Super Contributor

Issue with SSL setup on F5 HW LB running on 2 applications servers

Hardware Load Balancer

Issue in configuring SSL for the Horizontal Scaling setup on a Hardware Load Balancer using the self-signed SSL batch files. Environment setup: an F5 HW LB distributing the load to 2 SM Application Servers on port 13080.

I had followed the attached document and the SSL configuration was not successful. I generated the server certificates (SM app server) and client certificates (the HW LB being the client) using Approach 1. What should the serverkeystore values in sm.ini of the SM App servers be? The Windows connection will remain the HW LB FQDN with port 13080. How do the certificates generated on the SM App servers with Approach 1 work with the HW LB FQDN?

Can anyone help?

Has anyone tried configuring SSL using a HW LB?

I have done the following steps with a software load balancer and it worked perfectly.

Software Load Balancer

Configuration of SSL works fine with the Software Load Balancer Horizontal Scaling setup using the self-signed SSL batch files.

To configure SSO & SSL on Software Load Balancer Horizontal Scaling,
where the primary server is the SM LB (master server) and the secondary servers are SM App1, App2 etc. (slave servers):

Step 1: Creating the server certificates:
Run the batch file tso_srv_svlt.bat on the primary server in a command prompt.

This generates cacerts, server.keystore
Copy these files to RUN folder of primary server and update sm.ini as below:
ssl:1
ssl_reqClientAuth:2
trustedsignon:1
keystoreFile:server.keystore
keystorePass:<ServerKeyPwd>
ssl_trustedClientsJKS:trustedClients.jks
ssl_trustedClientsPwd:<TrustedClientsPwd>
truststoreFile:cacerts
truststorePass:<changeit> 
sslConnector:1

Step 2: Creating the server certificates on slave servers
Run the batch file tso_2_srv_svlt.bat on the primary server in a command prompt:
> tso_cln_svlt.bat <slave servers machine name(FQDN)>

This generates slaveserver.keystore.
Copy these files to the RUN folder of the respective slave servers and update sm.ini as below:
ssl:1
ssl_reqClientAuth:2
trustedsignon:1
keystoreFile:slaveserver.keystore
keystorePass:<ServerKeyPwd>
ssl_trustedClientsJKS:trustedClients.jks
ssl_trustedClientsPwd:<TrustedClientsPwd>
truststoreFile:cacerts
truststorePass:<changeit> 
sslConnector:1

Repeat step 2 with the FQDN of each respective slave server.

Step 3: Creating the client certificates:
Run the batch file tso_cln_svlt.bat on the primary server in a command prompt:
> tso_cln_svlt.bat <client machine name(FQDN)>
> tso_cln_svlt.bat <FQDN of windows client>
> tso_cln_svlt.bat <FQDN of web client>

Repeat step 3 with the FQDN of each respective client.

Step 4: Test SSL - SM eclipse client

- Launch the eclipse client
- Configure SSL information
> Windows > setup environment
>> CA certificate file (cacerts generated in Step 1)
>> Client Key store file (windowsclient.keystore generated in Step 3)
>> Client Key store password
- Create new connection
server host name : xxxp.com (Primary SM Server FQDN - SM LB Hostname)
port:13080 (LB Port)

- Advanced tab > use SSL encryption

When SSL is connected, the logs should show: SSL connection accepted

Please share the similar steps for a Hardware Load Balancer, if anyone has successfully achieved this earlier.

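The question above turns on which names the generated server certificate actually carries: the keystore from Step 1 is built on one SM app server, while the Windows client connects to the HW LB FQDN. The following is an added example (not from the thread or from the Service Manager batch files) that parses the text printed by `keytool -list -v -keystore <file>` and reports whether a certificate's CN or DNS SANs cover the FQDN a client will type in. The keytool listing, alias names and host names below are constructed sample data, not taken from the poster's environment.

```python
"""Check which host names a Java keystore certificate covers (added example)."""
import re

# Constructed sample of `keytool -list -v` output: a server keystore generated on
# app server "app1" whose certificate names only that host.
SAMPLE_LISTING = """\
Alias name: server
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=app1.corp.example, OU=SM, O=Example
Issuer: CN=Example Self-Signed CA, O=Example
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: app1.corp.example
]
"""


def parse_keytool_listing(text: str) -> list:
    """Return [{alias, cn, sans}] for each entry, using only the end-entity
    certificate (Certificate[1]) when a chain is listed."""
    entries, cur, in_san, skip = [], None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            cur = {"alias": line.split(":", 1)[1].strip(), "cn": None, "sans": []}
            entries.append(cur)
            in_san, skip = False, False
        elif cur is None:
            continue
        elif line.startswith("Certificate["):
            skip = not line.startswith("Certificate[1]")  # ignore issuer certs
        elif skip:
            continue
        elif line.startswith("Owner:") and cur["cn"] is None:
            m = re.search(r"CN=([^,]+)", line)
            if m:
                cur["cn"] = m.group(1).strip()
        elif line.startswith("SubjectAlternativeName ["):
            in_san = True
        elif in_san and line.startswith("]"):
            in_san = False
        elif in_san and line.startswith("DNSName:"):
            cur["sans"].append(line.split(":", 1)[1].strip())
    return entries


def name_matches(pattern: str, host: str) -> bool:
    """TLS-style host match: exact (case-insensitive) or a single leftmost wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == host


def entry_covers(entry: dict, fqdn: str) -> bool:
    """True if the entry's CN or any DNS SAN matches the FQDN the client connects to."""
    names = ([entry["cn"]] if entry["cn"] else []) + entry["sans"]
    return any(name_matches(n, fqdn) for n in names)


def check_keystore_covers(listing: str, fqdn: str) -> dict:
    """Map each alias in a keytool listing to whether its certificate covers fqdn."""
    return {e["alias"]: entry_covers(e, fqdn) for e in parse_keytool_listing(listing)}


if __name__ == "__main__":
    # Clients connect to the LB name, not to the app server that made the keystore.
    for host in ("app1.corp.example", "smlb.corp.example"):
        print(host, check_keystore_covers(SAMPLE_LISTING, host))
```

Run it against the real listing by piping `keytool -list -v -keystore server.keystore` into a file and passing the file contents to `check_keystore_covers` with the LB FQDN; an alias reported as `False` means a client that validates the server name against the LB FQDN will not accept that certificate, which is worth ruling out before looking at the client-authentication side.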
Micro Focus Expert

Re: Issue with SSL setup on F5 HW LB running on 2 applications servers

I know these instructions work as I've configured this, but it was quite some time ago. However, in my test I had only one Service Manager Server RTE (I was testing for something else). Yet, I know these will work.

What happens when you try to log in? What errors are seen in the logs? You can add debughttp:1 to the sm.ini files and attempt to log in. SSL errors will be written to the sm.log of the server where the connection was routed.

Super Contributor

Re: Issue with SSL setup on F5 HW LB running on 2 applications servers

Have you tried SSL with a HW LB? Which approach did you use? Does SM act as server or client?

debughttp:1 is enabled in sm.ini

I have tried using SM as the server and the HW LB as the client (i.e. Approach 1).

Step 1: Ran tso_srv_slvt.bat on app1, then I got server.keystore & cacerts with app1 information (step 1).

Step 2: Ran tso_cln_slvt.bat with the HW LB FQDN as client, then I got HW LB FQDN.keystore with the HW LB information in it (step 1).

Step 3: Repeated by running the tso_2nd_srvs_svlt.bat <slave server machine name> batch file for my second app server
node, which is in the horizontally scaled environment. Then I got trustedclients.keystore and mysmapp2.keystore.

These files were copied to SM app1 & app2 (server.keystore & cacerts, trustedclients.keystore, mysmapp2.keystore), and I exported HW LB FQDN.keystore to a private key & imported the SSL certificates in the F5 HW LB as explained in the document (steps 2, 3, 4).

My sm.ini on app1 is:

ssl:1
ssl_reqClientAuth:2
sslConnector:1
trustedsignon:1
keystoreFile:server.keystore
*keystorePass:FGFG576723C71519B1D91F57AD8FC5A3CBE0GFGF
ssl_trustedClientsJKS:trustedclients.keystore
*ssl_trustedClientsPwd:FGFGDC880F920B19B5F85C11B5729CE08A99GFGF
truststoreFile:cacerts
*truststorePass:FGFG94756E829D12BA03B795D51498135DF4GFGF
external_lb

and my sm.ini on app2 is:

ssl:1
ssl_reqClientAuth:2
sslConnector:1
trustedsignon:1
keystoreFile:mysmapp2.keystore
*keystorePass:FGFG576723C71519B1D91F57AD8FC5A3CBE0GFGF
ssl_trustedClientsJKS:trustedclients.keystore
*ssl_trustedClientsPwd:FGFGDC880F920B19B5F85C11B5729CE08A99GFGF
truststoreFile:cacerts
*truststorePass:FGFG94756E829D12BA03B795D51498135DF4GFGF
external_lb

--------------------------

Different error messages in sm.log state:

java.lang.IllegalArgumentException: Invalid character (CR or LF) found in method name 

No SSL certificate was presented by the peer!

SOAP Failure - Message send failed - Remote host closed connection during handshake

GetPreference DOS attack detected! Session will be terminated.

Logs and screenshot (SM app2 - with port 13081 checked for SSL) attached

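One of the sm.log messages quoted above, "Invalid character (CR or LF) found in method name", is what a Java HTTP connector typically reports when the bytes of a TLS handshake (a record starting 0x16 0x03 ...) are parsed as a plaintext HTTP request line, i.e. a TLS client reached a port that is not expecting TLS, or a plaintext request reached an SSL-only listener. The following is an added example, not from the thread or from Service Manager, that classifies the first bytes a listener receives as a TLS ClientHello (and pulls out the SNI host name, which shows which FQDN the client asked for) or as plaintext HTTP, and flags the combination that does not match the listener's `sslConnector` setting. The `build_client_hello` helper only constructs sample input for the checks; all byte strings and host names are constructed, not captured from the poster's F5.

```python
"""Classify first bytes on a listener: TLS ClientHello (with SNI) vs plaintext HTTP (added example)."""
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello, or None if it carries no SNI.
    Raises ValueError if the bytes are not a well-formed ClientHello record."""
    try:
        if data[0] != 0x16:                      # record type 22 = handshake
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if body[0] != 0x01:                      # handshake type 1 = ClientHello
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        pos = 2 + 32                             # client_version + random
        pos += 1 + hello[pos]                    # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                    # compression_methods
        if pos + 2 > len(hello):
            return None                          # no extensions block at all
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == 0:                       # server_name extension
                lpos = 2                         # skip server_name_list length
                while lpos + 3 <= len(edata):
                    ntype = edata[lpos]
                    nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                    name = edata[lpos + 3:lpos + 3 + nlen]
                    if ntype == 0:               # host_name
                        return name.decode("ascii")
                    lpos += 3 + nlen
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc


def classify_first_bytes(data: bytes) -> dict:
    """Label the leading bytes of a connection and, for TLS, report the SNI host."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        try:
            return {"kind": "tls-client-hello", "sni": extract_sni(data)}
        except ValueError:
            return {"kind": "tls-record-unparsed", "sni": None}
    if data.startswith(HTTP_METHODS):
        return {"kind": "http-plaintext", "sni": None}
    return {"kind": "unknown", "sni": None}


def listener_mismatch(kind: str, ssl_connector: bool) -> bool:
    """True when the traffic kind contradicts the listener's sslConnector setting:
    TLS on a plaintext port is what produces the 'Invalid character (CR or LF)' error,
    plaintext on an SSL-only port fails in the handshake instead."""
    if kind.startswith("tls"):
        return not ssl_connector
    if kind == "http-plaintext":
        return ssl_connector
    return False


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello carrying one SNI entry (test input only)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    hello = (b"\x03\x03" + bytes(32)                    # client_version, random
             + b"\x00"                                  # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
             + b"\x01\x00"                              # null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    # Constructed samples: what the LB might send to port 13080 in each case.
    for sample in (build_client_hello("smlb.corp.example"), b"GET /SM/ui HTTP/1.1\r\n"):
        info = classify_first_bytes(sample)
        print(info, "mismatch on sslConnector:1 ->", listener_mismatch(info["kind"], True))
```

In practice the bytes come from a packet capture or from a small diagnostic socket bound to a spare port; the SNI value tells you whether the LB forwards the client's original name (the LB FQDN from the question) or its own, which is exactly what decides which certificate name the app servers must present.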