Having problems configuring the attachment servlet (SSL) where the F5 IP is a DNS entry.
My SSL cert houses the following name 'support.company.com'
My SDM URL via DNS is 'https://support.company.com', which looks like this 'https://support.company.com/CAisd/pdmweb.exe' when I hit the SDM logon screen. I am able to log in but not do attachments.
My servlet is 'https://server.company.com:443/CAisd/UploadServlet'. I changed the servlet to reflect the DNS entry 'support' to look like this: 'https://support.company.com:443/CAisd/UploadServlet'
... BUT it still fails. Any advice?
In this configuration (advanced Availability), F5 is being used as load balancer for 2 x Application Servers, configuring Tomcat, DNS entries and what DNS entries to put in the SSL certs to make this configuration work
F5 is configured with its own IP address which is published to the internet and is also used for internal LAN linked to DNS entry.
The SSL certs must comply with Governance, Risk & Security, which only allows SSL certs to show DNS naming for servers (example: https://support.company.com)
You need to create an additional SSL cert for configuring on all your servers. This cert needs 2 additional entries for upload servlets (background & standby servers), and these additional entries need to be created in DNS as well.
You don't have to create an additional cert, if you want to add the upload servlet entries in your F5 cert you can and then configure that cert on your servers as well, bearing in mind that the upload servlet DNS names will be visible when the cert is being viewed on the internet.
In this example we created an additional cert as follows:
Make sure all of these are DNS entries pointing to the correct servers / IP addresses (e.g. backgroundattach.company.com - DNS points to BackGround Server IP).
Configuring tomcat is per normal as per documentation
When configuring the attachments servlets for background and standby servers you use these DNS entries as follows
Tested with failover and is working
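The check behind the fix described above, as an added example that is not part of the original post: every host used in an Upload Servlet URL must appear among the DNS names in the certificate Tomcat presents. The sample names are constructed from the thread; `standbyattach.company.com` and the function names are assumptions.

```python
from urllib.parse import urlsplit


def host_matches(cert_name, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == cert_name[2:]
    return False


def uncovered_servlets(cert_dns_names, servlet_urls):
    """Return {server role: host} for each Upload Servlet URL the cert cannot serve."""
    problems = {}
    for role, url in servlet_urls.items():
        parts = urlsplit(url)
        host = parts.hostname or ""
        covered = any(host_matches(name, host) for name in cert_dns_names)
        # A plain-http servlet URL is flagged too: the browser would leave TLS.
        if parts.scheme != "https" or not covered:
            problems[role] = host
    return problems


# Constructed sample data modelled on the thread; standbyattach.company.com is
# an assumed name (the post only names backgroundattach.company.com).
F5_CERT = ["support.company.com"]
ATTACH_CERT = F5_CERT + ["backgroundattach.company.com", "standbyattach.company.com"]

SERVER_NAME_URLS = {
    "background": "https://server.company.com:443/CAisd/UploadServlet",
}
DNS_ALIAS_URLS = {
    "background": "https://backgroundattach.company.com:443/CAisd/UploadServlet",
    "standby": "https://standbyattach.company.com:443/CAisd/UploadServlet",
}

if __name__ == "__main__":
    print("F5 cert, server-name URL:", uncovered_servlets(F5_CERT, SERVER_NAME_URLS))
    print("attach cert, alias URLs: ", uncovered_servlets(ATTACH_CERT, DNS_ALIAS_URLS))
```

An empty result only rules out a certificate name mismatch; each DNS name must still resolve to the intended server.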
UploadServlet is hosted on SDM tomcat engine and not your web server (I am guessing you have Apache or IIS for 80/443)
Tomcat default port is 8080.
https://server.company.com:8443/CAisd/UploadServlet is a more appropriate one, assuming such redirection does exist for you.
Yes, I agree tomcat runs in SDM and is the reason why I removed port 443 from IIS and allocated it to tomcat
Attachments with URL https://<server_name>.<company.com>/CAisd/pdmweb.exe work and I can attach
... but when using DNS entry where URL is https://<DNS>.<company.com>/CAisd/pdmweb.exe it fails.
The business does not want to show server_name in URL on the internet.
Hence me asking what the config should look like in the server servlet for attachments. I currently have https://support.company.com:443/CAisd/UploadServlet but attachments fail.
Browser console might give some clues on this. Maybe you're getting denial because of a Cert mismatch error or because of Cross Origin filtering (CORS) not enabled properly.
Which release/patch level of SDM is this?
A couple questions:
1. Are you seeing the problem across different browsers (does it work in IE but not Chrome?)
2. Does any specific error show up if you use the F12 console in the browser where this is seen?
F12 console shows no script errors and fails in both IE and chrome browsers
My setup is 14.1 with latest patch level, advanced availability with 2 x App servers, 1 x Standby & 1 x Background server.
I don't think it is browser related because attachments work fine when servlet upload url is https://<server>.company.com:443/CAisd/UploadServlet
Attachments fail when servlet upload url is changed to https://<DNS>.company.com:443/CAisd/UploadServlet
stdlog shows nothing even when logstat is increased
It would seem the reason is my cert only has DNS name and when attachments want to attach to background server (which is not in the cert) it fails.
So, how to configure servlet to accommodate cert?
Are you using Advanced Availability setup?
If so, is your Repository's Servlet Server property (look at the detail screen of the repository) set to Background? That might be one way in which your request ends up against the BG server.
Check that BG server's details screen (Administration -> System -> servers) and see what the Upload Servlet URL is there. Is it coded to use https://BGServer/CAisd/UploadServlet OR is it using https://FQDN/CAisd/UploadServlet?
Setup is Advanced Availability, the background server (Administration -> System -> servers) is configured as follows ...
Some context ...
I have F5 ip configured to DNS entry (https://<company.com>) that load balances my 2 x Application servers
So when logging on to SDM, my URL is displayed as https://company.com/CAisd/pdmweb.exe
My SSL cert only shows approved servers as https://<company.com>
So ... when doing an attachment to the background server, which is configured as https://<server_name>.<company.com(FQDN)>:443/CAisd/UploadServlet in Administration -> System -> servers, the <server_name> per servlet is NOT defined within the SSL cert (which is why I think my attachments fail)
My thoughts at this point in time are ...
From some research I have done it would seem that tomcat somehow needs to be configured (server.xml) to indicate the DNS entry of the SSL cert that also points to the background server, and possibly in conjunction with the hosts file at C:\windows\system32\drivers\etc
Why all of this ...
Governance, Risk & Security will not allow the display of server name within SSL cert. (only https://company.com)
I actually find it strange that nobody else has had this request and setup done already.
Are you able to test changing the BG server's servlet URL to
https://f5alias/CAisd/UploadServlet and see if that helps?
Your SDM tomcat's nxroot/bopcfg/www/CATALINA_BASE/Conf/server.xml should be referencing a keystore. What cert does that keystore have? Server name.company or the f5 alias one?
I think you need the latter one here
Yes, I tested the following servlet setup
The keystore has the f5 alias cert.
Maybe I need to include the following
Testing this setup via Chrome, it works ... but due to the server_name of the servlet (per configuration), the attachment is done without SSL ... Chrome indicates https is no longer valid ... but seemingly Chrome is allowing this and is happy to attach.
Testing this setup via IE, it fails
My company standard browser is IE, and within IE the attachments fail, which leads me to kind of conclude that IE fails the attachment due to the SSL cert.
Testing this setup via chrome and IE, it fails
How would tomcat as the back-end communicator know where and what the background server is when the servlet is configured as the f5alias?
Does tomcat as the back-end communication for SDM first look at DNS entries to know what the address is of the background server?
That is why I think additional setting / config needs to be done for tomcat as the SDM back-end communication to know where / what the background server name / ip is for when you configure servlet as f5_alias