Having problems with your account or logging in?
A lot of changes are happening in the community right now. Some may affect you. READ MORE HERE
Mohamed_Halim Valued Contributor.
Valued Contributor.
875 views

GetPreference DOS attack detected! Session will be terminated while configuring ssl

Hi experts,

while configuring sso in HPSM and after creating the certificates i face the following repeated issue 

"GetPreference DOS attack detected! Session will be terminated"

which let to that error while logging to the system from web "Service Manager Server is currently not available, please try again later"

attached logs,sm.cfg,sm.ini & Authentication Files

Labels (4)
0 Likes
11 Replies
Micro Focus Expert
Micro Focus Expert

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

Hello Mohammed,

This message is raised during login:

There are multiple messages exchanged in sequence. When Service Manager does not receive an expected message for a specific time (10 seconds), it terminates the session.

As DOS attacks typically do not follow a strict sequence of messages, this could be an indication - however, more typical is that there is just some kind of issue in network that causes a delay or packet loss.

Best regards,

Armin

 

0 Likes
Mohamed_Halim Valued Contributor.
Valued Contributor.

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

Dear Afranke

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

So you're configuring SSL between the SM client and the SM server. Is the SM client the webtier or the windows client? I am not sure what version this is, but here aer some things to check.

1. If the webtier is 9.34 or higher (i.e. 9.4x, 9.5x, 9.6x) ensure that the client.keystore password is in the <tomcat>/webapps/<webtier>/WEB-INF/webtier.properties file. 

2. If the windows client ensure that the cacerts file being used is the correct one used when generating client keystores

3. On the SM server ensure that the /RUN/cacerts is the correct one being used for the server.keystore.

4. If this is a scaled system - meaning you're using the SM SWLB - then you may want to check the RUN\jre\lib\security\cacerts is valid as well.

The bottom line - as you can see - is that this error is usually indicative of a problem with the truststore (cacerts) when SSL is configured.

0 Likes
Mohamed_Halim Valued Contributor.
Valued Contributor.

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

Dear Brett,

First of all, thanks alot for your time & recommendations. 

Regarding the case, I try to secure connection between SM- Web tier -The implementation on sm9.60- and the SM server. 

1- Checked 

2- Is there a specific way to ensure this point? i mean is there a debugging parameter to detect this case?

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

1. Add the following parm to the sm.ini

debughttp:1

2. Save the sm.ini

3. Restart Service Manager

4. Attempt to make a client connection

5. Look in the sm.log for more verbose SSL messages.

If you generated your own SSL certs (i.e. self signed) then more than likely you've got the wrong cacerts in either the webtier's WEB-INF or SM RTE's RUN dir. 

0 Likes
Mohamed_Halim Valued Contributor.
Valued Contributor.

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

Dear Brett,

I followed your suggestions and attached the logs, sm.ini & sm.log

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

There is no debug parameter named debugssl therefore the logs are filled with messages saying it doesn't recognize the parm. If you want to add the correct parm it's JVMOption0:-Djavax.net.debug=all. Also, since we've not gotten to trustedsignon yet you should turn that off and jusst work on SSL.

1. Edit the sm.cfg

2. Find this line:

sm -httpPort:13082 -httpsPort:13446 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:1 -debughttp:1 -log:../logs/SMSSL.log -maxlogsize:5120000 -numberoflogfiles:20

 

3. Change it to 

sm -httpPort:13082 -httpsPort:13446 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:0 -debughttp:1 -JVMOption0:-Djavax.net.debug=all -log:../logs/SMSSL.log -maxlogsize:5120000 -numberoflogfiles:20

4. Save

5. Stop Service Manager

6. Clear the logs

7. Start Service Manager

8. Ensure the webtier is connecting to port 13082

9. Login to the webtier

10. You'll get an error

11. Send the logs

 

 

0 Likes
Mohamed_Halim Valued Contributor.
Valued Contributor.

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

Dear Brett,

I followed your instractions, and attached the logs 

0 Likes
Micro Focus Expert
Micro Focus Expert

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

1. Check the webtier's /WEB-INF/cacerts file and see if the sm cert is present. 

2. Are the certs self signed? If so generate new server and client certs and implement then test again

0 Likes
Highlighted
Super Contributor.. HPSW_Consult Super Contributor..
Super Contributor..

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

Can you tell how did you generate the ssl certificate? Using the steps provided by Guide?

By default SM considers DSA as old algorigthm and set it as disabled. Try the following if it works

Take a copy of "extra.java.security" file in the SM RUN folder

Edit it with Text Editor and remove ", DSA" from the "jdk.tls.disabledAlgorithms=" section.

Restart the SM services and try to connect.

Hope it helps. if does not help, send the commands that you used for the SSL key generation to check further.

Thanks.

Give Kudos if it helps.
Tags (3)
0 Likes
Honored Contributor.. NeoJax Honored Contributor..
Honored Contributor..

Re: GetPreference DOS attack detected! Session will be terminated while configuring ssl

Hi Mohamed_Halim,

2 cents here , try adding IP address & hostname of SM server in host file of the server (windows server default path is (C:\Windows\System32\drivers\etc) ) , log off once form server & try connecting.

Thanks

Neo

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.