Issue with SSL setup on F5 HW LB running on 2 application servers
Hardware Load Balancer
Issue in configuring SSL for the Horizontal Scaling setup on a Hardware Load Balancer using self-signed SSL batch files. The environment setup is an F5 HW LB distributing the load to 2 SM Application Servers on port 13080.
I followed the attached document and the SSL configuration is not successful. I generated the server certificates (SM app server) and client certificates (with the HW LB as the client) using Approach 1. What should the serverkeystore values in sm.ini of the SM App servers be? The Windows client connection will remain the HW LB FQDN with port 13080. How do the certificates generated on the SM App servers with Approach 1 work with the HW LB FQDN?
Can anyone help?
Has anyone tried configuring SSL using a HW LB?
I have done the following steps with a software load balancer and it worked perfectly.
Software Load Balancer
Configuration of SSL is working fine with the setup on Software Load Balancer Horizontal Scaling using self-signed SSL batch files.
To configure SSO and SSL on Software Load Balancer Horizontal Scaling,
where the primary server will be the SM LB (master server) and the secondary servers are SM App1, App2, etc. (slave servers):
Step 1: Creating the server certificates:
Run the batch file tso_srv_svlt.bat on the primary server in a command prompt.
This generates cacerts and server.keystore.
Copy these files to the RUN folder of the primary server and update sm.ini as below:
Step 2: Creating the server certificates on slave servers:
Run the batch file tso_2_srv_svlt.bat on the primary server in a command prompt:
> tso_cln_svlt.bat <slave server machine name (FQDN)>
This generates slaveserver.keystore.
Copy these files to the RUN folder of the respective slave server and update sm.ini as below:
Repeat step 2 with the FQDN of each respective slave server.
Step 3: Creating the client certificates:
Run the batch file tso_cln_svlt.bat on the primary server in a command prompt:
> tso_cln_svlt.bat <client machine name (FQDN)>
> tso_cln_svlt.bat <FQDN of Windows client>
> tso_cln_svlt.bat <FQDN of web client>
Repeat step 3 with the FQDN of each respective client.
Step 4: Test SSL - SM Eclipse client
- Launch the Eclipse client
- Configure the SSL information
> Windows > Setup environment
>> CA certificate file (cacerts generated in Step 1)
>> Client key store file (windowsclient.keystore generated in Step 3)
>> Client key store password
- Create a new connection
server host name: xxxp.com (Primary SM Server FQDN - SM LB hostname)
port: 13080 (LB port)
- Advanced tab > Use SSL encryption
When SSL is connected, the logs should show: SSL connection accepted
Please share the similar steps for a Hardware Load Balancer, if anyone has successfully achieved this earlier.
I know these instructions work as I've configured this, but it was quite some time ago. However, in my test I had only one Service Manager Server RTE (I was testing for something else). Yet, I know these will work.
What happens when you try to login? What errors are seen in the logs? You can add debughttp:1 to the sm.ini files and attempt to login. SSL errors will be written to the sm.log where the connection was routed.
Have you tried SSL with a HW LB? Which approach did you use? Does SM act as Server or Client?
debughttp:1 is enabled in sm.ini.
I have tried with SM acting as Server and the HW LB acting as client (i.e. Approach 1):
Step 1: Ran tso_srv_slvt.bat on app1, then I got server.keystore and cacerts with app1 information (step 1).
Step 2: Ran tso_cln_slvt.bat with the HW LB FQDN as client, then I got HW LB FQDN.keystore with the HW LB information in it (step 1).
Step 3: Repeated by running the tso_2nd_srvs_svlt.bat <slave server machine name> batch file for my second app server node, which is in the horizontally scaled environment. Then I got trustedclients.keystore and mysmapp2.keystore.
These files are copied to SM app1 and app2 (server.keystore and cacerts, trustedclients.keystore, mysmapp2.keystore), and I exported HW LB FQDN.keystore to a private key and imported the SSL certificates in the F5 HW LB as explained in the document (steps 2, 3, 4).
My sm.ini in app1 is:
and my sm.ini in app2 is:
The different error messages in sm.log are:
java.lang.IllegalArgumentException: Invalid character (CR or LF) found in method name
No SSL certificate was presented by the peer!
SOAP Failure - Message send failed - Remote host closed connection during handshake
SOAP Failure - Message send failed - Remote host closed connection during handshake
GetPreference DOS attack detected! Session will be terminated.
Logs and screenshot (SM app2 - with port 13081, SSL checked) attached.
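As an added example (not from this thread, and not a reproduction of the tso_*.bat files), the openssl script below builds a throwaway CA, issues a server certificate to an app-server name and a client certificate for the load balancer, and runs the two checks that sit behind the question in the first post and the errors in the last one: whether a server certificate verifies for the FQDN the client actually dials (the LB name in Step 4 above, not the app-server name the certificate was generated on), and whether a client certificate chains to the CA the server trusts (the server-side counterpart of a message like "No SSL certificate was presented by the peer", which says the peer sent none at all). It goes slightly beyond the thread by also showing a certificate whose SAN covers the LB name and both nodes, which is the form that passes the hostname check from either node. All host names are constructed, and the script assumes an openssl binary of 1.1.0 or later for the -verify_hostname option.

```shell
#!/bin/sh
# Added example: openssl-only demonstration of hostname matching and CA chaining
# for a TLS setup fronted by a load balancer. Nothing here is Service Manager code.
# All FQDNs are constructed for the demo.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
LB_FQDN="hwlb.example.test"      # assumed: the name clients put in the connection
APP1_FQDN="smapp1.example.test"  # assumed: first app-server node
APP2_FQDN="smapp2.example.test"  # assumed: second app-server node

# Minimal req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"

# make_ca: throwaway CA playing the role of the trust anchor (the "cacerts" file).
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_cert NAME SAN_LIST: private key plus CA-signed certificate for NAME
# carrying the given subjectAltName list (e.g. "DNS:a.test,DNS:b.test").
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_valid_for_host NAME HOST: succeeds only if NAME's certificate chains to the
# CA AND carries HOST. This is what a TLS client checks against the name it dialled.
cert_valid_for_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# chains_to_ca NAME: succeeds if NAME's certificate is trusted by the CA, hostname
# aside. This is the server-side question for a client certificate presented by the LB.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# run_demo: builds the PKI and prints four yes/no answers, in this order:
#   1. app1 cert (SAN = app1 only) valid for the LB name?        -> no
#   2. app1 cert valid for its own name?                          -> yes
#   3. app1 cert re-issued with SAN = LB + both nodes, for LB?    -> yes
#   4. LB's client cert chains to the CA?                         -> yes
run_demo() {
  make_ca || return 1
  issue_cert "$APP1_FQDN" "DNS:$APP1_FQDN" || return 1
  issue_cert "lb-client" "DNS:$LB_FQDN" || return 1   # cert the LB would present as client
  r1=$(cert_valid_for_host "$APP1_FQDN" "$LB_FQDN" && echo yes || echo no)
  r2=$(cert_valid_for_host "$APP1_FQDN" "$APP1_FQDN" && echo yes || echo no)
  issue_cert "$APP1_FQDN" "DNS:$LB_FQDN,DNS:$APP1_FQDN,DNS:$APP2_FQDN" || return 1
  r3=$(cert_valid_for_host "$APP1_FQDN" "$LB_FQDN" && echo yes || echo no)
  r4=$(chains_to_ca "lb-client" && echo yes || echo no)
  echo "$r1 $r2 $r3 $r4"
}

run_demo
```

The first answer is the one that matters for the setup in the thread: a server certificate issued only to an app-server FQDN fails hostname verification for a client that dials the LB FQDN, however correctly it chains to the CA. The fourth answer covers the other direction; if the LB does not present a certificate at all, no chaining check can succeed, which is what a "no certificate was presented by the peer" style message reports.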