Troubleshooting SSL

From cosign wiki

Revision as of 14:13, 30 April 2009 by Jarod (Talk | contribs)

If it appears your cosign-protected web server cannot connect to the weblogin server, try these things to find the cause:

Verify the specified paths are correct

An incorrect path or misspelling of the ChainFilePath, PrivateKeyFilePath, or CAFilePath will prevent the filter from creating a secure connection with the weblogin server.

Verify port 6663 is open

From a command prompt:

telnet weblogin.server.name 6663

You should see a banner and can issue some basic commands:

220 2 Collaborative Web Single Sign-On
noop
250 cosign vINTERNAL
quit
221 Service closing transmission channel

Connection to host lost.

If you get a "connect failed", it could be for a number of reasons, but most likely a firewall is blocking outbound connections from your web server to port 6663.
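The same exchange as the telnet session above, written as a script so the check can be repeated from the web server and each step's outcome recorded. This is an added example, not code from the cosign or IISCosign projects; it assumes the daemon speaks CRLF-terminated "NNN text" reply lines like those shown on this page, and the loopback stand-in server at the bottom is constructed only so the script can be exercised without a real weblogin server.

```python
"""Scripted version of the telnet check: connect, read banner, send noop, send quit.

Added example; not part of cosign or IISCosign. It reports which step failed so a
blocked port, a connection dropped mid-exchange and a wrong service on the port
can be told apart. Assumption: replies are CRLF-terminated "NNN text" lines.
"""
import socket
import socketserver
import threading

DEFAULT_PORT = 6663  # the cosign daemon port named on this page


def parse_reply(line):
    """Split an 'NNN text' reply into (code, text); code is None if the line is malformed."""
    stripped = line.strip()
    code, _, text = stripped.partition(" ")
    if len(code) != 3 or not code.isdigit():
        return None, stripped
    return int(code), text


def check_cosign_port(host, port=DEFAULT_PORT, timeout=5.0):
    """Run the banner/noop/quit exchange; each step's parsed reply lands in the result dict."""
    result = {"connected": False, "banner": None, "noop": None,
              "quit": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["connected"] = True
            rfile = sock.makefile("rb")
            result["banner"] = parse_reply(rfile.readline().decode("ascii", "replace"))
            if result["banner"][0] != 220:
                # Something answered on the port, but it did not greet like a cosign daemon.
                result["error"] = "unexpected banner: %r" % (result["banner"][1],)
                return result
            sock.sendall(b"noop\r\n")
            result["noop"] = parse_reply(rfile.readline().decode("ascii", "replace"))
            sock.sendall(b"quit\r\n")
            result["quit"] = parse_reply(rfile.readline().decode("ascii", "replace"))
    except OSError as exc:
        # Covers "connect failed" (refused or timed out, usually a firewall) and resets mid-exchange.
        result["error"] = str(exc)
    return result


class FakeCosignHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for offline runs; it mimics only the replies quoted on this page."""

    def handle(self):
        self.wfile.write(b"220 2 Collaborative Web Single Sign-On\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.strip().lower()
            if cmd == b"noop":
                self.wfile.write(b"250 cosign vINTERNAL\r\n")
            elif cmd == b"quit":
                self.wfile.write(b"221 Service closing transmission channel\r\n")
                return
            else:
                return  # the stand-in just drops anything else; real daemon behaviour is not modelled


def start_fake_server():
    """Serve the stand-in on a loopback ephemeral port; returns (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeCosignHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:        # python check_cosign.py weblogin.server.name [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
        print(check_cosign_port(sys.argv[1], port))
    else:                        # no host given: exercise the loopback stand-in
        server, port = start_fake_server()
        print(check_cosign_port("127.0.0.1", port))
        server.shutdown()
        server.server_close()
```

A result with `connected` false and an `error` such as "Connection refused" or "timed out" is the scripted equivalent of telnet's "connect failed"; a result with `connected` true but no 220 banner means the port is open but something other than the cosign daemon is answering, which points at the server rather than the firewall.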

Make sure you have the CA file for the weblogin server

Not only does the weblogin server verify the identity of the filter, but the filter needs to verify the identity of the weblogin server. Download the latest CA file for your weblogin server, and rehash it. Make sure the filter is configured to point to the *directory* containing the hash.

Make sure certificates are not expired

From a command prompt:

cd C:\Program Files\IISCosign
openssl x509 -noout -dates -in SSL\server.cert

The output will be something like:

notBefore=Nov  6 20:44:44 2007 GMT
notAfter=Nov  3 20:44:44 2017 GMT

If the current date is after the notAfter date, you will need to generate a new CSR for your cert.

Also check the expiration date for the weblogin server's CA certificate:

openssl x509 -noout -dates -in SSL\webloginCA.pem

If the notAfter date has passed, you will need to download an updated version of this file.
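The two date checks above, turned into a small script that reads the `notBefore`/`notAfter` lines openssl prints and classifies the certificate, with a warning window so a new CSR or a fresh CA file can be prepared before the filter stops connecting. This is an added example, not code from the cosign or IISCosign projects; the `warn_days` threshold and the function names are my own, and the sample output embedded in it is the one quoted on this page.

```python
"""Classify a cosign certificate from 'openssl x509 -noout -dates' output.

Added example; not part of cosign or IISCosign. parse_openssl_dates() reads the two
lines openssl prints, check_validity() compares them with a given time (UTC) and
flags certificates that are expired, not yet valid, or inside a warning window.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# openssl prints e.g. "Nov  6 20:44:44 2007 GMT"; the day is space-padded.
DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            value = re.sub(r"\s+", " ", value.strip())  # collapse the day padding
            found[key] = datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("expected notBefore and notAfter lines, got: %r" % (text,))
    return found["notBefore"], found["notAfter"]


def check_validity(text, now=None, warn_days=30):
    """Return (status, days_until_notAfter); status is one of
    'not_yet_valid', 'expired', 'expiring_soon' or 'valid'. warn_days is my own threshold."""
    not_before, not_after = parse_openssl_dates(text)
    now = now or datetime.now(timezone.utc)
    days_left = (not_after - now).days
    if now < not_before:
        return "not_yet_valid", days_left
    if now > not_after:
        return "expired", days_left
    if not_after - now <= timedelta(days=warn_days):
        return "expiring_soon", days_left
    return "valid", days_left


def openssl_dates(cert_path):
    """Run openssl against a PEM file and return its -dates output (needs openssl on PATH)."""
    completed = subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-in", cert_path],
        check=True, capture_output=True, text=True)
    return completed.stdout


# Constructed sample input: the output quoted on this page.
SAMPLE_OUTPUT = "notBefore=Nov  6 20:44:44 2007 GMT\nnotAfter=Nov  3 20:44:44 2017 GMT\n"


if __name__ == "__main__":
    import sys
    # Usage: python check_cert_dates.py SSL\server.cert  (or SSL\webloginCA.pem)
    text = openssl_dates(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    status, days = check_validity(text)
    print("%s (%d days until notAfter)" % (status, days))
```

Run it once against the filter's own certificate and once against the weblogin CA file: an `expired` result on the first means a new CSR, on the second means downloading the updated CA file as described above. Comparing in UTC matters because the openssl dates are GMT and a server whose local clock is far off will appear to be inside or outside the validity window at the wrong moments.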
