Troubleshooting SSL

From cosign wiki

If it appears your cosign-protected web server cannot connect to the weblogin server, try these things to find the cause:

Contents 1 Verify the specifed paths are correct 2 Verify port 6663 is open 3 Make sure you have the CA file for the weblogin server 4 Make sure certificates are not expired 5 Make sure the private key and certificate are a match 6 Attempt to create a secure connection manually

[edit] Verify the specifed paths are correct

An incorrect path or misspelling of the ChainFilePath, PrivateKeyFilePath, or CAFilePath will prevent the filter from creating a secure connection with the weblogin server.

[edit] Verify port 6663 is open

From a command prompt:

telnet weblogin.server.name 6663

You should see a banner and can issue some basic commands:

220 2 Collaborative Web Single Sign-On
noop
250 cosign vINTERNAL
quit
221 Service closing transmission channel

Connection to host lost.

If you get a "connect failed", it could be for a number of reasons, but most likely a firewall is blocking outbound connections from your web server to port 6663.

[edit] Make sure you have the CA file for the weblogin server

Not only does the weblogin server verify the identity of the filter, but the filter needs to verify the identity of the weblogin server. Download the latest CA file for your weblogin server, and rehash it. Make sure the filter is configured to point to the *directory* containing the hash.

[edit] Make sure certificates are not expired

From a command prompt:

cd C:\Program Files\IISCosign
openssl x509 -dates SSL\\server.cert

The output will be something like:

notBefore=Nov  6 20:44:44 2007 GMT
notAfter=Nov  3 20:44:44 2017 GMT

If the current date is after the notAfter date, you will need to generate a new CSR for your cert.

Also check the expiration date for the weblogin server's CA certificate:

openssl x509 -dates SSL\\webloginCA.pem

If the notAfter date has passed, you will need to download an updated version of this file.

[edit] Make sure the private key and certificate are a match

From a command prompt:

openssl rsa -in "C:\\Program Files\\IISCosign\\SSL\\server.key" -noout

The -noout prevents openssl from displaying your private key. If this is successful, the output is a blank line.

[edit] Attempt to create a secure connection manually

From a command prompt:

cd C:\Program Files\IISCosign
openssl s_client -connect weblogin.server:6663 -cert “C:\\Program Files\\IISCosign\\SSL\\certname.crt” -key “C:\\Program Files\\IISCosign\\SSL\\certname.key” -CApath “C:\\Program Files\\IISCosign\\SSL” -showcerts -state -debug -crlf -starttls smtp

If things go well, you'll be able to issue commands such as:

CHECk cosign-servicename=abc123

If things don't go well, you will receive some sort of error message indicating why a secure connection could not be established. NOTE: you should also try "runas" or "sudo" as the IIS_WAM or www account before doing this.