GetPreference DOS attack detected! Session will be terminated while configuring ssl
While configuring SSO in HPSM and after creating the certificates, I face the following repeated issue:
"GetPreference DOS attack detected! Session will be terminated"
which leads to this error when logging in to the system from the web: "Service Manager Server is currently not available, please try again later"
Attached: logs, sm.cfg, sm.ini & authentication files
This message is raised during login:
There are multiple messages exchanged in sequence. When Service Manager does not receive an expected message for a specific time (10 seconds), it terminates the session.
As DOS attacks typically do not follow a strict sequence of messages, this could be an indication - however, more typical is that there is just some kind of issue in network that causes a delay or packet loss.
Please note that this is just a test environment, so I don't think it is related to a network issue.
And how can I make sure of that, if this is the case?
So you're configuring SSL between the SM client and the SM server. Is the SM client the webtier or the Windows client? I am not sure what version this is, but here are some things to check.
1. If the webtier is 9.34 or higher (i.e. 9.4x, 9.5x, 9.6x) ensure that the client.keystore password is in the <tomcat>/webapps/<webtier>/WEB-INF/webtier.properties file.
2. If the Windows client, ensure that the cacerts file being used is the correct one used when generating client keystores.
3. On the SM server ensure that the /RUN/cacerts is the correct one being used for the server.keystore.
4. If this is a scaled system - meaning you're using the SM SWLB - then you may want to check the RUN\jre\lib\security\cacerts is valid as well.
The bottom line - as you can see - is that this error is usually indicative of a problem with the truststore (cacerts) when SSL is configured.
First of all, thanks a lot for your time & recommendations.
Regarding the case, I am trying to secure the connection between the SM web tier (the implementation is on SM 9.60) and the SM server.
2. Is there a specific way to ensure this point? I mean, is there a debugging parameter to detect this case?
1. Add the following parm to the sm.ini
2. Save the sm.ini
3. Restart Service Manager
4. Attempt to make a client connection
5. Look in the sm.log for more verbose SSL messages.
If you generated your own SSL certs (i.e. self signed) then more than likely you've got the wrong cacerts in either the webtier's WEB-INF or SM RTE's RUN dir.
There is no debug parameter named debugssl, therefore the logs are filled with messages saying it doesn't recognize the parm. If you want to add the correct parm it's JVMOption0:-Djavax.net.debug=all. Also, since we've not gotten to trustedsignon yet, you should turn that off and just work on SSL.
1. Edit the sm.cfg
2. Find this line:
sm -httpPort:13082 -httpsPort:13446 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:1 -debughttp:1 -log:../logs/SMSSL.log -maxlogsize:5120000 -numberoflogfiles:20
3. Change it to
sm -httpPort:13082 -httpsPort:13446 -sslConnector:1 -ssl:1 -ssl_reqClientAuth:2 -trustedsignon:0 -debughttp:1 -JVMOption0:-Djavax.net.debug=all -log:../logs/SMSSL.log -maxlogsize:5120000 -numberoflogfiles:20
4. Stop Service Manager
5. Clear the logs
6. Start Service Manager
7. Ensure the webtier is connecting to port 13082
8. Login to the webtier
9. You'll get an error
10. Send the logs
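An added example (not part of the thread, and not HP/Micro Focus code) that parses the `sm` start line from sm.cfg and checks it against the SSL-isolation settings recommended in the post above: `ssl:1` and `sslConnector:1` present, `trustedsignon:0` while the handshake is being debugged, no unrecognized `debugssl` parm, and a `JVMOption` carrying `-Djavax.net.debug`. The two start lines are the before/after lines quoted in the post; the parser's handling of values that contain their own colons (the JVM option) is an assumption about the file format that holds for the lines shown, and it assumes no parameter value contains spaces.

```python
"""Audit the `sm` start line of an HP Service Manager sm.cfg for the
SSL-debugging settings discussed in the thread. Constructed example."""

# The two start lines quoted in the post: before and after the suggested change.
BEFORE = ("sm -httpPort:13082 -httpsPort:13446 -sslConnector:1 -ssl:1 "
          "-ssl_reqClientAuth:2 -trustedsignon:1 -debughttp:1 "
          "-log:../logs/SMSSL.log -maxlogsize:5120000 -numberoflogfiles:20")
AFTER = ("sm -httpPort:13082 -httpsPort:13446 -sslConnector:1 -ssl:1 "
         "-ssl_reqClientAuth:2 -trustedsignon:0 -debughttp:1 "
         "-JVMOption0:-Djavax.net.debug=all "
         "-log:../logs/SMSSL.log -maxlogsize:5120000 -numberoflogfiles:20")


def parse_sm_line(line):
    """Turn 'sm -name:value -name:value ...' into a dict.

    Each token is split on its FIRST colon only, so a value that itself
    contains colons or equals signs (e.g. -JVMOption0:-Djavax.net.debug=all)
    survives intact. Assumes values contain no whitespace.
    """
    tokens = line.split()
    if not tokens or tokens[0] != "sm":
        raise ValueError("not an sm start line")
    params = {}
    for tok in tokens[1:]:
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r}")
        name, sep, value = tok[1:].partition(":")
        params[name] = value if sep else None  # None: flag given without a value
    return params


def audit_ssl_debug(params):
    """Return findings for isolating an SSL handshake problem.

    An empty list means the line matches the configuration recommended
    in the post: SSL listener on, trusted sign-on off, JSSE debug on.
    """
    findings = []
    if params.get("ssl") != "1" or params.get("sslConnector") != "1":
        findings.append("ssl:1 and sslConnector:1 are needed for the SSL listener")
    if params.get("trustedsignon") != "0":
        findings.append("trustedsignon should be 0 until plain SSL works")
    if "debugssl" in params:
        findings.append("debugssl is not a Service Manager parameter; remove it")
    jvm_debug = any(name.startswith("JVMOption") and "javax.net.debug" in (value or "")
                    for name, value in params.items())
    if not jvm_debug:
        findings.append("add -JVMOption0:-Djavax.net.debug=all for verbose TLS logging")
    return findings


def listener_ports(params):
    """Return (httpPort, httpsPort) as ints; the post says the webtier
    must be pointed at httpPort (13082 in this thread)."""
    return int(params["httpPort"]), int(params["httpsPort"])


if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        p = parse_sm_line(line)
        print(label, listener_ports(p), audit_ssl_debug(p) or "OK")
```

Run it against your own sm.cfg line by pasting the line into `parse_sm_line`; the `before` line reports two findings (trusted sign-on still on, no JSSE debug option) and the `after` line reports none.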
1. Check the webtier's /WEB-INF/cacerts file and see if the sm cert is present.
2. Are the certs self signed? If so, generate new server and client certs, implement, then test again.
Can you tell how you generated the SSL certificate? Using the steps provided by the guide?
By default SM considers DSA an old algorithm and sets it as disabled. Try the following and see if it works:
Take a copy of "extra.java.security" file in the SM RUN folder
Edit it with Text Editor and remove ", DSA" from the "jdk.tls.disabledAlgorithms=" section.
Restart the SM services and try to connect.
Hope it helps. If it does not help, send the commands that you used for the SSL key generation to check further.
Give Kudos if it helps.
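An added example (not part of the thread, not HP/Micro Focus code) that reads a Java security properties file of the kind the post above refers to and reports, read-only, whether DSA is on the blanket `jdk.tls.disabledAlgorithms` list, so the cause can be confirmed from the file before anything is edited. The sample file content is constructed and only modelled on a JDK java.security file; the real extra.java.security in the SM RUN folder will differ. It distinguishes a bare entry such as `DSA` from a key-size constraint such as `DSA keySize < 1024`, which only limits small keys.

```python
"""Read-only check of jdk.tls.disabledAlgorithms in a java.security-style
file. Constructed example; the sample below is made up."""

# Constructed sample, modelled on a JDK java.security file (not the real
# extra.java.security shipped with Service Manager).
SAMPLE = """\
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024
"""


def load_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comment lines,
    key=value pairs, and trailing-backslash line continuation.
    Enough for java.security files; it does not handle escapes in values."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                      # continuation of the previous line
            line, pending = pending + line, ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def disabled_entries(props, key="jdk.tls.disabledAlgorithms"):
    """Comma-separated entries of the property, whitespace trimmed."""
    return [e.strip() for e in props.get(key, "").split(",") if e.strip()]


def is_disabled(props, algorithm, key="jdk.tls.disabledAlgorithms"):
    """True only for a bare entry equal to the algorithm name.

    A constraint entry such as 'DSA keySize < 1024' is a size limit, not a
    blanket disable, so it does not count here.
    """
    return any(e.casefold() == algorithm.casefold()
               for e in disabled_entries(props, key))


def report(text, algorithm="DSA"):
    """One line per disabledAlgorithms property saying whether `algorithm`
    is blanket-disabled there."""
    props = load_properties(text)
    keys = [k for k in props if k.endswith(".disabledAlgorithms")]
    return [f"{k}: {algorithm} {'DISABLED' if is_disabled(props, algorithm, k) else 'allowed'}"
            for k in keys]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(text)))
```

Point it at the real file (`python check_disabled.py <RUN>/extra.java.security`, path as an assumed placeholder) to see whether DSA is in the TLS list before deciding whether to touch it.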
My 2 cents here: try adding the IP address & hostname of the SM server to the hosts file of the server (the Windows server default path is C:\Windows\System32\drivers\etc), log off once from the server & try connecting.