Hi team,
Thank your very much for your useful suggestions.
We have followed the steps to make the secure ports.
And we have done secure ports for message_server,Solution_Control_Server and GAX_Server.
And we tried to do the configuration manager with the auto detect port. But after we keep configuration manager has auto detect port, The gax is not opening.(It displays not able to connect to the configuration manager).
Can you please suggest how to
create auto detect port in configuration manager .And what we need to give for Port_ID and port_Number.
And in Local Control Agent application, How can we give enable for TCP/IP configuration option.
And for encrypting keystore password. We have tried the steps with the conf.bak file, The password were not get encrypted.
In
Configuration server Log,
We can able to find the following message cannot able to connect to message server error.
And one doubt regarding version of Configuration manager, We are using 8.5 version.
Whether we need enable the token method.
Looking forward your helpful suggestions.
Thanks&Regards,
Anandapriyan.R
------------------------------
Anandapriyan Ravichandran
Pointel (formerly Touch Point)
------------------------------
Original Message:
Sent: 03-20-2019 17:32
From: Jason Mclennan
Subject: GAX has run into 0 errrors. Please check gax logs
For Step 3.2, you should of course change the destkeystore, srckeystore, srcalias to the values relevant for your environment. Replace the <> components below. You should be prompted for both the source and destination passwords.
keytool -importkeystore -destkeystore <fullpath to destination keystore> –srckeystore "<name of pfx for GAX you exported>" -deststoretype JKS -srcstoretype pkcs12 -srcalias <name of alias discovered in 3.1> -destalias gax
Please make sure that the thumbprint on the GAX Application Network Security matches this above certificate you've just imported/exported and that the same cert is imported to the user that GAX is running as in the windows keystore.
For steps 5 and 6, the password to your keystore is not encrypted/obfuscated.
I found the documentation on obfustacting the password for jetty to be quite straight forward, but I've tried to restate it below:
- Rename gax.properties gax.properties.bak
- Move the webapp and plug-ins folder to a temporary location
- Start gax locally using gax_startup.bat and browse to http://localhost:8080/gax and login as root
- Go to http://localhost:8080/gax/api/system/setkeystorepassword?password={password} replacing {password} with your keystore password
- Kill the console window running gax_startup.bat
- There'll be a new gax.properties file in the conf folder. Open it and copy the keystore_password=***/SGo*********moXg\=\= line in to your gax.properties.bak
- Rename:
- gax.properties to gax.propoerties.new
- gax.properties.bak to gax.properties
- Move your webapps and plug-ins folder back if you moved them
- Start GAX
If your having issues still:
- Try starting gax interactively using gax_startup.bat so you can see the console output. Ideally do this as the user that runs GAX normally. The console output can move rather quickly, so it might be beneficial to redirect to output to a text file so you can review more easily:
- gax_startup.bat > startup_console.txt
- Check the config server logs and see what it might be complaining about
Regards,
Jason
------------------------------
Jason Mclennan
Commonwealth Bank of Australia
Original Message:
Sent: 03-19-2019 09:05
From: Anandapriyan Ravichandran
Subject: GAX has run into 0 errrors. Please check gax logs
Thanks Team,
For Very useful reply. I have tried the steps and i have some concerns regarding the following below.
When we keep configuration manager in the auto-detect port, GAX application not opening and displays message as cannot connect to configuration_manager.
- I have keep message_server and solution_Control_server and GAX_Server in secured ports.But the GAX is not get loading.
- For the step-3, Inside it for option number 2, The command is showing error. Please suggest your ideas.
- keytool -importkeystore -destkeystore trusted.keystore –srckeystore "lgcca1usr1ajava.pfx" -deststoretype JKS -srcstoretype pkcs12 -srcalias te-genesysjavacomputer-030ab801-1aea-4ab3-b822-ff10e3572dde -destalias gax
For to encrypt the password, We need to configure in jetty. So i found the jetty installation file under Genesys web engagementserver and inside server, We have jettly.ssl.xml. But i am not able to find the new configuration file. Can we give our new configuration by adding the configuration details to encrypt the keystore password.
- By default there is the encrypted keystore password in the jetty.ssl.xml file. Can we use it.
Thanks all for great help to completing this setup. Looking forward to achieve the success in setting up HTTPS in the GAX application for Windows.
Please give your valuable suggestions.
