出於安全要求,他們在tier 2和tier 3啟用了TLS,詳情參考IBM文檔。結果是,在tier 3壹切順利,訪問網頁沒有問題;但是在tier 2卻遇到了問題,報錯如下。
"Failed to retrieve the Spark applications. Connection refused. Ensure that either the required IBM Spectrum Conductor services are running (ascd and REST) or SSL is configured properly."
因為只有tier 2才有問題而tier 3沒問題問題,而且tier 2和tier 3的certificate都放在相同的keystore裏,所以我們有理由懷疑可能tier 3的certificate配置出錯了。當然,腦子裏先要有關於certificate的相關知識,不然可能也不會懷疑到這。SSL certificate相關知識可以參考我的這篇"壹文讀懂HTTP, HTTPS, SSL和TLS"講解。
於是,我們可以通過下面的步驟來測試certificate的配置。
openssl s_client -CAfile /path/to/target/keystore/file?-connect target_FQDN:target_port
針對tier 3上,測試得到的結果如下,連接狀態是CONNECTED,certificate chain和certificate都可以返回來,沒問題。$openssl s_client -CAfile /opt/sym/certificates/truststore.pem -connect bens3-a1.svr.us.jpm.net:8643
CONNECTED(00000003)
depth=2 DC = NET, DC = JPMCHASE, DC = EXCHAD, CN = JPMCROOTCA
verify return:1
depth=1 DC = net, DC = jpmchase, DC = exchad, CN = PSIN0P551
verify return:1
depth=0 C = US, ST = NJ, L = Jersey City, O = JPMorg, OU = Compute Backbone, CN = bens3-a1.svr.us.jpm.net
verify return:1
---
Certificate chain
0 s:/C=US/ST=NJ/L=Jersey City/O=JPMorg /OU=Compute Backbone/CN=bens3-a1.svr.us.jpm.net
i:/DC=net/DC=jpmchase/DC=exchad/CN=PSIN0P551
1 s:/DC=net/DC=jpmchase/DC=exchad/CN=PSIN0P551
i:/DC=NET/DC=JPMCHASE/DC=EXCHAD/CN=JPMCROOTCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHszCCBZugAwIBAgITRQAC1Y89tfV7k9/q/gABAALVjzANBgkqhkiG9w0BAQsF
ADBbMRMwEQYKCZImiZPyLGQBGRYDbmV0MRgwFgYKCZImiZPyLGQBGRYIanBtY2hh
c2UxFjAUBgoJkiaJk/IsZAEZFgZleGNoYWQxEjAQBgNVBAMTCVBTSU4wUDU1MTAe
Fw0xOTEwMDIxMjU0MDZaFw0yMTEwMDExMjU0MDZaMIGNMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCTkoxFDASBgNVBAcTC0plcnNleSBDaXR5MRcwFQYDVQQKEw5KUE1v
cmdhbiBDaGFzZTEZMBcGA1UECxMQQ29tcHV0ZSBCYWNrYm9uZTEnMCUGA1UEAxMe
Y2JiZW5zMy1hMS5zdnIudXMuanBtY2hhc2UubmV0MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAo/khQh8MHdTkTuKa7eO7Qigx9UuqRlZ+lMQImtZxhiEQ
g9vpEhZk193G9IRuV8lVHbV6fMe6WYCuSGP0V+ZF1OVe5XtmFnWNNW5FS8WyApk3
hcSeWeeI6QDArMutidpya30a21UUv+ZxoOdnEDwAvMjoWBS6caJPiRnKQ77TXl+J
HHVv2Q6SDCSQiwuLxRZzD+c637bJXvvw0Tt1YKwcijp0DBwGmZotdvONulEJNvtM
J7Pn8bhgWoVC7UkM1TY6M4xikJgFHh+AlT0+Z+tYfGMbu7aPUBjO61f2Qq9KSouT
n6di8ule0c9hntat+JS1bDHz9Czd0IcmIfNpGeS8cwIDAQABo4IDOzCCAzcwKQYD
VR0RBCIwIIIeY2JiZW5zMy1hMS5zdnIudXMuanBtY2hhc2UubmV0MB0GA1UdDgQW
BBTi/DxO6VfcEMq8ZqpNiDDpPeaQ7jAfBgNVHSMEGDAWgBQy3mGo4/el4t5HICuq
......
cyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPWV4Y2hhZCxEQz1qcG1j
aGFzZSxEQz1uZXQ/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVj
dENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIIBLgYIKwYBBQUHAQEEggEgMIIB
HDA5BggrBgEFBQcwAoYtaHR0cDovL2FkY3MuanBtY2hhc2UubmV0L2NybC9QU0lO
MFA1NTEoMSkuY3J0MCkGCCsGAQUFBzABhh1odHRwOi8vYWRjcy5qcG1jaGFzZS5u
ZXQvb2NzcDCBswYIKwYBBQUHMAKGgaZsZGFwOi8vL0NOPVBTSU4wUDU1MSxDTj1B
SUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29u
ZmlndXJhdGlvbixEQz1leGNoYWQsREM9anBtY2hhc2UsREM9bmV0P2NBQ2VydGlm
aWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MA4G
A1UdDwEB/wQEAwIFoDA8BgkrBgEEAYI3FQcELzAtBiUrBgEEAYI3FQiBg5o1g/PQ
QIKBkwyC3ZYCk506RIOUsA+Etq87AgFkAgEKMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjAnBgkrBgEEAYI3FQoEGjAYMAoGCCsGAQUFBwMBMAoGCCsGAQUF
BwMCMA0GCSqGSIb3DQEBCwUAA4ICAQASNIP+nc1/TAYpIzY45C+c69pFlv0QupDq
ovOs9uPz/4oiGfwLaXmVVYmmUZIdlH8QaR4v/AYGkbYnej9BAHX7/NynevTT908v
VjFMb0GNkGC+KgCOaEeLv5fR9/x2xoVFOyztjysHnDjvi1A5VcyTqRiZynwOzrMZ
jtLS/jtI/65K7yDTYQDLATuUWmi3xcl0QyV11bxgDeU6ggOu1w/SyiFPPng9mWEA
UfE8yIWiXTrEZlKo00tV8L5x6vizq4sBQTxbuOuDJbqTCJKkZUv+GQuvWuwcPcFi
xRZboWVOaZ6v9i3HOv1Yd7mCjkT67rC2lzqPgxpZAD2ew9/LTmtTQYRc7iWUUBPb
9PRIIuf8sLp/9Lt06loVGe5saFvxG/ooGSfe2JwLvQUIg9HKhZNFaIvLdu6V/dXq
DLzYdEfhF7KuM2TzwIRETSahMadk6+z17OUlzu87aWPVBr7YRmBtupBC1J1QaFH6
tbmh5+56gAmSSvNt5l6yVGgZB0ooklTJYwkc9lH7NYzunzksaXPbVvjJEDUl+e6w
z2XIripgZRZfnOiGHrNPjuPuUGP2gPFfm7NViGUoOY11GzTzU2l2xFzSMlngvIwR
sq1waInp1NDkr0ue08l27NnwBurqmiXfP9KQsu7gpaj8RAXiq8afQpReCHV9Ra3X
Oj+YAovtzA==
-----END CERTIFICATE-----
subject=/C=US/ST=NJ/L=Jersey City/O=JPMorg/OU=Compute Backbone/CN=bens3-a1.svr.us.jpm.net
issuer=/DC=net/DC=jpmchase/DC=exchad/CN=PSIN0P551
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4767 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5DF8DBBCAA37AC5D809C6831174368C0545E3E06A0E8BE2F6450F03C96DCA198
Session-ID-ctx:
Master-Key: 582ABE9363DE36147A845750A7199639CF8CC88D7C3C50EE3B3C7941EE9713F120DF8558504F41CECB6838C5B6E32C47
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1576590268
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
針對tier 2,測試的結果如下,得到sslv3 alert handshake failure的錯誤,無法返回server端的certificate chain和certificate。這更壹步說明tier 3的證書配置有問題。