I have setup a WebSphere Application Server on my RHEL 7 virtual machine. When I start the server, it starts fine and I can access the admin console but when I try to stop or get the status of the server using the script
sh stopServer.sh -server1 / sh serverStatus.sh server1
It gives the following message,
ADMU0509I: The Application Server "server1" cannot be reached. It appears to be stopped.
My wsadmin scripts are not working, when I run the script
sh wsadmin.sh -user wasadmin -password Password
I get the following error
WASX7023E: Error creating "SOAP" connection to host "localhost"; exception information: com.ibm.websphere.management.exception.ConnectorNotA
vailableException: [SOAPException: faultCode=SOAP-ENV:Protocol; msg=; targetException=java.net.MalformedURLException]
WASX7213I: This scripting client is not connected to a server process; please refer to the log file /opt/IBM\WebSphere/AppServer
/profiles/AppSrv01/logs/wsadmin.traceout for additional information.
I can access the console on the browser without any issue.
To expand on this more specifically. The file ssl.client.props looks like this typically around the com.ibm.ssl.protocol property:
$ grep -i tls -C 2 /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/ssl.client.props
#-------------------------------------------------------------------------
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
com.ibm.ssl.securityLevel=HIGH
com.ibm.ssl.trustManager=IbmPKIX
--
#-------------------------------------------------------------------------
#com.ibm.ssl.alias=AnotherSSLSettings
#com.ibm.ssl.protocol=SSL_TLS
#com.ibm.ssl.securityLevel=HIGH
#com.ibm.ssl.trustManager=IbmX509
This property can take a number of values:
This property is the SSL handshake protocol that is used for this SSL
configuration. This property attempts Transport Layer Security (TLS)
first, but accepts any remote handshake protocol, including SSLv3 and
TLSv1. Valid values for this property include SSL_TLS, SSL, SSLv2
(client side only), SSLv3, TLS, TLSv1, SSL_TLSv2, TLSv1.1, and
TLSv1.2.
These values are described in this table:
References
ssl.client.props client configuration file
Appendix A: Protocols and Cipher Suites
For me this problem came when the security level of the WAS was not consistent.
In the IBM console, it was set to TLSv1.2 and in ssl.client.props file it was set to SSL_TLS. Once they were changed to the same value my console could connect to WAS.
Related
I am trying to run schema registry server with SSL authentication but while starting the server
./schema-registry-start ../etc/schema-registry/schema-registry.properties
I keep on getting :
[2019-11-29 15:20:13,778] ERROR Error starting the schema registry (io.confluent.kafka.schemaregistry.rest.SchemaRegistryRestApplication:67)
io.confluent.kafka.schemaregistry.exceptions.SchemaRegistryException: No listener configured with requested scheme SSL
io.confluent.kafka.schemaregistry.storage.KafkaSchemaRegistry.getSchemeAndPortForIdentity(KafkaSchemaRegistry.java:210)
But I have the listeners,broker everything configured
kafkastore.bootstrap.servers=SSL://<my-brokers>
security.protocol=SSL
ssl.truststore.location=/home/ec2-user/kafka.client.truststore.jks
ssl.keystore.location=/home/ec2-user/kafka.client.keystore.jks
ssl.keystore.password=my-pass
ssl.key.password=my-key
listeners=https://0.0.0.0:443
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=fals
schema.registry.inter.instance.protocol=SSL
schema.registry.url=https://<IP>:443
You'll want to verify the listeners of the brokers
Then, security protocol itself isn't valid, plus the inter instance protocol of the registry should be https, not SSL
https://docs.confluent.io/current/schema-registry/installation/config.html
Plus, you have a typo on ssl.client.auth=false, and schema.registry.url is a client setting only, not on the server
i`m trying to connect mongodb to php application from compose to local,but get this error.
but i can remote using mongo chef
No suitable servers found (serverSelectionTryOnce set): [TLS handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed calling ismaster
I think you have 3 options to solve this problem.
