SEC 5.5 RMS Issues

Recently upgraded to SEC 5.5.0. Using the same install package on 3 separate RHEL VMs, all of which are running different versions of OpenSSL. I have 2 that are able to receive updates from the manager but are not populating into the console itself. Please let me know if you have encountered this before or have a solution.
Looking into the RMS Router logs I have found the following:
[user@server-vm1 Logs]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008


[user@server-vm1 Logs]# cat Router-20171108-220512.log
08.11.2017 16:05:12 A4B0 I SOF: ./Router/Logs/Router-20171108-220512.log
08.11.2017 16:05:12 A4B0 I Sophos Messaging Router 4.1.0.8 starting...
08.11.2017 16:05:12 A4B0 I Setting ACE_FD_SETSIZE to 138
08.11.2017 16:05:12 A4B0 I Initializing CORBA...
08.11.2017 16:05:12 A4B0 I Connection cache limit is 10
08.11.2017 16:05:12 A4B0 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
08.11.2017 16:05:12 A4B0 I Creating ORB runner with 4 threads
08.11.2017 16:05:12 A4B0 W No public key certificate found in the store. Requesting a new certificate.
08.11.2017 16:05:12 A4B0 I Getting parent router IOR from <SEC IP Address>:8192
08.11.2017 16:05:12 A4B0 I Getting a new router certificate...
08.11.2017 16:06:57 A4B0 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as 'No usable profile in IOR.', completed = NO
08.11.2017 16:06:57 A4B0 W Failed to get certificate, retrying in 600 seconds
08.11.2017 16:16:57 A4B0 I Getting parent router IOR from <SEC IP Address>:8192
08.11.2017 16:16:57 A4B0 I Getting a new router certificate...
08.11.2017 16:18:46 A4B0 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as 'No usable profile in IOR.', completed = NO
08.11.2017 16:18:46 A4B0 W Failed to get certificate, retrying in 600 seconds
[user@server-vm3 Logs]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

[user@server-vm3 Logs]# cat Router-20171109-033224.log
21:32:24 3740 I SOF: ./Router/Logs/Router-20171109-033224.log
21:32:24 3740 I Sophos Messaging Router 4.1.0.8 starting...
21:32:24 3740 I Setting ACE_FD_SETSIZE to 138
21:32:24 3740 I Initializing CORBA...
21:32:24 3740 I Connection cache limit is 10
21:32:24 3740 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
21:32:24 3740 I Creating ORB runner with 4 threads
21:32:24 3740 W No public key certificate found in the store. Requesting a new certificate.
21:32:24 3740 I Getting parent router IOR from <SEC IP Address>:8192
21:32:25 3740 I Getting parent router IOR from SECServer:8192
21:32:25 3740 I Getting parent router IOR from SECServer:8192
21:32:25 3740 E Failed to get parent router IOR
21:32:25 3740 W Failed to get certificate, retrying in 600 seconds
For the VM that has worked and has populated, the same log shows:

[user@server-vm2 Logs]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013


[user@server-vm2 Logs]# cat Router-20171108-222825.log
16:28:25 8740 I SOF: ./Router/Logs/Router-20171108-222825.log
16:28:25 8740 I Sophos Messaging Router 4.1.0.8 starting...
16:28:25 8740 I Setting ACE_FD_SETSIZE to 138
16:28:25 8740 I Initializing CORBA...
16:28:25 8740 I Connection cache limit is 10
16:28:25 8740 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
16:28:25 8740 I Creating ORB runner with 4 threads
16:28:25 8740 I Compliant certificate hashing algorithm
16:28:25 8740 I This router's IOR:
IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d65737361676552602000900000031302e332e322e36000001000210000000001000000526f6f74504f4100526f7574657250657273697374656e740002000000010000004d657373616765526f7574657200000003000000000000000800000001000000004f4154010000001800000001000000010001000100000001000105090101000000000014000000080000000100a6008600022000000000a400
16:28:25 8740 I Successfully validated this router's IOR
  • Hello Cards11x,

    AFAIK Sophos doesn't use the host's libraries but comes with its own set in order to avoid compatibility issues. So the OpenSSL version shouldn't matter.

    server-vm3 seems to be unable to reach the parent's port 8192 - does telnet SECServer 8192 (or <SEC IP Address>) return an IOR? Looks like it doesn't.

    server-vm1 seems to receive an IOR (using the server's IP) but is (if I understand correctly) subsequently unable to connect to the host/port specified in the profile(s). For a server with a static IP the address is serverIP:8194 - this should work if serverIP:8192 works (unless 8194 is blocked on the way to the server). If this information doesn't help please show the IOR returned by the server.

    Christian

  • Christian, 

    Thank you for your quick response. We have fixed the issue with VM3. It turned out to be a simple access rule for the firewall that was not previously set up.

    Now for server-vm1. This is still receiving the same error in the Router Logs. Here is what I know and have gathered attempting to troubleshoot this today.

    Running RHEL 5

    Running Sophos Ver 9

    Successfully runs ./savupdate.sh and updates fine

    This is using iptables but has rules in place to allow TCP/8192 & 8194

    Successfully able to telnet to the SEC IP via 8192 & 8194.

    Running a capture, we see the client send out on 8192 to SEC. SEC then responds on 8194, but that is getting reset when it hits the client.

    When restarting the sav-rms service, and once verifying that it is running, I do not see any of the RMS ports listening when looking at netstat.

    If you have any further possible troubleshooting solutions or ideas of a possible fix, it is greatly appreciated.

    Thanks!

  • Hello Cards11x,

    I assume the "No usable profile in IOR" refers to the IOR received from the server. You get the IOR from the telnet <server> 8192 response and can parse it, for example, at parc.com. This will show the host and port (note the port is the non-SSL port 8193) that should be contacted - could be that vm1 can't reach the server with this information, e.g. when the server returns a name that the client can't resolve.
    If you're unsure please post the IOR here (be warned though that it will reveal the server's name and/or IP).

    Christian

  • Hi Christian,
    I have placed the IOR into the link you provided and receive the following.

    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
     no trustworthy most-specific-type info; unrecognized ORB type;
     reachable with IIOP 1.2 at host "serve.name.here.com", port 8193


    Is this what I SHOULD be seeing when parsing the IOR?

    Thanks!
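Christian's point above, that the IOR handed out on 8192 itself encodes the host and the non-SSL port 8193 the client must then reach, can be checked offline with a small decoder rather than a web form. This is an added example, not code from either poster or from Sophos: it implements the CDR encapsulation layout of a stringified IOR; the sample IOR, the repository id "IDL:Example/MessageRouter:1.0" and the object key are constructed, with only the hostname placeholder and port 8193 taken from the parsed output above.

```python
import struct
class Cdr:  # CDR encapsulation reader: byte 0 is the byte-order flag, primitives align to their size
    def __init__(self, data):
        self.data, self.pos = data, 1
        self.fmt = "<" if data[0] == 1 else ">"      # 1 = little-endian, 0 = big-endian
    def num(self, code, size):
        self.pos += (-self.pos) % size               # alignment counts from the encapsulation start
        (v,) = struct.unpack_from(self.fmt + code, self.data, self.pos)
        self.pos += size
        return v
    def octets(self):                                # sequence<octet>: ulong length, then raw bytes
        n = self.num("I", 4); self.pos += n
        return bytes(self.data[self.pos - n:self.pos])
    def string(self):                                # CORBA string: the length counts the trailing NUL
        return self.octets()[:-1].decode()
class CdrOut:  # little-endian CDR writer, used only to build the constructed sample below
    def __init__(self):
        self.buf = bytearray([1])
    def num(self, code, size, v):
        self.buf += b"\0" * (-len(self.buf) % size) + struct.pack("<" + code, v)
    def octets(self, b):
        self.num("I", 4, len(b)); self.buf += b
    def string(self, s):
        self.octets(s.encode() + b"\0")
def build_ior(type_id, host, port, object_key):  # one TAG_INTERNET_IOP (tag 0) profile, IIOP 1.2
    p = CdrOut()
    p.buf += bytes((1, 2))                           # IIOP major/minor follow the flag byte
    p.string(host); p.num("H", 2, port); p.octets(object_key)
    p.num("I", 4, 0)                                 # IIOP 1.1+: empty tagged-component list
    w = CdrOut()
    w.string(type_id); w.num("I", 4, 1)              # repository id, then the profile count
    w.num("I", 4, 0); w.octets(bytes(p.buf))         # tag 0, then the profile as its own encapsulation
    return "IOR:" + w.buf.hex()
def parse_ior(ior):
    """Return (type_id, [(iiop_version, host, port, object_key), ...]) for the IIOP profiles."""
    if not ior.startswith("IOR:"): raise ValueError("not a stringified IOR")
    r = Cdr(bytes.fromhex(ior[4:]))
    type_id, profiles = r.string(), []
    for _ in range(r.num("I", 4)):
        tag, body = r.num("I", 4), r.octets()
        if tag != 0: continue                        # not IIOP (e.g. TAG_MULTIPLE_COMPONENTS): skip it
        p = Cdr(body)
        version = f"{p.num('B', 1)}.{p.num('B', 1)}"
        profiles.append((version, p.string(), p.num("H", 2), p.octets()))
    return type_id, profiles                         # empty list: no profile a plain IIOP client can use

# Constructed sample, not the thread's real IOR: a hostname plus the non-SSL port 8193 seen above.
SAMPLE_IOR = build_ior("IDL:Example/MessageRouter:1.0", "server.name.here.com", 8193,
                       b"RootPOA\0RouterPersistent")
```

Paste the IOR: string from a telnet <server> 8192 response into parse_ior; an empty profile list, or a host name the client cannot resolve, is the kind of mismatch Christian describes.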
  • Hello Cards11x,

    thanks, looks correct. So the server has been configured to return a name; looks like vm1 can't resolve this name (or at least not correctly). Does (from vm1) telnet server.name.here.com 8194 connect, or do you get a host not found or similar error?

    Christian

  • Hi Christian,

    I am able to successfully make a connection to our SEC over 8194. I receive no errors.

    Thanks

  • Hello Cards11x,

    indeed using the name - or did you enter the IP?
    I'd suggest making the Router log more verbose as mentioned here. Dunno what to expect in this situation but maybe there's a hint.

    Christian

  • Christian,
    I used both name and IP. Both had no issues telnetting to that port. At this point I'm going to be opening a support case with Sophos to help further investigate this issue. Thank you very much for your efforts. I'll be sure to post my findings here once this has been resolved.

    Thanks!

  • Wanted to post an update although this thread is 5 months old. This issue was resolved by an OS upgrade.