SUSE Manager/Proxy to internet

From MicroFocusInternationalWiki

Using a proxy with certificates to access the internet

Some proxies need certificates to access the internet. Often these certificates are issued by the company's own CA, which SUSE Manager does not trust by default. This causes problems when SUSE Manager accesses *.suse.com or *.novell.com. To solve this issue, use the following procedure:

  • copy the root and, if needed, intermediate CA certificates to /tmp
  • copy the files to /etc/ssl/certs and change the extension to .pem
 # cp /tmp/<filename_of_root_CA>.cer /etc/ssl/certs/<filename_of_root_CA>.pem
 # cp /tmp/<filename_of_intermediate_CA>.cer  /etc/ssl/certs/<filename_of_intermediate_CA>.pem
  • update the information for the SSL certs:
 # c_rehash /etc/ssl/certs
  • Import the certificates in the java keystore:
 # keytool -import -alias root -file /tmp/<filename_of_root_CA>.cer -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
 # keytool -import -alias intermediate -file /tmp/<filename_of_intermediate_CA>.cer -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
  • the last step is to restart spacewalk:
 # spacewalk-service restart
  • to check that everything works, run the following commands and confirm that they return results:
 # mgr-sync refresh
 # wget http://updates.suse.com   (there should be a 404 error)
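
A pre-flight check for the copy step above, as an added example that is not part of the original page: renaming a DER-encoded .cer file to .pem does not convert it, and c_rehash only links files that really are PEM, so this detects the encoding, converts where needed and rejects anything that is not a CA certificate. The function names are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the original page): install a CA certificate as
# real PEM, whatever encoding the .cer file has. Function names are
# illustrative assumptions.

# Print "pem" if the file carries a PEM certificate header, else "der".
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo der
    fi
}

# Copy (PEM) or convert (DER) $1 to $2/<name>.pem and print that path.
# Files that do not parse, or are not CA certificates, are rejected.
install_ca_pem() {
    src=$1
    dst="$2/$(basename "${src%.*}").pem"
    tmp="$dst.tmp.$$"
    ok=yes
    case $(cert_encoding "$src") in
        pem) cp "$src" "$tmp" || ok=no ;;
        der) openssl x509 -inform der -in "$src" -out "$tmp" 2>/dev/null || ok=no ;;
    esac
    # basicConstraints must mark the certificate as a CA
    if [ "$ok" = yes ] &&
       openssl x509 -in "$tmp" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        # Show what is about to be trusted, to compare with the
        # fingerprint published by the CA's owner
        openssl x509 -in "$tmp" -noout -subject -fingerprint -sha256 >&2
        mv "$tmp" "$dst" && echo "$dst"
        return
    fi
    rm -f "$tmp"
    echo "rejected: $src is not a parseable CA certificate" >&2
    return 1
}

# Usage, followed by the page's c_rehash step:
#   install_ca_pem /tmp/<filename_of_root_CA>.cer /etc/ssl/certs
#   c_rehash /etc/ssl/certs
```

The same PEM file can be passed to the keytool import step, since keytool reads both PEM and DER encoded certificates.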


When the certificates cause the problems described above, the following error messages may appear:

  • /var/log/tomcat6/catalina.out
2015-04-28 09:31:00,886 [TP-Processor6] INFO  org.directwebremoting.log.accessLog - Method execution failed:
com.redhat.rhn.frontend.action.satellite.SCCConfigAction$SCCConfigException: com.suse.scc.client.SCCClientException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

or

2015-01-08 17:07:20,240 [TP-Processor6] ERROR com.redhat.rhn.manager.setup.SCCMirrorCredentialsManager - Error getting subscriptions for 6419084, javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: 
  • wget will show the following:
 # wget http://updates.suse.com
 --2015-04-28 11:12:23--  http://updates.suse.com/
 Resolving xxxxxxxxxxxxxx... yyy.yyy.yyy.yyy
 Connecting to XXXXXXXXXXXXXX|yyy.yyy.yyy.yyy|:8080... connected.
 Proxy request sent, awaiting response... 301 Moved Permanently
 Location: https://updates.suse.com// [following]
 --2015-04-28 11:12:23--  https://updates.suse.com//
 Connecting to XXXXXXXXXXXXXX|yyy.yyy.yyy.yyy|:8080... connected.
 ERROR: cannot verify updates.suse.com's certificate, issued by `/C=XX/O=XXXXXX/CN=XXXXXXXXXXXXXXX':
 Unable to locally verify the issuer's authority.
 To connect to updates.suse.com insecurely, use `--no-check-certificate'.
 Unable to establish SSL connection.