------------------------------
Anandapriyan Ravichandran
Pointel (formerly Touch Point)
Original Message:
Sent: 03-14-2019 03:42
From: Jason Mclennan
Subject: GAX has run into 0 errrors. Please check gax logs
I've recently just got through a test setup of GAX with HTTPS to users and mutual-TLS to the server applications. I did find the documentation a little confusing in parts (maybe even incorrect at certain points like referring to an autoupgrade port for SCS), so made a few notes at the time (as I was doing it in our lab only). I think this covers a lot already discussed, and I never hit your specific issue, but it may help. (also note, this was GAX 9)
If you want to skip step 2, you can add –Dgax.configserver.validate.cert=off to JAVA_OPTS, although I havent tested that, but it was in TechTutorial 117 that aired last week.
- For GAX to detect that mutual-tls is required to Config, SCS and Message Server, then the secure port defined on each of the server applications must contain ;tls-mutual=1 in the transport parameters. It'll not pick it up from just defining it on the host object.
- The trust store requires the CER for Config Servers, SCS and Message Server hosts as well as the CA Root. GAX can only use a single truststore for TLS connects to servers and HTTPS.
- keytool -import -alias <alias> -keystore <trustedkeystore file> -file "<cer to import>" e.g. keytool -import -alias labapp1b -keystore base_trusted.keystore -file lab1app1b.cer
- The trust store also requires the GAX host with private key imported as alias gax. Request a new Cert if private key export is not allowed.Export Cert with Private Key as PKCS12
- Run keytool -v -list -storetype pkcs12 -keystore <cert>.pfx to determine the alias of the cert
- Import the GAX host to the same keystore as above, saving the cert with the alias of GAX:
- keytool -importkeystore -destkeystore trusted.keystore –srckeystore "lgcca1usr1ajava.pfx" -deststoretype JKS -srcstoretype pkcs12 -srcalias te-genesysjavacomputer-030ab801-1aea-4ab3-b822-ff10e3572dde -destalias gax
- In the GAX Application configuration within framework, set the Network Security to Application and add the CER details (fingerprint) you just imported for the GAX application. It does not seem able to pick it up off the host object.
- Update [JavaArgs] in JavaServerStarter.ini on GAX host:
-Djavax.net.ssl.trustStore="<path to trust store>"
-Djavax.net.ssl.trustStorePassword=<password>
- Update the Java options for the truststore in gax_startup.bat
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="<path to keystore>"
set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=<password>
- You also need to import the local gax server certificate exported above in to the Windows Certificate Store of the user that the GAX application is running as. If this is using the local system account:
- Download pstools from Microsoft
- To import it to SYSTEM run psexec.exe –i –s mmc.exe
- Add the Certificate Snap In for the Current User (System)
- Import the previously imported gax certificate to Personal Certificates
- In .\conf\gax.properties update the following:
set port= and backupport= to the Config Server auto-upgrade port
mf_tls_mutual=true
GAX HTTPS
The GAX Host Cert can be used for HTTPS enabling GAX as well, as it has been aliased as gax
Follow the Genesys documentation to obfuscate the keystore password and the update .\conf\gax.properties with the following details
keystore_password=<obfuscate passwrd>
keystore_path=F:\\local_data\\gax\\keystore\\trusted.keystore
supported_protocol=https
------------------------------
Jason Mclennan
Commonwealth Bank of Australia
Original Message:
Sent: 03-13-2019 09:24
From: Anandapriyan Ravichandran
Subject: GAX has run into 0 errrors. Please check gax logs
Hi team,
I have found one update in the GAX log. That is i have found the password. Username as default and password is F5FC4C06A701AF65
Whether it is the encrypted password. Should we want to use, to connect to the configuration server.
Please looking forward for your Helpful suggestions.
I think when we use HTTPS connection, it is not connecting to the configuration server. Since no tenant available. Can we want to change any configuration options.
If this is the encrypted password, can we continue by using as the keystore password and continue further in the gax conf_properties file.
Please suggest your ideas.
Thanks,
Anandapriyan.R
------------------------------
Anandapriyan Ravichandran
Pointel (formerly Touch Point)
Original Message:
Sent: 03-12-2019 09:43
From: Anandapriyan Ravichandran
Subject: GAX has run into 0 errrors. Please check gax logs
Hi Team,
I have given the keystore password in the command while creating the keystore file.
And now i found one document, since not connecting the configuration manager in HTTPS.
In the Genesys administration extension deployment guide: Under Secure Communication with Configuration Server section
Starting in Genesys Administrator Extension (GAX) 8.5.25, GAX can connect to Configuration Server using a token to ensure secure communication, instead of a password, as is the case with single sign-on (SSO) deployments. This means that for connections associated with user accounts, GAX can use short-lived encrypted tokens instead of actual passwords to authenticate the connection request.
If the token is expired, the expired connection request is rejected.
If the token is not expired, and the username is valid, the request is accepted and GAX connects to the Configuration Server.
And we need to do changes in the Configuration server and gax server. Is this correct for our steps?
