
I am unable to login via SSO url for HP SM

Hello Experts,

 

 

I have implemented SSO. While I am trying to log in to HP SM via the SSO URL, I am getting the below error in the sm.log file.

 

Erro:  No SSL certificate was presented by peer.

 

While creating SSO certificates I didn't get a single error. Successfully created.

 

I have attached the log file; please help me with this.

 

Regards,

 


Re: I am unable to login via SSO url for HP SM

Hi 

 

What do the Tomcat logs say? Make sure you copy the certificates to the web server and make the entries in all necessary files.

 

What version of Tomcat are you using? Are you also using Apache for autologin based on the Windows login ID?

 

Thanks

Deepesh Tak

Thanks,

Deepesh

Re: I am unable to login via SSO url for HP SM

Dear Deepesh,

 

Here in my environment we have installed the SM application on one server and the web server on another server, i.e. two different machines.

 

I have used Apache Tomcat 7.0 and Apache HTTP Server 2.2.

 

In Web Server machine, I have 2 webtiers:

One is the normal HP SM webtier, i.e. http://hostname:8080/HPSM9.4/ess.do or index.do

The other is the SSO webtier, i.e. http://FQDN/SMSSO/ess.do or index.do

 

I have created certificates without any errors from Web Server machine.

For SM application: server and client certificates and 

For SM webtier : only client certificates.

 

I copied the client certificates into the webapps folder of SSO.

i.e cacerts and webclient.keystore into webapps folder of SSO.

 

In SM Run folder

cacerts, smclient.keystore, trustedclient.keystore, server.keystore files.

 

Still I am unable to log in.

 

Regards,

 

 

 

 

 

 


Re: I am unable to login via SSO url for HP SM

Dear Deepesh,

 

I have doubts about the OpenSSL software bits.

 

The OS is 64-bit. I need 64-bit OpenSSL files. Where can I download the correct files?

 

Regards,

 

Micro Focus Expert

Re: I am unable to login via SSO url for HP SM

"Erro:  No SSL certificate was presented by peer."

 

This usually means that the client certificate is not correct. I've had many customers get this error and in most cases we need to regenerate the client keystore.

 

To prove this do the following steps I've pasted below. Basically we're testing on the building of success. Each step below will test Single Handshake, Dual Handshake and Dual Handshake with Trusted Clients. When the error/failure occurs you will know what you need to fix. The steps can be tedious, but beneficial in narrowing down which part to fix. 

 

 

A: Confirm we can login to Service Manager with no SSL active
 
1.       Edit the sm.ini file
   a.       Comment out all lines for SSL and trustedsignon
   b.       Add the following parameter: debughttp:1
2.       Save the sm.ini
3.       Stop and restart Service Manager
4.       Edit the <web tier>/WEB-INF/web.xml file
   a.       Set isCustomAuthentication to true
   b.      Set SSL to false
   c.      Set the <param-name>serverHost</param-name> to the FULLY QUALIFIED DOMAIN NAME OF THE SERVER WHERE SM IS RUNNING. Not LOCALHOST
 
                  <param-name>serverHost</param-name>
                  <param-value><FQDN of server where SM is running></param-value>
 
7.       Save the web.xml
8.       Stop the application server
9.       Clear the application server cache
10.   Restart the application server
11.   Launch the web browser and point to the Service Manager login screen
12.   Attempt to login. Are you able to login?
13.  Save the sm.log as sm_noSSL.log
14.  Proceed to Step B below.
 
B:  Confirm Single Handshake SSL
1.       Edit the sm.ini and set the SSL section to look like this (your specific ssl password parms might be different)
 
ssl:1
ssl_reqClientAuth:0
trustedsignon:0
keystoreFile:server.keystore
keystorePass:serverkeystore
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
truststoreFile:cacerts
truststorePass:changeit
sslConnector:1
debughttp:1
 
2.       Save the sm.ini file
3.       Edit the web.xml and make the following changes
   a.           Set the “isCustomAuthenticationUsed” to true
 
                    <param-name>isCustomAuthenticationUsed</param-name>
                   <param-value>true</param-value>
 
   b.      Set the SSL parm to true
                  
                   <param-name>ssl</param-name>
                   <param-value>true</param-value>
 
   c.       Set the cacerts parm to point to the cacerts file.
 
      <param-name>cacerts</param-name>
      <param-value>/WEB-INF/cacerts</param-value>
 
   d.      Set the client keystore parm to point to the client keystore. Your password may be different.
 
 
      <init-param>
      <param-name>keystore</param-name>
      <param-value>/WEB-INF/srvitssmt_client.keystore</param-value>
      </init-param>
      <!-- Specify the password for the client's private keystore -->
      <init-param>
      <param-name>keystorePassword</param-name>
      <param-value>clientkeystore</param-value>
      </init-param>
 
   e.      Set the <param-name>serverHost</param-name> to the FULLY QUALIFIED DOMAIN NAME OF THE SERVER WHERE SM IS RUNNING. Not LOCALHOST
 
      <param-name>serverHost</param-name>
        <param-value><FQDN of server where SM is running></param-value>
 
5.       Save the web.xml
6.       Stop the application server
7.       Clear the application server cache
8.       Restart the application server
9.       Restart Service Manager
10.   Start the web browser
11.   Point to the SM login page
12.   Login
13.   Do you get? Yes or No
14. Save the sm.log as sm_SIngleHandshake.log
 
C:  Confirm Two Way Handshake SSL
 
1.       Edit the sm.ini and set the SSL section to look like this (your specific ssl password parms might be different). Basically the only thing we’re updating now is ssl_reqClientAuth from 0 to 1
 
ssl:1
ssl_reqClientAuth:1
trustedsignon:0
keystoreFile:server.keystore
keystorePass:serverkeystore
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
truststoreFile:cacerts
truststorePass:changeit
sslConnector:1
debughttp:1
 
2.       Save the sm.ini file
3.       Restart Service Manager
4.   Start the web browser
5.   Point to the SM login page
6.   Login
7.   Do you get? Yes or No
8. Save the sm.log as sm_TwoWayHandshake.log
 
 
D:  Confirm Two Way Handshake SSL with TrustedClients
 
1.       Edit the sm.ini and set the SSL section to look like this (your specific ssl password parms might be different). Basically the only thing we’re updating now is ssl_reqClientAuth from 1 to 2
 
ssl:1
ssl_reqClientAuth:2
trustedsignon:0
keystoreFile:server.keystore
keystorePass:serverkeystore
ssl_trustedClientsJKS:trustedclients.keystore
ssl_trustedClientsPwd:trustedclients
truststoreFile:cacerts
truststorePass:changeit
sslConnector:1
debughttp:1
 
2.       Save the sm.ini file
3.       Restart Service Manager
4.   Start the web browser
5.   Point to the SM login page
6.   Login
7.   Do you get? Yes or No
8. Save the sm.log as sm_TwoWayHandshakeTrustedClients.log
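
An added example, not part of the reply above and not Micro Focus code: a small Python lint that reads an sm.ini and a web.xml, reports which of stages A to D the pair corresponds to, and flags the mismatches the steps warn about (ssl set differently on the two sides, serverHost left as localhost, a client certificate required while web.xml names no keystore). The function names, the sample files and the `#` comment marker for sm.ini are assumptions.

```python
import xml.etree.ElementTree as ET

# Stage names follow steps A-D in the post above, keyed by ssl_reqClientAuth.
STAGES = {None: "A: no SSL", "0": "B: single handshake", "1": "C: two-way handshake",
          "2": "D: two-way handshake with trusted clients"}

def parse_sm_ini(text):
    """Active key:value pairs; '#' as the comment marker is an assumption."""
    pairs = (l.strip().split(":", 1) for l in text.splitlines()
             if ":" in l and not l.strip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_web_xml(text):
    """Every <param-name>/<param-value> pair, ignoring XML namespaces."""
    params = {}
    for parent in ET.fromstring(text).iter():
        kids = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in parent}
        if "param-name" in kids:
            params[kids["param-name"]] = kids.get("param-value", "")
    return params

def check(sm_ini_text, web_xml_text):
    """Return (stage, problems) for one sm.ini / web.xml pair."""
    ini, web = parse_sm_ini(sm_ini_text), parse_web_xml(web_xml_text)
    ssl_on = ini.get("ssl") == "1"
    auth = ini.get("ssl_reqClientAuth", "0") if ssl_on else None
    problems = []
    if (web.get("ssl", "false").lower() == "true") != ssl_on:
        problems.append("ssl setting differs between sm.ini and web.xml")
    host = web.get("serverHost", "").lower()
    if host in ("localhost", "127.0.0.1") or "." not in host:
        problems.append("serverHost is not a fully qualified domain name")
    if ssl_on and not web.get("cacerts"):
        problems.append("web.xml names no cacerts file")
    if auth in ("1", "2") and not web.get("keystore"):
        problems.append("client certificate required but web.xml names no keystore")
    if auth == "2" and not ini.get("ssl_trustedClientsJKS"):
        problems.append("ssl_reqClientAuth:2 without ssl_trustedClientsJKS")
    return STAGES.get(auth, "unknown"), problems

# Constructed sample: stage C on the server, web tier missing its client keystore.
SAMPLE_INI = "ssl:1\nssl_reqClientAuth:1\n#ssl_trustedClientsJKS:trustedclients.keystore\n"
SAMPLE_WEB = """<web-app><servlet>
<init-param><param-name>ssl</param-name><param-value>true</param-value></init-param>
<init-param><param-name>cacerts</param-name><param-value>/WEB-INF/cacerts</param-value></init-param>
<init-param><param-name>serverHost</param-name><param-value>localhost</param-value></init-param>
</servlet></web-app>"""
print(check(SAMPLE_INI, SAMPLE_WEB))
```

Running it against the files in use before each restart shows which stage is actually configured, so a failure in sm.log can be matched to the right step.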

 


Re: I am unable to login via SSO url for HP SM

Hi @shehzadraza

 

I just noticed that you have created the certificate from the web server, which is not correct; you need to create the certificate from the application server (if vertical scaling) or from the SM load balancer (if horizontal scaling).

 

The main idea is to create the certificate from the main server, which would be the server where the webtier is pointing.

Thanks,

Deepesh

Re: I am unable to login via SSO url for HP SM

Dear Expert,

 

Thank you for your valid response.

 

I will work through all the steps and will get back to you soon.

 

Regards,

Shehzad


Re: I am unable to login via SSO url for HP SM

Dear Deepesh,

 

Thanks for your input. I just tried from the webtier. But before this I tried creating the certificates from the application server only, but it didn't work for me, so I created the certificates from the web server side. Now I will create them from the application server side again and get back to you.

 

Regards,

Shehzad

 

 

 

 


Re: I am unable to login via SSO url for HP SM

Hello Experts,

 

I tried the above-mentioned steps. I am unable to log in, but instead I have got the login screen for both the normal webtier and the SSO webtier.

 

I have attached the log files for every step. Please check and help me to resolve this.

 

Regards,

 


Re: I am unable to login via SSO url for HP SM

Hello Experts,

 

I have attached the sm.log file too. Please advise me.

 

Regards,

 
