Yes, Siva. 
Both IHS & Tomcat keystores are added with correct CA certs.

Webserver Config:

Include "rewrites.conf"
SSLEnable
Include "cipher.conf"
Keyfile Key-File
# tomcat balancer and proxy section
ProxyRequests Off
SSLProxyEngine on

<Proxy balancer://app1>
    BalancerMember https://Tomcat1:https-port/app1 route=app1_01
    BalancerMember https://Tomcat2:https-port/app1 route=app1_02
</Proxy>
ProxyPassReverse /app1 balancer://app1
ProxyPass /app1 balancer://app1 stickysession=JSESSIONID|jsessionid


Tomcat SSL Connector:

  <Connector port="xxxx" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               maxHttpHeaderSize="111111"
               keystoreFile="keystore"
               keystorePass="xxxxxx" />

We haven’t specified the list of ciphers for Tomcat, and it’s set to TLS for the
SSL protocol.


Thank you,
Vamsi Gali
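
An added example, not part of the original messages: one check for the alert 40 (handshake_failure) in the quoted IHS log is whether the cipher suites IHS offers in its client_hello overlap with what the Tomcat JVM enables. The sample log lines and both backend lists are constructed placeholders; GSKit logs `tls_...` names while JSSE spells some of the same suites `SSL_...`, so names are normalised before comparing.

```python
import re

# Constructed sample in the shape of the IHS handshake transcript quoted in the thread.
SAMPLE_LOG = """\
[Thu Oct 05 09:20:20 2017] [debug] [client  192.0.2.10]  cipher_suites
[Thu Oct 05 09:20:20 2017] [debug] [client  192.0.2.10]  Length: 14
[Thu Oct 05 09:20:20 2017] [debug] [client  192.0.2.10] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
[Thu Oct 05 09:20:20 2017] [debug] [client  192.0.2.10]  compression_methods
"""

# Constructed placeholders: replace with the suites the Tomcat JVM really enables.
BACKEND_NO_OVERLAP = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]
BACKEND_WITH_RSA = BACKEND_NO_OVERLAP + [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",   # JSSE spelling of the 3DES suite
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

WEAK_MARKERS = ("RC4", "3DES", "MD5")


def canon(name):
    """Upper-case and drop the SSL_/TLS_ prefix so GSKit and JSSE names compare equal."""
    return re.sub(r"^(SSL|TLS)_", "", name.strip().upper())


def offered_suites(log_text):
    """Suites listed in the client_hello, without the *_scsv signalling values."""
    suites = []
    for line in log_text.splitlines():
        payload = line.rsplit("]", 1)[-1].strip()
        if re.fullmatch(r"tls_[a-z0-9_]+(,tls_[a-z0-9_]+)*", payload):
            suites += [canon(s) for s in payload.split(",") if not s.endswith("_scsv")]
    return suites


def compare(log_text, backend_enabled):
    """Return the shared suites (client order) and the weak suites the client offers."""
    offered = offered_suites(log_text)
    backend = {canon(s) for s in backend_enabled}
    return {
        "common": [s for s in offered if s in backend],
        "weak_offered": [s for s in offered if any(m in s for m in WEAK_MARKERS)],
    }
```

An empty `common` list means the two ends cannot agree on a suite; a non-empty one means the cause lies elsewhere in the handshake.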


-----Original Message-----
From: shivashankar manukondu [mailto:sivasankar.m...@gmail.com] 
Sent: Wednesday, October 11, 2017 10:02 AM
To: Tomcat Users List
Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not establish SSL 
proxy connection

Hi,

Can you post the web and Tomcat servers' configuration files?

I hope you have added the CA root certificate to the backend truststore?

Regards,
Siva

On Wed, Oct 11, 2017 at 3:05 PM, Gali, Vamsi A < 
vamsi_a_g...@keybank.com.invalid> wrote:

> Igor,
>
> Thank you for the response!
>
> Since the request is failing at the SSL handshake, Tomcat doesn’t even
> record anything, not even the access log. I tried enabling debug at
> Tomcat but nothing is captured during the request initiation.
>
> Thank you,
> Vamsi Gali
>
> -----Original Message-----
> From: Igor Cicimov [mailto:icici...@gmail.com]
> Sent: Wednesday, October 11, 2017 4:09 AM
> To: Tomcat Users List
> Subject: Re: FW: [error] SSL0266E: Handshake Failed, Could not 
> establish SSL proxy connection
>
> On 11 Oct 2017 1:50 am, "Gali, Vamsi A" 
> <vamsi_a_g...@keybank.com.invalid>
> wrote:
>
> Hello,
>
> Any help is appreciated on this issue.
>
> Thank you,
> Vamsi Gali
>
>
> -----Original Message-----
> From: Gali, Vamsi A
> Sent: Thursday, October 05, 2017 12:03 PM
> To: 'Tomcat Users List'
> Subject: RE: [error] SSL0266E: Handshake Failed, Could not establish 
> SSL proxy connection
>
> Hello,
> I just realized that I didn’t provide the environment info & following 
> are the details:
>
> Tomcat:  apache-tomcat-7.0.75
> IHS: IHS v8.5.5.x
> OS: RHEL
>
> We have IHS→mod_proxy(on IHS) → Tomcat.
> I know that IHS isn’t the suggested webserver to use with Tomcat but 
> it’s in use.
> [error] SSL0266E: Handshake Failed, Could not establish SSL proxy 
> connection
>
> When Tomcat is accessed through webserver url, it throws ‘500’ with 
> the following stack on the IHS Error log:
>
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2313): proxy: HTTPS: fam 2 socket created to connect to TOMCAT2
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2419): proxy: HTTPS: connection complete to  TOMCAT-IP:PORT (TOMCAT2)
> [Thu Oct 00 09:20:20 2017] [error] SSL0266E: Handshake Failed, Could not establish SSL proxy connection.
> [Thu Oct 00 09:20:20 2017] [info] [client TOMCAT-IP] [7fa404014a60] [13789] SSL0240I: SSL Handshake Failed, Socket has been closed. Client sent fatal alert [level 2 (fatal), description 40 (handshake_failure)] [TOMCAT-IP:PORT -> IHS:PORT] [09:20:20.000967434] 0ms
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] [7fa404014a60] Handshake transcript:
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  <client_hello>
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  client_version
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_8Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    03
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  TLSV12
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  random
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_32Bits
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    9xxxxxx
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] gsksslDissector_Opaque
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    Length: 28
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    1x 62 xx B3 1F 44 xx 8E D2 xx x7 17 xx 59 x9 x9     .b...D...)...Y..
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]    x1 91 19 08 25 xx DC xx E1 xx 20 xx                 ....%..o.9 x
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  session_id
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  cipher_suites
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 14
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  0x Fx x6 00 00 xx 00 xx 00 xx 00 xx 00 xx           ..V..../.5....
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] tls_ri_scsv,tls_fallback_scsv,tls_rsa_with_rc4_128_sha,tls_rsa_with_aes_128_cbc_sha,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_3des_ede_cbc_sha,tls_rsa_with_rc4_128_md5
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] compression_methods
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 01
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  00                                 .
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Extensions
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]  Length: 00
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP]   Extension Count: 0
> [Thu Oct 00 09:20:20 2017] [debug] [client  TOMCAT-IP] end handshake transcript
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2442): proxy: HTTPS: pre_connection setup failed (500)
> [Thu Oct 00 09:20:20 2017] [debug] proxy_util.c(2022): proxy: HTTPS: has released connection for TOMCAT2
> ------------------------------------------------------------
> What’s done: IHS & Tomcat keystores contain required signers for 
> proper communication. During the troubleshooting, I even added IHS 
> server cert as a signer into Tomcat keystore and vice-versa but cannot 
> get rid of this error.
> Also, tried restricting both IHS & Tomcat to use TLSv1 but no success.
>
> Has anyone run into similar issues? Or ever tried Tomcat with IHS
> using the mod_proxy module?
>
>
> Thank you,
> Vamsi Gali
>
>
> Well, what does the Tomcat log say? You can add the Java debug SSL option to
> JAVA_OPTS in the default Tomcat config file; maybe it will give you a clue.
>



-- 

Regards
Siva
#068860592040
