Debugging EBS 12.2 SSL Setup

 Hi, 


Here is an article on the setup of TLS for our EBS 12.2. We have an F5 load balancer that terminates SSL, i.e. the user-to-F5 leg is encrypted with TLS and the F5-to-EBS leg is non-TLS. After following the setup of the context variables, all looked good except that the Forms login produced a popup:

"The Certificate is not valid and cannot be used to verify the identity of this website". We knew that we had created a new certificate and associated it with the load balancer. There was no other clue in the EBS logs.



We enabled tracing on the client JRE by setting the following runtime parameters.

-Djava.security.debug=all -Djavax.net.debug=all




Java Console errors:

Caused by: java.net.ConnectException: Connection refused: connect
        at java.net.DualStackPlainSocketImpl.connect0(Native Method)
        at java.net.DualStackPlainSocketImpl.socketConnect(Unknown Source)
        at java.net.AbstractPlainSocketImpl.doConnect(Unknown Source)
        at java.net.AbstractPlainSocketImpl.connectToAddress(Unknown Source)
        at java.net.AbstractPlainSocketImpl.connect(Unknown Source)
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.SocksSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at com.sun.jndi.ldap.Connection.createSocket(Unknown Source)
        ... 74 more

certpath: Can't create URICertStore: unable to create InitialDirContext using supplied parameters
certpath: Trying to fetch CRL from DP http://pki.example.com/pki/DEV%20Staff%20Issuing%20CA.crl
certpath: CertStore URI:http://pki.example.com/pki/DEV%20Staff%20Issuing%20CA.crl
certpath: Downloading new CRL...
certpath: X509CRLSelector.match: update out-of-range
certpath: Returning 0 CRLs
Allow unsafe renegotiation: false
Allow legacy hello messages: true



I collected the logs from the Java Console and reviewed them; the problem was clearly related to CRLs. I contacted the Security team, and it took a while to figure out the cause. Finally, it turned out to be an expired CRL (Certificate Revocation List) file for the Dev Staff Issuing CA that was causing the problem: the JRE downloaded the CRL, found the current time outside its thisUpdate/nextUpdate window ("update out-of-range"), discarded it ("Returning 0 CRLs") and therefore could not complete revocation checking for the chain. The updated CRL has been published to the pki.example.com web server, and CRL validation against the full chain is working now.
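As an added example (not from the original post), a small Java program that downloads a CRL from its distribution point and applies the same validity-window test that certpath's X509CRLSelector applies, so a stale CRL can be spotted from a workstation before users see the popup. The class name CrlCheck is my own; the default URL is the DP from the trace above.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.util.Date;

/**
 * Fetches a CRL (http:// or file:// URL) and reports whether its validity
 * window covers "now". When it does not, the JRE's certpath logs
 * "X509CRLSelector.match: update out-of-range" and "Returning 0 CRLs",
 * which is what produced the Forms login popup in this post.
 * Usage: java CrlCheck [<url-of-crl>]
 */
public class CrlCheck {

    /** True when thisUpdate <= now <= nextUpdate, i.e. the CRL is usable. */
    static boolean isCurrent(X509CRL crl, Date now) {
        Date thisUpdate = crl.getThisUpdate();
        Date nextUpdate = crl.getNextUpdate(); // null if the CA omits it
        if (now.before(thisUpdate)) {
            return false; // CRL dated in the future: check client clock skew
        }
        return nextUpdate == null || !now.after(nextUpdate);
    }

    static X509CRL load(String location) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new URL(location).openStream()) {
            return (X509CRL) cf.generateCRL(in); // accepts DER or PEM
        }
    }

    public static void main(String[] args) throws Exception {
        // Default: the distribution point seen in the certpath trace.
        String location = args.length > 0 ? args[0]
                : "http://pki.example.com/pki/DEV%20Staff%20Issuing%20CA.crl";
        X509CRL crl = load(location);
        Date now = new Date();
        System.out.println("Issuer:     " + crl.getIssuerX500Principal());
        System.out.println("thisUpdate: " + crl.getThisUpdate());
        System.out.println("nextUpdate: " + crl.getNextUpdate());
        if (isCurrent(crl, now)) {
            System.out.println("OK: CRL covers the current time; certpath will use it.");
        } else {
            System.out.println("STALE: CRL does not cover " + now
                    + "; certpath will discard it (0 CRLs), so the CA must republish.");
        }
    }
}
```

Run it against each CRL distribution point in the issuing chain; any STALE result reproduces the symptom independently of EBS or the F5.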


Hooray!!! Happy Debugging!!