1. Disable SSL on your server
Find mongod.conf, if you're using linux, then normally it should locate at /etc/mongod.conf, use # to comment these lines under net. Finally, you need to restart mongodb for making change works.
net:
ssl:
mode: requireSSL
PEMKeyFile: ./mongodb.pem
...
2. Use the option called weak_cert_validation on your client
This is not a safety solution, but this is definitely one of the simplest one.
For example, if the mongoDB server has enable SSL but without (or did't) offering CA certificate(means self-signed certificate), then set weak_cert_validation as true in the client side, a example for C client:
mongoc_ssl_opt_t ssl_opts = {0};
ssl_opts.weak_cert_validation = true;
mongoc_client_set_ssl_opts(client, &ssl_opts);
3. Follow configure-ssl to create a certificate and get it signed for your program.
Here some provider: https://en.wikipedia.org/wiki/Certificate_authority#Providers
I've recently spun up a new Zabbix 3.0 instance on Ubuntu 16.04 using Php 7.0 and I am running into a lot of issues trying to get it to e-mail the Zabbix administrators. We are trying to use Amazon SES to send out the e-mails. For our setup, we have a usename & password that was generated by SES we are using port 587 with SSL/TLS connection. I've made sure that the alert is enabled and that the E-mail media type was enabled as well. I've also double checked the Zabbix is compiled with SMTP & TLS support. I've also verified that the Zabbix server can get to the Amazon SMTP endpoint on port 587. From the messages it seems to be some form of a communication issue, but everything I've tried isn't really getting me anywhere.
SSL connect error: Encountered end of file
26163:20170515:131115.744 * NSS error -5938 (PR_END_OF_FILE_ERROR)
26163:20170515:131115.744 * Encountered end of file
26163:20170515:131115.744 * Closing connection 0
26163:20170515:131115.744 SSL connect error: Encountered end of file
26163:20170515:131115.744 End of send_email():FAIL
26163:20170515:131115.744 End of execute_action():FAIL
26163:20170515:131115.744 error sending alert ID [812]
26163:20170515:131115.744 query without transaction detected
26163:20170515:131115.744 query [txnlev:0] [update alerts set
retries=1,error='SSL connect error: Encountered end of file' where
alertid=812]
26163:20170515:131115.746 In execute_action(): alertid [813] mediatype [0]
26163:20170515:131115.746 In send_email() smtp_server:'email-smtp.us-east-
1.amazonaws.com' smtp_port:587 smtp_security:2 smtp_authentication:1
26163:20170515:131115.750 * Trying 54.235.77.145...
26163:20170515:131115.752 * Connected to email-smtp.us-east-1.amazonaws.com
(54.235.77.145) port 587 (#0)
26163:20170515:131115.752 * WARNING: failed to load NSS PEM library
libnsspem.so. Using OpenSSL PEM certificates will not work.
26166:20170515:131115.761 __zbx_zbx_setproctitle() title:'http poller #1
[got 0 values in 0.000736 sec, getting values]'
26166:20170515:131115.761 In process_httptests()
26166:20170515:131115.761 query [txnlev:0] [select h.hostid,h.host,h.name,t.httptestid,t.name,t.variables,t.headers,t.agent,t.authentication,t.http_user,t.http_password,t.http_proxy,t.retries,t.ssl_cert_file,t.ssl_key_file,t.ssl_key_password,t.verify_peer,t.verify_host from httptest t,hosts h where t.hostid=h.hostid and t.nextcheck<=1494868275 and mod(t.httptestid,1)=0 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
26166:20170515:131115.762 End of process_httptests()
26166:20170515:131115.762 query [txnlev:0] [select min(t.nextcheck) from httptest t,hosts h where t.hostid=h.hostid and mod(t.httptestid,1)=0 and t.status=0 and h.proxy_hostid is null and h.status=0 and (h.maintenance_status=0 or h.maintenance_type=0)]
26166:20170515:131115.762 No httptests to process in get_minnextcheck.
Just for reference, I do have Zabbix running off of HTTPS. To get that configured I just made a change to the Apache sites-enabled default file to point to the certificate on the local machine. They are signed certificates. I had also installed the most recent openssl package
Has anyone ran into this issue before or know of what might be happening?