------------------------------
Anandapriyan Ravichandran
Pointel (formerly Touch Point)
Original Message:
Sent: 03-12-2019 07:20
From: Anandapriyan Ravichandran
Subject: GAX has run into 0 errrors. Please check gax logs
Hi Team,
Thanks for the reply. I have tried. Same errors occurs. As you say step number 4 is not working in power shell. Can you please tell how to encrypt the key store password. Now the gax and pulse application opens, But same errors occurs in the HTTPS connection.
But step number 4 not working .It throws errors
Looking forward for your suggestions.
------------------------------
Anandapriyan Ravichandran
Pointel (formerly Touch Point)
Original Message:
Sent: 03-12-2019 04:56
From: Karthik Eswaran
Subject: GAX has run into 0 errrors. Please check gax logs
Hi Anandapriyan,
Kindly follow only the steps from this specific sub section [+] Set up HTTPS for use with GAX
From the given configuration details we could notice the step 4 which helps you to encrypt the keystore password has not been performed, Passwords in plain text without encryption will not work with GAX. Please make sure keystore_password is encrypted with the given steps.
------------------------------
Karthik Eswaran
Original Message:
Sent: 03-12-2019 04:15
From: Anandapriyan Ravichandran
Subject: GAX has run into 0 errrors. Please check gax logs
Hi Team,
Thanks for your reply.
1. Yes. I will mentioned below the details of version.
GAX --> Version(8.5.2 - 8.5.260.12)
Pulse --> Version(8.5.108.02)
Configuration Manager --> 8.5.101.20
2.Yes. The GAX and Pulse application works fine without HTTPS. But in the HTTPS, GAX and Pulse application its not working. It throws error message. I will attach the screenshot of GAX and pulse application.
3. Yes. I have mentioned all the details in the GAX properties file. And i have described below.
http_port=8040
supported_protocol=https
https_port=8443
keystore_path=C:\Users\Administrator\keystore
keystore_password=password
enable_hsts=true
And i have followed the above document upto setting up HTTPS connections, And i have not done auto detect port using
Psexec command.
Now i will continue all other steps mentioned in the document.
Looking forward for your valuable suggestions.
------------------------------
Anandapriyan Ravichandran
Pointel (formerly Touch Point)
Original Message:
Sent: 03-11-2019 12:00
From: Karthik Eswaran
Subject: GAX has run into 0 errrors. Please check gax logs
Hi Anandapriyan,
Kindly share the below details and the screenshot of your exact error
1. Specific version detail of GAX and Pulse being used ?
2. Does GAX & Pulse works as usual in HTTP mode with all the features ?
3. Have you configured the keystore path, encrypted keystore_password, https_port, supported_protocol in gax.properties ?
Please do confirm if the steps from the below are followed as expected.
https://docs.genesys.com/Documentation/GA/latest/Dep/Security
[+] Set up HTTPS for use with GAX
------------------------------
Karthik Eswaran
Original Message:
Sent: 03-11-2019 09:04
From: Anandapriyan Ravichandran
Subject: GAX has run into 0 errrors. Please check gax logs
Hi Team,
Thanks for your valuable suggestions, Sure I will check now and update the information.
Thanks,
Anandapriyan.R
------------------------------
Anandapriyan Ravichandran
Pointel (formerly Touch Point)
Original Message:
Sent: 03-11-2019 08:49
From: Ivan Ullmann
Subject: GAX has run into 0 errrors. Please check gax logs
You should check in your logs to see if it is actually connecting appropriately to the configuration server. That connection should be defined in your garage file.
Is the certificate authority of your server certificate trusted by your workstation?
With pulse, it's probably looking for a connection to wherever your collector is dropping your output files. If you're running pulse 9.0+ it also has a pulse.properties file.
Original Message------
Hi Team,
1. Thanks for your reply. Yes. when we go inside the configuration tab in the gax application, the application throws the following error
(GAX has 0 Errors). And the page showing as getting loaded. But not still get loading.
(Yes, No Tenant connection(Environment) available in the HTTPS connection gax. But the Tenant connection(Environment) available in the gax without HTTPS .)
Please tell us valuable suggestions.
2. Yes after requested the certificate in the MMC. And export the certificate under user folder. Then we run the following command in the power shell.
keytool -import -alias mssql -keystore trusted.keystore -file "C:\Users\Administrator\demosrv.cer"
With the particular location of the certificate and certificate name. And it prompt us to trust the certificate.
We give us.
3. When we start all the servers and go the pulse application, It shows all values are active. But when we try to select the widget template management. It shows the following error.
Not connected to the server.
Thanks team, Looking forward your great suggestions.
------------------------------
Anandapriyan Ravichandran
Pointel (formerly Touch Point)
------------------------------