URI setup DNS and proxies
Norman Dignard (356●6●96●177)
| asked Jun 19 '13, 8:21 a.m.
edited Jun 19 '13, 8:54 a.m. by Paul Slauenwhite (8.4k●1●2)
Setting up JTS/RM/CCM/QM server 4.0.3 on RH 6.4 and would like some clarification on URI definition when running setup. The plan is to have all traffic routed through a proxy on a separate box. I've gone over the install docs, and articles on planning URI, DNS and reverse proxies in topology but either I'm misinterpreting them or it not working as expected.
Assume server hostname = jweb, proxy = rpoxy The end goal is to have a url of https://jazznc.dev .......
In my attempts at this I registered in DNS jazznc to the jweb IP and ran jts setup spec'ing https://jazznc.dev as the URI. This took, completed the setup and i was able to log into the various apps using https://jazznc.....
With the proxy up (using the default RH squid) I was able to log in via http://rproxy..... but I want used to use http://jazznc... In DNS I flip jazznc from jweb to the proxy IP and wait until nslookup/ping resolves the IP's properly.
At this point I can log into any app and JTS eventually dies. Looking at the log files I see various errors but basically they are all the same stating:
2013-06-17 17:11:32,306 [ccm: AsynchronousTaskRunner-1 @@ 17:11] ERROR com.ibm.team.repository - CRJAZ2388E Error encountered when synchronizing user data between servers in the background. The
synchronizer will silently continue to attempt to synchronize the data.
CRJAZ1166I The stack trace hash is E58E0521DA621533DFA0BF6D1FE2C012032B5AAA.
com.ibm.team.repository.common.TeamRepositoryException: peer not authenticated….
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated …..
And I can't log into anything. Setting DNS back to the original settings and a JTS restart fails to come up.
Am I setting this up wrong?
Does the URI need to be https://jweb..... (the server name) and I DNS register jazznc to the proxy IP for this to work.
|
2 answers
Hi Norman,
First some background: When a request comes into the proxy server over https, 1. The proxy establishes a connection to the server hosting RTC over https 1a. This makes the proxy the client 1b.. For this connection to complete, the proxy will need to have the signerCert from the server so the ssl connection will succeed 2. Once this connection completes, RTC needs to connect to the jts server to validate the user 2a. Now RTC becomes the client connecting to the proxy 2b. For the connection from RTC to the proxy to complete, the server hosting RTC needs to have the signerCert from the proxy ..and now for the question: have all the certs been copied to the proxy and the server hosting RTC? Comments
Norman Dignard
commented Jun 19 '13, 9:30 a.m.
I created a cert on the proxy and put it into the /etc/squid dir where it is called by squid.conf. From what your saying (1b) I need to generate a cert on the jazz server and put in on the proxy . For 2b RTC where does the cert from the proxy go on the jazz server? The server is also hosting RM (doors next gen) , qm and rrdi. Are these also not affected requireing the cert from the proxy and where would I put it or is there a common location for all the apps? You have to excuse my ignorance as this area is all new to me. |
Hi Norman,
I can speack to JTS/CCM/QM/Rm...however i suspect the other apps act in the same manner. The application server that is hosting the CLM applications manages the SSL connection. So depending on which application server that is being used will dictate where the keys are located. IF we are dealing with Tomcat, I think the following tech note should help get started http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html http://www-01.ibm.com/support/docview.wss?uid=swg21442170 Comments
Abraham Sweiss
commented Jun 19 '13, 1:29 p.m.
Here is one more technote which may be a bit more strait forward
|
Your answer
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.