Any help would be appreciated!
Thanks :)
587 is STARTTLS, use 465 for SSL/TSL (don't forget to configure security group):
You may have problems with email/email domain verification. Be sure that's OK.
I'm having a strange problem. I followed few guides from the net. My goal is to create a SMTP postfix that will use Cyrus SASL to authenticate users upon sending email with different imap server.
Making all more simple: have to transfer/replace current smtp server with new one as current is on public cloud and gets on black lists pretty often.
What I managed so far is:
Working Postfix
Authentication working when using :
testsaslauthd -u user#domain.com -p password
I'm getting Ok "Success" so I assume sasl itself work.
When I invoke saslfinger -s
I'm getting:
There is no smtpd.conf that defines what SASL should do for Postfix.
SMTP AUTH can't work!
but it seems that all is fine within the configuration files:
/etc/postfix/sasls/smtp.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
/etc/postfix/main.cf:
smtpd_recipient_restrictions = reject_invalid_hostname,
permit permit_mynetworks,
permit_sasl_authenticated
disable_vrfy_command = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
/etc/default/saslauthd-postfix:
START=yes
MECHANISMS="rimap"
MECH_OPTIONS="domain.com -r"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
I'm running postfix chroot'ed so had to create a symlink but like I said. It all seems to work independently, just need to be linked somehow.
When I try to setup account in outlook, I got wrong name or password.
The log on Debian says:
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL NTLM authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: SASL authentication failure: unable to canonify user and get auxprops
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL DIGEST-MD5 authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: warning: unknown[192.168.108.1]: SASL LOGIN authentication failed: authentication failure
May 11 23:35:43 smtp-test postfix/smtpd[741]: lost connection after AUTH from unknown[192.168.108.1]
May 11 23:35:43 smtp-test postfix/smtpd[741]: disconnect from unknown[192.168.108.1]
Strange thing is it tries NTLM(not mentioned anywhere) instead of RIMAP. And cannot make canonical name of user even after adding -r switch that should combine name and realm/domain name.
I guess that is related to first warning from saslfinger but cannot find the cause.
All updated to newest available versions.
Any help?
I am facing this error in Webmail Lite.
I have Exim installed. Here is a snippet of the auth block:
PLAIN:
driver = plaintext
server_set_id = $auth2
server_prompts = :
.ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
.endif
server_condition = “${if crypteq{$auth3}{${extract{1}{:}{${lookup{$auth2}lsearch{/etc/$domain/passwd}{$value}{*:*}}}}}{1}{0}}”
I have the passwd stored in the following format:
username:{MD5}asddfasdlasdkandlanskfdaf
How do I get AUTH enabled and working ?
Thanks in advance.
One reason for this error message is sending HELO instead of EHLO, or sending EHLO in the wrong order.
But this message can occur even if EHLO is used, when the server is running Exim.
On my server, I found the solution. In WHM > Home > Service Configuration > Exim
Configuration Manager, the option "Require clients to connect with SSL
or issue the STARTTLS command before they are allowed to authenticate
with the server" was set to the default (On). I'm not sure if I did this
or not, and it is ordinarily a great idea for security, but forces the
mailserver to enable (advertise) only the STARTTLS command, not AUTH. So
when my script sends AUTH, the error message the server sends is correct.
Further information is at http://blog.networkpresence.co/?p=8923 .
Someday when I have time I will find out how to change my script to use
TLS, so I can turn that Exim option On for security.
In my case,this error not coming regularly.some time it works but some time it gives this error.(SMTP Error: Could not authenticate.)
I debug this then I found this
SMTP -> get_lines(): $data was ""
SMTP -> get_lines(): $str is "503 AUTH command used when not advertised "
SMTP -> get_lines(): $data is "503 AUTH command used when not advertised "
SMTP -> FROM SERVER:503 AUTH command used when not advertised
SMTP -> ERROR: RSET failed: 503 AUTH command used when not advertised
SMTP Error: Could not authenticate.