Using Fiddler to diagnose interactions with our HTCC GWS, I can request the version, but not Tenant Environment:
GET http://htcc.unimax.local:8090/api/v2/diagnostics/version HTTP/1.1
Authorization: Basic c25hZG1pbjpVbmltYXgxNjI=
Host: htcc.unimax.local:8090
Content-Type: application/json
Content-Length: 0
HTTP/1.1 200 OK
Date: Fri, 26 Feb 2021 15:46:02 GMT
Set-Cookie: JSESSIONID=ZB8cvdJPz6yO32uDr0vMIQ1hxvnfpncfnp0w3yd3ms8klbr.ZB8cvdJPz6yO32uDr0vMIQ;Path=/;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
27
{"statusCode":0,"version":"8.5.202.27"}
0
GET https://htcc.unimax.local:443/api/v2/platform/configuration/tenants?dbid=1 HTTP/1.1
Authorization: Basic c25hZG1pbjpVbmltYXgxNjI=
Host: htcc.unimax.local:443
Content-Type: application/json
Content-Length: 0
HTTP/1.1 502 Fiddler - Connection Failed
Date: Fri, 26 Feb 2021 16:09:03 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Cache-Control: no-cache, must-revalidate
Timestamp: 10:09:03.392
[Fiddler] The connection to 'htcc.unimax.local' failed. System.Security.SecurityException Failed to negotiate HTTPS connection with server.fiddler.network.https> HTTPS handshake to htcc.unimax.local (for #1402) failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.
I have attempted to configure the keystore/certs correctly.
The logs don't indicate any issues with them.
I did see an issue using your suggestion of running gws from the command line with one of the logfile parameters that appears to be resolved.
Here are my current application.yaml settings and the output of keytool -list (note I have obfuscated the password and email).
Does this look reasonable? We still can't seem to get gws to respond to an HTTPS request. It does respond to the version request (over HTTP).
jetty:
  host: 0.0.0.0
  port: 8090
  idleTimeout: 30000
  soLingerTime: -1
  sessionMaxInactiveInterval: 1800
  enableWorkerName: true
  enableRequestLog: true
  requestLog:
    filename: yyyy_mm_dd.request.log
    filenameDateFormat: yyyy_MM_dd
    logTimeZone: GMT
    retainDays: 90
    append: true
    extended: true
    logCookies: true
    logLatency: true
    preferProxiedForAddress: true
  enableSsl: true
  cookies:
    httpOnly: true
    secure: true
    #sameSite: None
  ssl:
    port: 443
    securePort: 8443
    idleTimeout: 30000
    soLingerTime: -1
    keyStorePath: /opt/genesys/gws/ssl/gws.jks
    keyStorePassword: ********
    #keyManagerPassord: None
    #keyStoreProvider: None
    keyStoreType: JKS
    #trustStorePath: None
    #trustStorePassword: None
    #trustStoreProvider: None
    #trustStoreType: JKS
    needClientAuth: false
    wantClientAuth: false
    #certAlias: None
    validateCerts: false
    trustAll: true
    renegotionationAllowed: true
    #excludeCiphterSuites: None
    #includeCiphterSuites: None
    #endpointIdentificationAlgorithm: HTTPS
    #includeProtocols: None
    #excludeProtocols: None
    enableHsts: false
    enableNonSecureToSecureRedirect: false
--------------------------------------------
keytool -list
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: gws
Creation date: Feb 2, 2021
Entry type: trustedCertEntry
Owner: EMAILADDRESS=email@unimax.com, CN=htcc.unimax.local, OU=IT, O=Unimax, L=Minneapolis, ST=Minnesota, C=US
Issuer: EMAILADDRESS=email@unimax.com, CN=htcc.unimax.local, OU=IT, O=Unimax, L=Minneapolis, ST=Minnesota, C=US
Serial number: c94e58de830976cb
Valid from: Tue Feb 02 21:26:02 UTC 2021 until: Fri Jan 31 21:26:02 UTC 2031
Certificate fingerprints:
MD5: 33:CE:AE:C4:5E:59:33:73:E3:74:86:48:0D:6F:99:F4
SHA1: C1:04:D1:85:96:82:56:55:BC:6E:5B:7C:C0:01:BB:E9:53:B4:A7:33
SHA256: 84:5A:30:A1:B1:43:6B:2A:81:55:98:6A:B4:5E:77:D1:EA:4E:83:26:DA:1B:28:96:F1:09:67:68:2B:1C:9E:1A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4D CE 83 76 AA 89 B3 C5 47 CC 6C A1 3C C8 C8 9C M..v....G.l.<...
0010: DD FA 5E B7 ..^.
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4D CE 83 76 AA 89 B3 C5 47 CC 6C A1 3C C8 C8 9C M..v....G.l.<...
0010: DD FA 5E B7 ..^.
]
]
------------------------------
Ricky Chaddock
Unimax Systems
------------------------------
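One check worth running on a keystore handed to jetty.ssl.keyStorePath: a Jetty TLS connector needs a PrivateKeyEntry (certificate plus private key), while a trustedCertEntry, the type shown in the listing above, carries only a certificate. This added example (mine, not from the thread or the GWS product) parses `keytool -list -v` output and reports which aliases, if any, can serve TLS; both listings are constructed samples.

```python
import re

# Constructed samples: one modelled on the trust-only listing posted above,
# one hypothetical keystore that also holds a usable key pair.
TRUST_ONLY_LISTING = """\
Keystore type: jks
Your keystore contains 1 entry

Alias name: gws
Entry type: trustedCertEntry
Owner: CN=htcc.unimax.local, OU=IT, O=Unimax
"""

KEYPAIR_LISTING = """\
Keystore type: jks
Your keystore contains 2 entries

Alias name: gws
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=htcc.unimax.local, OU=IT, O=Unimax

Alias name: corp-root
Entry type: trustedCertEntry
Owner: CN=Corp Root CA
"""

def parse_keytool_list(text: str) -> list[tuple[str, str]]:
    """Return (alias, entry type) pairs from `keytool -list -v` output."""
    entries = []
    # Each entry starts at an "Alias name:" line; the header block has none.
    for block in re.split(r"\n(?=Alias name: )", text):
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        etype = re.search(r"^Entry type: (.+)$", block, re.M)
        if alias and etype:
            entries.append((alias.group(1).strip(), etype.group(1).strip()))
    return entries

def tls_key_aliases(text: str) -> list[str]:
    """Aliases usable by a TLS listener: only PrivateKeyEntry holds a private key."""
    return [a for a, t in parse_keytool_list(text) if t == "PrivateKeyEntry"]

def check_keystore(text: str) -> str:
    """Verdict for a keystore configured as the server keystore."""
    keys = tls_key_aliases(text)
    if not keys:
        return "NO_PRIVATE_KEY: trustedCertEntry only; connector cannot terminate TLS"
    return "OK: key alias(es) " + ", ".join(keys)

if __name__ == "__main__":
    print(check_keystore(TRUST_ONLY_LISTING))
    print(check_keystore(KEYPAIR_LISTING))
```

Run it against real output with `keytool -list -v -keystore gws.jks | python3 -c 'import sys, check; print(check.check_keystore(sys.stdin.read()))'` after saving the block as check.py.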
Original Message:
Sent: 02-25-2021 18:05
From: Jason McLennan
Subject: Configuring TLS between Web Services and Configuration Server with Minimal configuration
Have you configured your keystore/certs correctly? What are the logs showing? I can sometimes find it useful to actually run these from the command line so you can see stdout as well and see a little more of what is happening in real time.
------------------------------
Jason McLennan
Commonwealth Bank of Australia
Original Message:
Sent: 02-25-2021 13:09
From: Ricky Chaddock
Subject: Configuring TLS between Web Services and Configuration Server with Minimal configuration
You were correct, Jason. Thank you very much for commenting.
I've been spending some time trying to find a viable set of configuration settings that will result in gws responding to an HTTPS ReST request.
One thing I've learned is that it appears to take about 50 seconds after a restart before gws will even respond to a version request.
So far, I've not found a usable set of jetty section ssl settings when enableSsl: true.
Everything I've tried causes the gws process to die after about 50 seconds.
If I change enableSsl back to false, it stays up and responds to http requests.
I can find no combination of enableSsl: true settings that will not result in the gws process dying.
------------------------------
Ricky Chaddock
Unimax Systems
Original Message:
Sent: 02-24-2021 17:10
From: Jason McLennan
Subject: Configuring TLS between Web Services and Configuration Server with Minimal configuration
Hi Ricky,
Despite the title of your post, it seems like you're actually interested in enabling HTTPS SSL/TLS for the GWS app itself, as opposed to encrypting the connection between GWS and Config Server? Apologies if I'm misreading.
If it is indeed to expose GWS outwards via HTTPS, then I believe you need to configure the values in the Jetty section as per this documentation.
------------------------------
Jason McLennan
Commonwealth Bank of Australia
Original Message:
Sent: 02-24-2021 09:03
From: Ricky Chaddock
Subject: Configuring TLS between Web Services and Configuration Server with Minimal configuration
We are using GWS version 8.5.202.27.
I can successfully interact with GWS ReST API using http on port 8090.
We need to also make requests using HTTPS.
I have attempted to follow the Genesys documentation to update /opt/genesys/gws/config/application.yaml
tlsEnabled: true
Restarting gws using command
sudo systemctl restart gws
appears to work.
But, GWS will not respond to HTTPS ReST requests.
We are not using Cassandra. We only want to use the GWS ReST API.
Are there other settings that must be reconfigured from the defaults?
#PlatformAdministration
#Security
#SystemAdministration
------------------------------
Ricky Chaddock
Unimax Systems
------------------------------