CA Service Management


How to configure attachments with SSL, F5 and DNS

  • 1.  How to configure attachments with SSL, F5 and DNS

    Posted Jul 20, 2016 03:58 AM

    Hi All

    Having problems configuring the attachment servlet (SSL) where the F5 IP is a DNS entry.

    https://dns.fqdn

    My SSL cert houses the following name 'support.company.com'.

    My SDM URL via DNS is 'https://support.company.com', which looks like 'https://support.company.com/CAisd/pdmweb.exe' when I hit the SDM logon screen. I am able to log in but not do attachments.

    My servlet is 'https://server.company.com:443/CAisd/UploadServlet'. I changed the servlet to reflect the DNS entry 'support' to look like this: 'https://support.company.com:443/CAisd/UploadServlet'

    ... BUT it still fails, any advice?

    Thank you

    Jacques



  • 2.  Re: How to configure attachments with SSL, F5 and DNS

    Broadcom Employee
    Posted Jul 20, 2016 06:37 AM

    Jacques,

    UploadServlet is hosted on the SDM Tomcat engine and not your web server (I am guessing you have Apache or IIS for 80/443).

    Tomcat's default port is 8080.

    https://server.company.com:8443/CAisd/UploadServlet is a more appropriate one, assuming such redirection does exist for you.

    _R



  • 3.  Re: How to configure attachments with SSL, F5 and DNS

    Posted Jul 20, 2016 07:05 AM

    Hi Raghu

    Yes, I agree Tomcat runs in SDM and that is the reason why I removed port 443 from IIS and allocated it to Tomcat.

    Attachments with URL https://<server_name>.<company.com>/CAisd/pdmweb.exe work and I can attach.

    ... but when using the DNS entry, where the URL is https://<DNS>.<company.com>/CAisd/pdmweb.exe, it fails.

    The business does not want to show server_name in the URL on the internet.

    Hence me asking what the config should look like in the server servlet for attachments. I currently have https://support.company.com:443/CAisd/UploadServlet but attachments fail.

    Thank you

    Jacques



  • 4.  Re: How to configure attachments with SSL, F5 and DNS

    Broadcom Employee
    Posted Jul 20, 2016 05:31 PM

    Jacques,

    The browser console might give some clues on this. Maybe you're getting a denial because of a cert mismatch error, or because Cross-Origin filtering (CORS) is not enabled properly.

    Which release/patch level of SDM is this?

    Thx

    _R



  • 5.  Re: How to configure attachments with SSL, F5 and DNS

    Broadcom Employee
    Posted Jul 20, 2016 06:02 PM

    A couple of questions:

    1. Are you seeing the problem across different browsers (does it work in IE but not Chrome)?

    2. Does any specific error show up if you use the F12 console in the browser where this is seen?



  • 6.  Re: How to configure attachments with SSL, F5 and DNS

    Posted Jul 21, 2016 04:00 AM

    Hi

    The F12 console shows no script errors, and it fails in both IE and Chrome browsers.

    My setup is 14.1 with the latest patch level, advanced availability with 2 x App servers, 1 x Standby & 1 x Background server.

    I don't think it is browser related because attachments work fine when the servlet upload URL is https://<server>.company.com:443/CAisd/UploadServlet

    Attachments fail when the servlet upload URL is changed to https://<DNS>.company.com:443/CAisd/UploadServlet

    stdlog shows nothing even when logstat is increased.

    Thank you



  • 7.  Re: How to configure attachments with SSL, F5 and DNS

    Posted Jul 22, 2016 06:49 AM

    It would seem the reason is that my cert only has the DNS name, and when attachments want to attach to the background server (which is not in the cert) it fails.

    So, how to configure the servlet to accommodate the cert?



  • 8.  Re: How to configure attachments with SSL, F5 and DNS

    Broadcom Employee
    Posted Jul 22, 2016 09:11 AM

    Are you using an Advanced Availability setup?

    If so, is your Repository's Servlet Server property (look at the detail screen of the repository) set to Background? That might be one way in which your request ends up against the BG server.

    Check that BG server's details screen (Administration -> System -> Servers) and see what the Upload Servlet URL is there. Is it coded to use https://BGServer/CAisd/UploadServlet OR is it using https://FQDN/CAisd/UploadServlet?

    _R



  • 9.  Re: How to configure attachments with SSL, F5 and DNS

    Posted Jul 22, 2016 10:29 AM

    Hi

    Setup is Advanced Availability; the background server (Administration -> System -> Servers) is configured as follows ...

    https://<server_name>.<FQDN>:443/CAisd/UploadServlet

    Some context ...

    I have the F5 IP configured to a DNS entry (https://<company.com>) that load balances my 2 x Application servers.

    So when logging onto SDM my URL is displayed as https://company.com/CAisd/pdmweb.exe

    My SSL cert only shows approved servers as https://<company.com>

    So ... when doing an attachment to the background server, which is configured as https://<server_name>.<company.com(FQDN)>:443/CAisd/UploadServlet in Administration -> System -> Servers, the <server_name> per servlet is NOT defined within the SSL cert (which is why I think my attachments fail).

    My thoughts at this point in time are ...

    From some research I have done it would seem that Tomcat somehow needs to be configured (server.xml) to indicate the DNS entry of the SSL cert that also points to the background server, possibly in conjunction with the hosts file at C:\windows\system32\drivers\etc

    Why all of this ...

    Governance, Risk & Security will not allow the display of the server name within the SSL cert (only https://company.com).

    I actually find it strange that nobody else has had this request and setup done already.



  • 10.  Re: How to configure attachments with SSL, F5 and DNS

    Broadcom Employee
    Posted Jul 23, 2016 12:09 PM

    Are you able to test changing the BG server's servlet URL to

    https://f5alias/CAisd/UploadServlet and see if that helps?

    Your SDM Tomcat's nxroot/bopcfg/www/CATALINA_BASE/Conf/server.xml should be referencing a keystore. That keystore, what cert does it have? The server_name.company one or the F5 alias one?

    I think you need the latter one here.

    _R



  • 11.  Re: How to configure attachments with SSL, F5 and DNS

    Posted Jul 25, 2016 05:12 AM

    Hi

    Yes, I tested the following servlet setup:

    https://f5alias/CAisd/UploadServlet

    https://f5alias:443/CAisd/UploadServlet

    The keystore has the F5 alias cert.

    Maybe I need to include the following.

    Testing ...

    https://server_name.fqdn:443/CAisd/UploadServlet

    Testing this setup via Chrome, it works ... but because of the server_name of the servlet (per configuration) the attachment is done without SSL ... Chrome indicates HTTPS is no longer valid ... but seemingly Chrome allows this and is happy to attach.

    Testing this setup via IE, it fails.

    My company standard browser is IE, and within IE the attachments fail, which leads me to kind of conclude that IE fails the attachment due to the SSL cert.

    Testing ...

    https://f5_alias:443/CAisd/UploadServlet

    Testing this setup via Chrome and IE, it fails.

    Question ...

    How would Tomcat as the back-end communicator know where and what the background server is when the servlet is configured as the f5alias?

    Does Tomcat as the back-end communication for SDM first look at DNS entries to know what the address of the background server is?

    That is why I think additional settings / config need to be done for Tomcat as the SDM back-end communication to know where / what the background server name / IP is when you configure the servlet as f5_alias.

    Thank you

    Jacques



  • 12.  Re: How to configure attachments with SSL, F5 and DNS
    Best Answer

    Posted Jul 29, 2016 06:11 AM

    Resolution ...

    In this configuration (Advanced Availability), F5 is being used as load balancer for 2 x Application Servers. This covers configuring Tomcat, DNS entries, and which DNS entries to put in the SSL certs to make this configuration work.

    F5 is configured with its own IP address, which is published to the internet and is also used for the internal LAN linked to a DNS entry.

    The SSL certs must comply with Governance, Risk & Security, which only allows SSL certs to show DNS naming for servers (example: https://support.company.com).

    You need to create an additional SSL cert for configuring on all your servers. This cert needs 2 additional entries for the upload servlets (background & standby servers), and these additional entries need to be created in DNS as well.

    You don't have to create an additional cert: if you want to add the upload servlet entries in your F5 cert you can, and then configure that cert on your servers as well, bearing in mind that the upload servlet DNS names will be visible when the cert is viewed on the internet.

    In this example we created an additional cert as follows:

                 • support.company.com

                 • backgroundattach.company.com

                 • standbyattach.company.com

    Make sure all of these are DNS entries pointing to the correct servers / IP addresses (e.g. backgroundattach.company.com: DNS points to the Background Server IP).

    Configuring Tomcat is as normal, per the documentation.

    When configuring the attachment servlets for the background and standby servers you use these DNS entries as follows:

    Background Server

    https://backgroundattach.company.com:443/CAisd/UploadServlet

    Standby Server

    https://standbyattach.company.com:443/CAisd/UploadServlet

    Tested with failover and it is working.
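The failure in this thread is a hostname mismatch: the upload-servlet URL names a server that the certificate does not cover, which a strict client (IE here) refuses. The following is an added example, not code from the thread or from CA/Broadcom; it checks each configured upload-servlet URL against a certificate's SAN list before rollout, using the constructed SAN names and servlet URLs from the resolution post, and includes a live handshake check that behaves like a strict browser.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed example: the SAN names of the extra certificate described in the
# resolution post (hypothetical hostnames, as used in the thread).
SAN_LIST = ["support.company.com", "backgroundattach.company.com", "standbyattach.company.com"]


def hostname_matches_san(hostname, san):
    """RFC 6125-style match: exact name, or a wildcard in the leftmost label only."""
    hostname, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return hostname == san
    host_labels, san_labels = hostname.split("."), san.split(".")
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def uncovered_servlet_hosts(servlet_urls, sans):
    """Hostnames of upload-servlet URLs that no SAN in the certificate covers.

    These are exactly the URLs a strict client (IE in the thread) will refuse."""
    missing = []
    for url in servlet_urls:
        host = urlsplit(url).hostname
        if host is None or not any(hostname_matches_san(host, san) for san in sans):
            missing.append(host or url)
    return missing


def verify_servlet_tls(url, timeout=5):
    """Live check (needs network): the TLS handshake a strict browser would perform.

    Returns (True, "ok") or (False, reason) when the chain or hostname fails."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, "ok"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected for {host}: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return False, f"connection to {host}:{port} failed: {exc}"


if __name__ == "__main__":
    servlets = ["https://backgroundattach.company.com:443/CAisd/UploadServlet",
                "https://standbyattach.company.com:443/CAisd/UploadServlet",
                "https://server01.company.com:443/CAisd/UploadServlet"]  # constructed
    print("not covered by cert:", uncovered_servlet_hosts(servlets, SAN_LIST))
```

Run `verify_servlet_tls` from a workstation that trusts the same CA as the browsers; a `certificate rejected` result for a servlet URL is the condition that broke attachments in this thread.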