
CA Directory : Issue in enabling replication over SSL

Question asked by Hubert Dennis Employee on Oct 31, 2014
Latest reply on Aug 16, 2017 by Hubert Dennis

Hello All

Any clues why replication is failing over SSL? I have 3 DataDSAs, i.e.

kstore
kstore2
kstore3

I added an entry in “kstore” and it tries to replicate to the other two. Whilst doing so it reports these messages in the WARNING log file.

[0] 20141031.100732.635 WARN : max-local-ops has no effect
[0] 20141031.100732.639 WARN : Loading cache
[0] 20141031.100732.653 WARN : Datastore was created at: 20141027193625Z
[0] 20141031.100732.653 WARN : Datastore was created for: kstore
[0] 20141031.100732.680 WARN : Cache loaded, 9296 entries
[0] 20141031.100732.800 WARN : Memory used by cache: 5094970 + 7975679
[0] 20141031.100732.800 WARN : Found new MW DSA: kstore2
[0] 20141031.100732.800 WARN : Found new MW DSA: kstore3
[5] 20141031.101404.461 WARN : Verify error 20: unable to get local issuer certificate
[5] 20141031.101404.461 WARN : SSL Error
[5] 20141031.101404.461 WARN : 5:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:979:
[5] 20141031.101404.461 WARN : ssld_ssl_request failed
[5] 20141031.101404.461 WARN : Remote DSA 'kstore2' aborted
[5] 20141031.101404.461 WARN : Marking DSA 'kstore2' as down
[8] 20141031.101404.466 WARN : Verify error 20: unable to get local issuer certificate
[8] 20141031.101404.466 WARN : SSL Error
[8] 20141031.101404.466 WARN : 8:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:979:
[8] 20141031.101404.466 WARN : ssld_ssl_request failed
[8] 20141031.101404.466 WARN : Remote DSA 'kstore3' aborted
[8] 20141031.101404.466 WARN : Marking DSA 'kstore3' as down

In kstore2 I see the following:

[7] 20141031.113949.755 WARN : TLS/SSL handshake failed for call from 138.42.177.173:46823
[4] 20141031.114050.852 WARN : TLS/SSL handshake failed for call from 138.42.177.173:46825
[1] 20141031.114151.951 WARN : TLS/SSL handshake failed for call from 138.42.177.173:48584
[9] 20141031.114252.047 WARN : TLS/SSL handshake failed for call from 138.42.177.173:48586
[3] 20141031.114353.149 WARN : TLS/SSL handshake failed for call from 138.42.177.173:48588
[5] 20141031.114454.247 WARN : TLS/SSL handshake failed for call from 138.42.177.173:48590
[4] 20141031.114555.340 WARN : TLS/SSL handshake failed for call from 138.42.177.173:48592
[1] 20141031.114656.439 WARN : TLS/SSL handshake failed for call from 138.42.177.173:49630
[9] 20141031.114757.537 WARN : TLS/SSL handshake failed for call from 138.42.177.173:49632
[2] 20141031.114858.637 WARN : TLS/SSL handshake failed for call from 138.42.177.173:49634

NOTE: I did get feedback from a peer suggesting I should have done it the other way round, i.e. first get replication working and then enable SSL. However, since I invested time and energy in enabling SSL on all 3 DataDSAs, I would like to continue on the same path and see if it can be resolved. I would also like to state that I am using my own openssl CA to sign the server certificates. SSL connections to the individual DataDSAs using Jxexplorer are working fine. SSL connections from Policy Server / SmConsole are also working fine.

I think I am probably missing a step for the interworking of remote DataDSAs over SSL; however, if someone could say whether these ideas are correct, or suggest the steps forward, it would be helpful.

A. Currently I have, in the ssld folder on each server, the respective certificates only. Do I need to add the other server/DataDSA server certificates too? If so, where should I add them? In trusted.pem or elsewhere?

B. Anything else?

Regards

Hubert
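
The "Verify error 20" in the kstore log is OpenSSL's "unable to get local issuer certificate" result: the client could not find the certificate that signed the peer's server certificate in its trust store. The script below is an added example, not code from the post or from CA Directory: it builds a throwaway private CA and a server certificate (all names constructed), reproduces error 20 against a trust file that holds only an unrelated certificate, and shows the check passing once the issuing CA certificate is appended. It assumes the openssl CLI; which trust file CA Directory actually reads is a matter for its documentation, not something this example shows.

```shell
#!/bin/sh
# Added example (constructed PKI, not the poster's files): reproduce OpenSSL
# verify error 20 and show that the fix is trusting the issuing CA cert.
set -e

# Build a throwaway private CA and one DSA server cert signed by it.
# Stand-in for the poster's own openssl CA; all names are made up.
make_pki() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=kstore2.lab" \
    -keyout "$dir/kstore2.key" -out "$dir/kstore2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/kstore2.csr" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 30 \
    -out "$dir/kstore2.pem" >/dev/null 2>&1
  # An unrelated self-signed cert: models a trust file that holds
  # "the respective certificates" but not the CA that signed the peers.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated" \
    -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
}

# Verify a peer cert against a trust file the way an SSL client does.
# Prints 0 when the chain verifies, 20 for "unable to get local issuer
# certificate" (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), 1 otherwise.
verify_against() {
  trust=$1; cert=$2
  out=$(openssl verify -CAfile "$trust" "$cert" 2>&1 || true)
  case "$out" in
    *"error 20 "*) echo 20 ;;
    *": OK")       echo 0 ;;
    *)             echo 1 ;;
  esac
}

# Walk through the poster's situation: a trust file without the CA fails
# with error 20; appending ca.pem (not the peer's server cert) fixes it.
demo() {
  dir=$(mktemp -d)
  make_pki "$dir"
  cp "$dir/other.pem" "$dir/trusted.pem"
  before=$(verify_against "$dir/trusted.pem" "$dir/kstore2.pem")
  cat "$dir/ca.pem" >> "$dir/trusted.pem"
  after=$(verify_against "$dir/trusted.pem" "$dir/kstore2.pem")
  rm -rf "$dir"
  echo "$before $after"
}
```

Running `demo` prints `20 0`: the same verify result the WARNING log shows, followed by success once the signing CA is trusted. The same `openssl verify -CAfile` check, run on each DSA host against the peers' server certificates, tells you whether that host's trust file is complete before you touch the replication configuration.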
