/agpro/data/b2gx72y.html and
> used our AD organizational CA to sign the CSR. I don't see anything in
> boot.log or server.log to indicate what the problem might be. Where
> should I look for clues?
>
> Thanks
>
>

Greetings,
Unless you have made changes to the xml files for JBoss, it will by
default utilize:

HTTP -> 8180
HTTPS -> 8543

Without having a server log to look at, it is rather difficult to
provide suggestions.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: SSL-securing User App on Windows

Steven Williams,

> Unless you have made changes to the xml files for JBoss, it will by
> default utilize:
>
> HTTP -> 8180
> HTTPS -> 8543
>
> Without having a server log to look at, it is rather difficult to
> provide suggestions.
>


I tried both 8443 and 8543. Here is the boot.log:
http://pastebin.com/VTxPEnb4

The server.log is here:
http://pastebin.com/ZdYkd74K


Thanks


Re: SSL-securing User App on Windows

On 06/18/2014 09:05 AM, Black, Douglas wrote:
> Steven Williams,
>
>> Unless you have made changes to the xml files for JBoss, it will by
>> default utilize:
>>
>> HTTP -> 8180
>> HTTPS -> 8543
>>
>> Without having a server log to look at, it is rather difficult to
>> provide suggestions.
>>

>
> I tried both 8443 and 8543. Here is the boot.log:
> http://pastebin.com/VTxPEnb4
>
> The server.log is here:
> http://pastebin.com/ZdYkd74K
>
>
> Thanks
>

Greetings,
From the log, jboss is not starting the https listener. I would
double check that you updated the correct server.xml. The one you need
to update based upon the log file is:

C:/novell/idm/jboss/server/IDM/deploy/jbossweb.sar/server.xml

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: SSL-securing User App on Windows

Steven Williams,

> From the log, jboss is not starting the https listener. I would
> double check that you updated the correct server.xml. The one you need
> to update based upon the log file is:
>
> C:/novell/idm/jboss/server/IDM/deploy/jbossweb.sar/server.xml
>


Here's my edited server.xml:
http://pastebin.com/zPBxsDvL

I verified that it's in the location you specified.


Thanks


Re: SSL-securing User App on Windows

On 06/18/2014 12:58 PM, Black, Douglas wrote:
> Steven Williams,
>
>> From the log, jboss is not starting the https listener. I would
>> double check that you updated the correct server.xml. The one you need
>> to update based upon the log file is:
>>
>> C:/novell/idm/jboss/server/IDM/deploy/jbossweb.sar/server.xml
>>

>
> Here's my edited server.xml:
> http://pastebin.com/zPBxsDvL
>
> I verified that it's in the location you specified.
>
>
> Thanks
>

Greetings,

Here is what you would normally see when https is fully enabled at the
end of the start-up:

[Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8180

[AjpProtocol] Starting Coyote AJP/1.3 on ajp-0.0.0.0-8109

[Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8543

ServerImpl] JBoss (Microcontainer) [5.1.0.GA (build:
SVNTag=JBoss_5_1_0_GA date=200905221053)]


2) Make sure that the password for your keystore file is the same as the
one for the certificate inside. JBoss otherwise will not be able to
read the certificate and hence it will not load the https listener.

3) Please make sure you typed the password correctly in the server.xml

4) Please make sure that you have the correct path and name for the keystore

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: SSL-securing User App on Windows

Steven Williams,
>
> Here is what you would normally see when https is fully enabled at the
> end of the start-up:
>
> [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8180
>
> [AjpProtocol] Starting Coyote AJP/1.3 on ajp-0.0.0.0-8109
>
> [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8543
>
> ServerImpl] JBoss (Microcontainer) [5.1.0.GA (build:
> SVNTag=JBoss_5_1_0_GA date=200905221053)]
>
>
> 2) Make sure that the password for your keystore file is the same as the
> one for the certificate inside. JBoss otherwise will not be able to
> read the certificate and hence it will not load the https listener.
>
> 3) Please make sure you typed the password correctly in the server.xml
>
> 4) Please make sure that you have the correct path and name for the
> keystore
>


The path to the keystore was:
keystoreFile="${jboss.server.home.dir}/conf/keys.keystore"

I thought maybe that, this being a Windows box, it might want
backslashes, so I replaced that with this:
keystoreFile="c:\novell\idm\jboss\server\conf\keys.keystore"

I also ran "keytool -list -v -keystore keys.keystore" from a command
prompt while in that directory, and verified that the password
successfully opened the store.


Still looking...

Thanks





Re: SSL-securing User App on Windows

On 06/18/2014 02:01 PM, Black, Douglas wrote:
> Steven Williams,
>>
>> Here is what you would normally see when https is fully enabled at the
>> end of the start-up:
>>
>> [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8180
>>
>> [AjpProtocol] Starting Coyote AJP/1.3 on ajp-0.0.0.0-8109
>>
>> [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8543
>>
>> ServerImpl] JBoss (Microcontainer) [5.1.0.GA (build:
>> SVNTag=JBoss_5_1_0_GA date=200905221053)]
>>
>>
>> 2) Make sure that the password for your keystore file is the same as the
>> one for the certificate inside. JBoss otherwise will not be able to
>> read the certificate and hence it will not load the https listener.
>>
>> 3) Please make sure you typed the password correctly in the server.xml
>>
>> 4) Please make sure that you have the correct path and name for the
>> keystore
>>

>
> The path to the keystore was:
> keystoreFile="${jboss.server.home.dir}/conf/keys.keystore"
>
> I thought maybe that, this being a Windows box, it might want
> backslashes, so I replaced that with this:
> keystoreFile="c:\novell\idm\jboss\server\conf\keys.keystore"
>
> I also ran "keytool -list -v -keystore keys.keystore" from a command
> prompt while in that directory, and verified that the password
> successfully opened the store.
>
>
> Still looking...
>
> Thanks
>
>
>
>

Greetings,
Is the password for the keystore the same as the password for the
certificate? If not then that will be an issue as I outlined above.



--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: SSL-securing User App on Windows

Steven Williams,

>>

> Greetings,
> Is the password for the keystore the same as the password for the
> certificate? If not then that will be an issue as I outlined above.
>
>


Yes, I used the same password for both. I guess I'll try recreating the
keystore and key, just to be trying something.

Thanks



Re: SSL-securing User App on Windows


> Yes, I used the same password for both. I guess I'll try recreating the
> keystore and key, just to be trying something.
>


Same result. I wonder if there's something wrong with the way I'm
signing the cert request... but then why would the keystore accept and
display the signed cert?



Re: SSL-securing User App on Windows

Repeated the process for the umpteenth time, this time using iManager
and the vault tree CA to sign the CSR. Same result. <insert long
string of curse words here>




Re: SSL-securing User App on Windows

On 06/19/2014 10:04 AM, Black, Douglas wrote:
> Repeated the process for the umpteenth time, this time using iManager
> and the vault tree CA to sign the CSR. Same result. <insert long
> string of curse words here>
>
>
>

Greetings,
I would suggest a Google search and/or searching the JBoss Community
Forums if you have not already.

--

Sincerely,
Steven Williams
Lead Software Engineer
NetIQ

Re: SSL-securing User App on Windows


If I am reading your server.xml file correctly, you have a "-->" where
it shouldn't be. See the last line below:


<!-- SSL/TLS Connector configuration using the admin devl guide
keystore
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
-->
<!-- SSL/TLS Connector using custom keystore and OSUWMC-signed
cert -db- >
<Connector protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="100" strategy="ms"
maxHttpHeaderSize="8192"
emptySessionPath="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/keys.keystore"
keystorePass="[REDACTED]" sslProtocol = "TLS" />

-->


--
celsolima

Re: SSL-securing User App on Windows

celsolima,

>
> If I am reading your server.xml file correctly, you have a "-->" where
> it shouldn't be. See the last line below:
>


You must not be reading it correctly, because when I removed it, JBoss
failed to load with a "premature end of file" warning.


Thanks though.




Re: SSL-securing User App on Windows


<!-- SSL/TLS Connector configuration using the admin devl guide keystore
<Connector protocol="HTTP/1.1" SSLEnabled="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
keystorePass="rmi+ssl" sslProtocol = "TLS" />
-->
<!-- SSL/TLS Connector using custom keystore and OSUWMC-signed
cert -db- >
<Connector protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="100" strategy="ms"
maxHttpHeaderSize="8192"
emptySessionPath="true"
port="8443" address="${jboss.bind.address}"
scheme="https" secure="true" clientAuth="false"
keystoreFile="${jboss.server.home.dir}/conf/keys.keystore"
keystorePass="[REDACTED]" sslProtocol = "TLS" />

-->

Problem is, you've opened the comments "<!-- SSL/TLS" then closed it
afterwards.....only removing the final "-->" makes the rest of the file
a comment (hence "end of file" error on startup)....need to also change
"cert -db- >" to "cert -db- -->", then you can remove the last "-->"


--
ScorpionSting
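The failure diagnosed in the last reply, as an added example (not part of any post in this thread, and not NetIQ or JBoss code): a check that lists which `<Connector>` elements in a server.xml are live and which are swallowed by a comment, since a malformed terminator such as `- >` leaves the file well-formed and produces no log error. The sample XML is constructed from the fragment quoted above, with a placeholder password; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml fragment in the thread.
# "- >" does not end an XML comment, so the comment runs to the later "-->".
BROKEN = """<Server><Service name="jboss.web">
  <Connector protocol="HTTP/1.1" port="8180" address="${jboss.bind.address}" />
  <!-- SSL/TLS Connector using custom keystore and signed cert -db- >
  <Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443"
             scheme="https" secure="true" clientAuth="false"
             keystoreFile="${jboss.server.home.dir}/conf/keys.keystore"
             keystorePass="CHANGE_ME" sslProtocol="TLS" />
  -->
</Service></Server>"""

# Terminator repaired to "-->" and the stray trailing "-->" removed.
FIXED = BROKEN.replace("-db- >", "-db- -->").replace("/>\n  -->", "/>")

COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
CONNECTOR = re.compile(r"<Connector\b[^>]*>", re.DOTALL)
PORT = re.compile(r'\bport\s*=\s*"([^"]*)"')

def audit_connectors(xml_text):
    """Return (active_ports, commented_ports) for <Connector> elements."""
    root = ET.fromstring(xml_text)  # raises ParseError if not well-formed
    active = [c.get("port") for c in root.iter("Connector")]
    commented = []
    for body in COMMENT.findall(xml_text):
        for tag in CONNECTOR.findall(body):
            m = PORT.search(tag)
            commented.append(m.group(1) if m else "?")
    return active, commented

def https_listener_enabled(xml_text):
    """True only if a live (uncommented) Connector has SSLEnabled="true"."""
    root = ET.fromstring(xml_text)
    return any(c.get("SSLEnabled", "").lower() == "true"
               for c in root.iter("Connector"))

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_connectors(text), https_listener_enabled(text))
```

Deleting only the trailing `-->` from the broken sample leaves the comment unterminated, so the parse fails outright, which matches the "premature end of file" result reported earlier in the thread.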