Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

URI setup DNS and proxies

Setting up JTS/RM/CCM/QM server 4.0.3 on RH 6.4 and would like some clarification on URI definition when running setup. The plan is to have all traffic routed through a proxy on a separate box. I've gone over the install docs, and articles on planning URI, DNS and reverse proxies in topology but either I'm misinterpreting them or it not working as expected.

 

Assume server hostname = jweb, proxy = rpoxy   The end goal is to have a url of https://jazznc.dev .......

In my attempts at this I registered in DNS jazznc to the jweb IP and ran jts setup spec'ing  https://jazznc.dev as the URI. This took, completed the setup and i was able to log into the various apps using  https://jazznc.....

 

With the proxy up (using the default RH squid) I was able to log in via http://rproxy..... but I want used to use http://jazznc...    In DNS I flip jazznc from jweb to the proxy IP and wait until nslookup/ping resolves the IP's properly.

 

At this point I can log into any app and JTS eventually dies. Looking at the log files  I see various errors but basically they are all the same stating:

2013-06-17 17:11:32,306 [ccm: AsynchronousTaskRunner-1 @@ 17:11] ERROR com.ibm.team.repository      - CRJAZ2388E Error encountered when synchronizing user data between servers in the background.  The

synchronizer will silently continue to attempt to synchronize the data.

CRJAZ1166I The stack trace hash is E58E0521DA621533DFA0BF6D1FE2C012032B5AAA.

com.ibm.team.repository.common.TeamRepositoryException: peer not authenticated….

Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated …..

 

And I can't log into anything.  Setting DNS back to the original settings and a JTS restart fails to come up.

 

Am I setting this up wrong?

Does the URI need to be https://jweb..... (the server name) and I DNS register jazznc to the proxy IP for this to work.

0 votes



2 answers

Permanent link
Hi Norman,

First some background:
When a request comes into the proxy server over https,
1. The proxy establishes a connection to the server  hosting RTC over https
1a. This makes the proxy the client
1b.. For this connection to complete, the proxy will need to have the signerCert from the server so the ssl connection will succeed
2. Once this connection completes, RTC needs to connect to the jts server to validate the user
2a. Now RTC becomes the client connecting to the proxy
2b. For the connection from RTC to the proxy to complete, the server hosting RTC needs to have the signerCert from the proxy

..and now for the question: have all the certs been copied to the proxy and the server hosting RTC?






0 votes

Comments

I created a cert on the proxy and put it into the /etc/squid dir where it is called by squid.conf.

From what your saying (1b) I need to generate a cert on the jazz server and put in on the proxy .

For 2b RTC where does the cert from the proxy go on the jazz server?

The server is also hosting RM (doors next gen) , qm and rrdi. Are these also not affected requireing the cert from the proxy and where would I put it or is there a common location for all the apps?

You have to excuse my ignorance as this area is all new to me.


Permanent link
Hi Norman,

I can speack to JTS/CCM/QM/Rm...however i suspect the other apps act in the same manner.

The application server that is hosting the CLM applications manages the SSL connection.  So depending on which application server that is being used will dictate where the keys are located.  IF we are dealing with Tomcat, I think the following tech note should help get started
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
http://www-01.ibm.com/support/docview.wss?uid=swg21442170

0 votes

Comments

Here is one more technote which may be a bit more strait forward
http://www-01.ibm.com/support/docview.wss?uid=swg21508904

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 7,495
× 6,121
× 2,357
× 27
× 3

Question asked: Jun 19 '13, 8:21 a.m.

Question was seen: 5,172 times

Last updated: Jun 19 '13, 1:29 p.m.

Confirmation Cancel Confirm