This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SEC 5.5 RMS Issues

Recently upgraded to SEC 5.5.0.  Using the same install package on 3 separate RHEL VMs all of which are running different versions of OpenSSL. I have 2 that are able to receive updates from the manager but are not populating into the console itself. Please let me know if you have encountered this before or have a solution.

 

Looking into the RMS Router logs I have found the following:

 

[user@server-vm1 Logs]# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008


[user@server-vm1 Logs]# cat Router-20171108-220512.log
08.11.2017 16:05:12 A4B0 I SOF: ./Router/Logs/Router-20171108-220512.log
08.11.2017 16:05:12 A4B0 I Sophos Messaging Router 4.1.0.8 starting...
08.11.2017 16:05:12 A4B0 I Setting ACE_FD_SETSIZE to 138
08.11.2017 16:05:12 A4B0 I Initializing CORBA...
08.11.2017 16:05:12 A4B0 I Connection cache limit is 10
08.11.2017 16:05:12 A4B0 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
08.11.2017 16:05:12 A4B0 I Creating ORB runner with 4 threads
08.11.2017 16:05:12 A4B0 W No public key certificate found in the store. Requesting a new certificate.
08.11.2017 16:05:12 A4B0 I Getting parent router IOR from <SEC IP Address>:8192
08.11.2017 16:05:12 A4B0 I Getting a new router certificate...
08.11.2017 16:06:57 A4B0 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as 'No usable profile in IOR.', completed = NO
08.11.2017 16:06:57 A4B0 W Failed to get certificate, retrying in 600 seconds
08.11.2017 16:16:57 A4B0 I Getting parent router IOR from <SEC IP Address>:8192
08.11.2017 16:16:57 A4B0 I Getting a new router certificate...
08.11.2017 16:18:46 A4B0 E Router::GetCertificate: Caught CORBA system exception, ID 'IDL:omg.org/CORBA/TRANSIENT:1.0'
OMG minor code (2), described as 'No usable profile in IOR.', completed = NO
08.11.2017 16:18:46 A4B0 W Failed to get certificate, retrying in 600 seconds

 

[user@server-vm3 Logs]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

[user@server-vm3 Logs]# cat Router-20171109-033224.log
21:32:24 3740 I SOF: ./Router/Logs/Router-20171109-033224.log
21:32:24 3740 I Sophos Messaging Router 4.1.0.8 starting...
21:32:24 3740 I Setting ACE_FD_SETSIZE to 138
21:32:24 3740 I Initializing CORBA...
21:32:24 3740 I Connection cache limit is 10
21:32:24 3740 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
21:32:24 3740 I Creating ORB runner with 4 threads
21:32:24 3740 W No public key certificate found in the store. Requesting a new certificate.
21:32:24 3740 I Getting parent router IOR from <SEC IP Address>:8192
21:32:25 3740 I Getting parent router IOR from SECServer:8192
21:32:25 3740 I Getting parent router IOR from SECServer:8192
21:32:25 3740 E Failed to get parent router IOR
21:32:25 3740 W Failed to get certificate, retrying in 600 seconds

 

For the VM that has worked and has populated the same log shows:

[user@server-vm2 Logs]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013


[user@server-vm2 Logs]# cat Router-20171108-222825.log
16:28:25 8740 I SOF: ./Router/Logs/Router-20171108-222825.log
16:28:25 8740 I Sophos Messaging Router 4.1.0.8 starting...
16:28:25 8740 I Setting ACE_FD_SETSIZE to 138
16:28:25 8740 I Initializing CORBA...
16:28:25 8740 I Connection cache limit is 10
16:28:25 8740 I Router::ConfigureSslContext: keeping legacy compatibility of TLS 1 and TLS 1.1.
16:28:25 8740 I Creating ORB runner with 4 threads
16:28:25 8740 I Compliant certificate hashing algorithm
16:28:25 8740 I This router's IOR:
IOR:010000002600000049444c3a536f70686f734d6573736167696e672f4d65737361676552602000900000031302e332e322e36000001000210000000001000000526f6f74504f4100526f7574657250657273697374656e740002000000010000004d657373616765526f7574657200000003000000000000000800000001000000004f4154010000001800000001000000010001000100000001000105090101000000000014000000080000000100a6008600022000000000a400
16:28:25 8740 I Successfully validated this router's IOR



This thread was automatically locked due to age.
Parents
  • Hello Cards11x,

    AFAIK Sophos doesn't use the host's libraries but comes with its own set in order to avoid compatibility issues. So the OpenSSL version shouldn't matter.

    server-vm3 seems to be unable to reach the parent's port 8192 - does telnet SECServer 8192 (or <SEC IP Address>) return an IOR? Looks like it doesn't.

    server-vm1 seems receive an IOR (using the server's IP) but is (if I understand correctly) subsequently unable to connect to the host/port specified in the profile(s). For a server with a static IP the address is serverIP:8194 - this should work if serverIP:8192 works (unless 8194 is blocked on the way to the server). If this information doesn't help please show the IOR returned by the server.

    Christian

  • Christian, 

    Thank you for your quick response. We have fixed the issue with VM3. It turned out to be a simple access rule for the firewall that was not previously setup.

     

    Now for server-vm1. This is still receiving the same error in the Router Logs. Here is what I know and have gathered attempting to troubleshoot this today.

    Running RHEL 5

    Running Sophos Ver 9

    Successfully runs ./savupdate.sh and updates fine

    This is using iptables but has rules in place to allow TCP/8192 & 8194

    Successfully able to telnet the SEC IP via 8192 & 8194. 

    Running a capture we see the client send out on 8192 to SEC. SEC then responds on 8194 but that is getting reset when it hits the client.

    When restarting the sav-rms service and once verifying that it is running. I do not see any of the RMS ports listening when looking at netstat.

     

    If you have any further possible troubleshooting solutions or ideas of a possible fix it is greatly appreciated.

     

    Thanks!

  • Hello Cards11x,

    I assume the No usable profile in IOR refers to the IOR received from the server. You get the IOR from the telnet <server> 8192 response and can parse it for example at parc.com. This will show host and port (note the port is the non-SSL port 8193) that should be contacted - could be that vm1 can't reach the server with this information, e.g. when the server returns a name that the client can't resolve.
    If you're unsure please post the IOR here (be warned though that it will reveal the server's name and/or IP).

    Christian

  • Hi Christian,

     

    I have placed the IOR into the link you provided and receive the following.

    object key is <#14#01#0F#00NUP#00#00#00!#00#00#00#00#01#00#00#00RootPOA#00RouterPersistent#00#03#00#00#00#01#00#00#00MessageRouter>;
     no trustworthy most-specific-type info; unrecognized ORB type;
     reachable with IIOP 1.2 at host "serve.name.here.com", port 8193


    Is this what I SHOULD be seeing when parsing the IOR?

    Thanks!
  • Hello Cards11x,

    thanks, looks correct. So the server has been configured to return a name, looks like vm1 can't resolve this name (or at least not correctly). Does (from vm1) telnet server.name.here.com 8194 connect or do you get a host no found or similar error?

    Christian

  • Hi Christian,

     

    I am able to successfully make a connection to our SEC over 8194. I receive no errors.

     

    Thanks

Reply Children