SUSE Manager/Proxy to internet

From MicroFocusInternationalWiki
Revision as of 17:25, 28 April 2015 by Mbrookhuis

Using a proxy with certificates to internet

Some proxies need certificates to access the internet. Often these certificates are created on the company's own CA. This causes problems when SUSE Manager wants to access *.suse.com or *.novell.com. To solve this issue, use the following procedure:

- copy the root and, if needed, intermediate CA certificates to /tmp

- copy the files to /etc/ssl/certs and change the extension to .pem:

 # cp /tmp/<filename_of_root_CA>.cer /etc/ssl/certs/<filename_of_root_CA>.pem
 # cp /tmp/<filename_of_intermediate_CA>.cer  /etc/ssl/certs/<filename_of_intermediate_CA>.pem

- update the information for the SSL certs:

 # c_rehash /etc/ssl/certs

- Import the certificates in the java keystore:

 # keytool -import -alias root -file /tmp/<filename_of_root_CA>.cer -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
 # keytool -import -alias intermediate -file /tmp/<filename_of_intermediate_CA>.cer -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

- the last step is to restart spacewalk:

 # spacewalk-service restart

- to check that everything works, run the following commands and confirm that they return results:

 # mgr-sync refresh
 # wget http://updates.suse.com   (there should be a 404 error)
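
A pre-check for the copy step, as an added example that is not part of the original wiki page: c_rehash only links PEM-encoded files, so a DER-encoded .cer that is merely renamed to .pem is skipped. The function names cert_encoding and stage_ca_pem are hypothetical, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example: stage a corporate CA file as PEM before trusting it.
# Function names and arguments are assumptions for illustration.

# Print "pem", "der" or "unknown" for a certificate file.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der    # DER certificates start with an ASN.1 SEQUENCE tag (0x30)
    else
        echo unknown
    fi
}

# stage_ca_pem SRC DEST_DIR: write DEST_DIR/<name>.pem, converting DER if needed
# (first certificate only if SRC is a bundle), then show subject, issuer and
# SHA-256 fingerprint so they can be compared with the values from the CA owner.
stage_ca_pem() {
    src=$1
    dest="$2/$(basename "${src%.*}").pem"
    case "$(cert_encoding "$src")" in
        pem) openssl x509 -in "$src" -out "$dest" || return 1 ;;
        der) openssl x509 -inform DER -in "$src" -out "$dest" || return 1 ;;
        *)   echo "$src: not a PEM or DER certificate" >&2; return 1 ;;
    esac
    # Only a CA certificate belongs in the trust store.
    if ! openssl x509 -in "$dest" -noout -text | grep -q 'CA:TRUE'; then
        echo "$src: basicConstraints is not CA:TRUE, refusing" >&2
        rm -f "$dest"
        return 1
    fi
    openssl x509 -in "$dest" -noout -subject -issuer -fingerprint -sha256
}

# Usage (as root, before the c_rehash and keytool steps):
#   stage_ca_pem /tmp/<filename_of_root_CA>.cer /etc/ssl/certs
```
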


When there are problems with the certificates as described above, the following error messages can be seen:

- /var/log/tomcat6/catalina.out

2015-04-28 09:31:00,886 [TP-Processor6] INFO org.directwebremoting.log.accessLog - Method execution failed: com.redhat.rhn.frontend.action.satellite.SCCConfigAction$SCCConfigException: com.suse.scc.client.SCCClientException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

or

2015-01-08 17:07:20,240 [TP-Processor6] ERROR com.redhat.rhn.manager.setup.SCCMirrorCredentialsManager - Error getting subscriptions for 6419084, javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed:

- wget will show the following:

 wget http://updates.suse.com
 --2015-04-28 11:12:23-- http://updates.suse.com/
 Resolving xxxxxxxxxxxxxx... yyy.yyy.yyy.yyy
 Connecting to XXXXXXXXXXXXXX|yyy.yyy.yyy.yyy|:8080... connected.
 Proxy request sent, awaiting response... 301 Moved Permanently
 Location: https://updates.suse.com// [following]
 --2015-04-28 11:12:23-- https://updates.suse.com//
 Connecting to XXXXXXXXXXXXXX|yyy.yyy.yyy.yyy|:8080... connected.
 ERROR: cannot verify updates.suse.com's certificate, issued by `/C=XX/O=XXXXXX/CN=XXXXXXXXXXXXXXX':
   Unable to locally verify the issuer's authority.
 To connect to updates.suse.com insecurely, use `--no-check-certificate'.
 Unable to establish SSL connection.