URI setup DNS and proxies
Setting up JTS/RM/CCM/QM server 4.0.3 on RH 6.4 and would like some clarification on URI definition when running setup. The plan is to have all traffic routed through a proxy on a separate box. I've gone over the install docs, and articles on planning URI, DNS and reverse proxies in topology, but either I'm misinterpreting them or it is not working as expected.
Assume server hostname = jweb, proxy = rproxy. The end goal is to have a URL of https://jazznc.dev .......
In my attempts at this I registered jazznc in DNS to the jweb IP and ran jts setup spec'ing https://jazznc.dev as the URI. This took, completed the setup and I was able to log into the various apps using https://jazznc.....
With the proxy up (using the default RH squid) I was able to log in via http://rproxy..... but I want to use http://jazznc... In DNS I flip jazznc from jweb to the proxy IP and wait until nslookup/ping resolve the IPs properly.
At this point I can log into any app and JTS eventually dies. Looking at the log files I see various errors but basically they are all the same stating:
2013-06-17 17:11:32,306 [ccm: AsynchronousTaskRunner-1 @@ 17:11] ERROR com.ibm.team.repository - CRJAZ2388E Error encountered when synchronizing user data between servers in the background. The
synchronizer will silently continue to attempt to synchronize the data.
CRJAZ1166I The stack trace hash is E58E0521DA621533DFA0BF6D1FE2C012032B5AAA.
com.ibm.team.repository.common.TeamRepositoryException: peer not authenticated….
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated …..
And I can't log into anything. After setting DNS back to the original settings and restarting JTS, it fails to come up.
Am I setting this up wrong?
Does the URI need to be https://jweb..... (the server name), with jazznc registered in DNS to the proxy IP, for this to work?
2 answers
First some background:
When a request comes into the proxy server over https,
1. The proxy establishes a connection to the server hosting RTC over https
1a. This makes the proxy the client
1b. For this connection to complete, the proxy will need to have the signerCert from the server so the ssl connection will succeed
2. Once this connection completes, RTC needs to connect to the jts server to validate the user
2a. Now RTC becomes the client connecting to the proxy
2b. For the connection from RTC to the proxy to complete, the server hosting RTC needs to have the signerCert from the proxy
...and now for the question: have all the certs been copied to the proxy and the server hosting RTC?
Comments
I created a cert on the proxy and put it into the /etc/squid dir where it is called by squid.conf.
From what you're saying (1b) I need to generate a cert on the jazz server and put it on the proxy.
For 2b, where does the cert from the proxy go on the jazz server?
The server is also hosting RM (DOORS Next Gen), QM and RRDI. Are these not also affected, requiring the cert from the proxy, and where would I put it, or is there a common location for all the apps?
You have to excuse my ignorance as this area is all new to me.
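The 2a/2b direction in the answer above (the CLM server acting as a TLS client to the proxy) is exactly where the log's `SSLPeerUnverifiedException: peer not authenticated` comes from: the JVM's truststore does not contain the signer of the proxy's certificate. The following is an added example, not code from the original thread or from IBM/jazz.net, that reproduces that failure and the fix with Python's `ssl` module. It assumes the proxy hostname is `rproxy`, that the proxy's certificate is self-signed (standing in for the cert the poster created for squid), and that the `openssl` CLI is available to mint a throw-away copy of it; a local listener plays the proxy and the client plays the CLM JVM.

```python
"""Added example (not from the original post): reproduce the one-directional
trust failure behind 'peer not authenticated' and fix it by trusting the
proxy's signer cert. Assumed, not from the page: proxy hostname 'rproxy',
self-signed proxy cert, openssl CLI present to generate a throw-away cert."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

PROXY_HOST = "rproxy"  # assumed proxy hostname; the cert is issued for it


def make_self_signed_cert(workdir, hostname=PROXY_HOST):
    """Create a self-signed cert/key for `hostname` with the openssl CLI.
    The SAN entry lets the client's hostname check match `hostname`
    even though the socket actually connects to 127.0.0.1."""
    key = os.path.join(workdir, "proxy.key")
    crt = os.path.join(workdir, "proxy.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={hostname}", "-addext", f"subjectAltName=DNS:{hostname}",
         "-keyout", key, "-out", crt],
        check=True, capture_output=True,
    )
    return crt, key


def _proxy_listener(crt, key, ready, port_box):
    """TLS server standing in for the proxy: serve one connection, then exit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    with socket.socket() as lsock:
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(1)
        port_box.append(lsock.getsockname()[1])
        ready.set()
        conn, _ = lsock.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"proxy ok")
        except OSError:
            # A client that does not trust our cert aborts the handshake with
            # an alert (e.g. 'unknown ca'); that is the failure under discussion.
            pass
        finally:
            conn.close()


def connect_like_rtc(port, signer_cert=None):
    """Act as the CLM JVM calling back through the proxy (step 2a/2b).
    Verification is on, as with a JVM truststore. Passing `signer_cert`
    trusts it as a CA: the equivalent of importing the proxy's signer cert.
    Returns the banner on success or 'peer not authenticated' on failure."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    if signer_cert:
        ctx.load_verify_locations(cafile=signer_cert)
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with ctx.wrap_socket(raw, server_hostname=PROXY_HOST) as tls:
                return tls.recv(64).decode()
    except ssl.SSLCertVerificationError:
        return "peer not authenticated"


def run_round(crt, key, signer_cert=None):
    """Start a one-shot proxy listener and connect to it once."""
    ready, port_box = threading.Event(), []
    t = threading.Thread(target=_proxy_listener, args=(crt, key, ready, port_box),
                         daemon=True)
    t.start()
    ready.wait(5)
    result = connect_like_rtc(port_box[0], signer_cert)
    t.join(5)
    return result


def demo():
    """Before: default trust, handshake rejected. After: signer trusted, OK."""
    with tempfile.TemporaryDirectory() as workdir:
        crt, key = make_self_signed_cert(workdir)
        untrusted = run_round(crt, key)                  # 'peer not authenticated'
        trusted = run_round(crt, key, signer_cert=crt)   # 'proxy ok'
    return untrusted, trusted


if __name__ == "__main__":
    before, after = demo()
    print("without the proxy's signer cert:", before)
    print("with the proxy's signer cert   :", after)
```

For a Tomcat-hosted CLM server the `load_verify_locations` step corresponds to importing the proxy's signer cert into the truststore the JVM actually uses, typically with `keytool -importcert -trustcacerts -alias rproxy -file proxy.crt -keystore <JAVA_HOME>/jre/lib/security/cacerts` followed by a restart (the alias and paths here are assumptions; the tech notes in the next answer cover the server-specific locations). Note the hostname check as well: the cert must be issued for the name the CLM server connects to, which after the DNS flip is the public URI's hostname, not only `rproxy`.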
I can speak to JTS/CCM/QM/RM; however, I suspect the other apps act in the same manner.
The application server that is hosting the CLM applications manages the SSL connection. So which application server is being used will dictate where the keys are located. If we are dealing with Tomcat, I think the following tech note should help get started:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
http://www-01.ibm.com/support/docview.wss?uid=swg21442170
Comments
Here is one more technote which may be a bit more straightforward:
http://www-01.ibm.com/support/docview.wss?uid=swg21508904