KB Article #102581

ICS Troubleshooting using openSSL

This article was previously published as ID#30054


Summary:
When implementing IME with Inter-Component Security (ICS), it is useful when troubleshooting connection-related errors to validate that the certificates are correct.

This KB article also applies if your MMS 5.5 server uses Secure Redirect and/or Secure Response with the "Secure all communications with IME Server using SSL (Secure Socket Layer)" option, found on the Setup Redirect page, enabled.

Symptom:
The IME 5.5 Administrator's Guide has a section (9.2.8) which covers troubleshooting ICS related problems.

Detailed Information:
How can I view certificate content? Use the openssl.exe tool:

C:\IME\bin\openssl x509 -in C:\IME\certs\server.pem -text -noout

How can I test my certificates without running the server? The following openssl commands implement a simple client and server which will communicate using specified certificates/keys.

C:\IME\bin\openssl s_server -CAfile C:\IME\bin\certs\ca.pem -cert C:\IME\bin\certs\server.pem -Verify 1 -accept 4433
openssl s_client -CAfile C:\IME\bin\certs\ca.pem -cert C:\IME\bin\certs\server.pem -connect host:4433

On your MMS Server, the openssl.exe executable can be found in your MMS installation directory (C:\Program Files\Tumbleweed\MMS by default).
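
The PowerShell script below is an added example, not part of the original article or the product's tooling. It checks the same files offline before the s_server / s_client test is attempted: that server.pem chains to ca.pem, has not expired, and carries the private key that belongs to its certificate. The paths are the ones used in the commands above; the script assumes server.pem holds both the certificate and an unencrypted RSA private key, which the s_server command implies by passing only -cert.

```powershell
# Added example: offline checks on an ICS certificate file.
# Paths come from the commands in this article; adjust to your installation.
$openssl = 'C:\IME\bin\openssl.exe'
$caFile  = 'C:\IME\bin\certs\ca.pem'
$cert    = 'C:\IME\bin\certs\server.pem'  # assumption: certificate + unencrypted RSA key

function Invoke-OpenSsl {
    param([string[]]$Arguments)
    # Merge stderr into stdout so error text is kept next to the exit code.
    $text = & $openssl @Arguments 2>&1 | Out-String
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $text.Trim() }
}

function Get-Modulus {
    param([string]$Command)   # 'x509' reads the certificate, 'rsa' reads the private key
    $r = Invoke-OpenSsl -Arguments @($Command, '-in', $cert, '-noout', '-modulus')
    if ($r.Output -match 'Modulus=([0-9A-F]+)') { $Matches[1] }
}

$results = [ordered]@{}

# 1. Chain: server.pem is used on both sides of the s_server / s_client test,
#    so it must verify against ca.pem as a TLS server and as a TLS client.
#    Require the ': OK' text as well as a zero exit code.
foreach ($purpose in 'sslserver', 'sslclient') {
    $name = "chains to CA ($purpose)"
    $r = Invoke-OpenSsl -Arguments @('verify', '-purpose', $purpose, '-CAfile', $caFile, $cert)
    $results[$name] = ($r.ExitCode -eq 0) -and ($r.Output -match ': OK\s*$')
    if (-not $results[$name]) { Write-Host $r.Output }   # show openssl's own error text
}

# 2. Validity: -checkend 0 exits non-zero if the certificate has already expired.
$r = Invoke-OpenSsl -Arguments @('x509', '-in', $cert, '-noout', '-checkend', '0')
$results['not expired'] = ($r.ExitCode -eq 0)

# 3. Key pair: the private key in the file must belong to the certificate in it.
$certMod = Get-Modulus -Command 'x509'
$keyMod  = Get-Modulus -Command 'rsa'
$results['key matches certificate'] = [bool]$certMod -and ($certMod -eq $keyMod)

foreach ($name in $results.Keys) {
    '{0,-28} {1}' -f $name, $(if ($results[$name]) { 'PASS' } else { 'FAIL' })
}
if ($results.Values -contains $false) { exit 1 }
```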

Resolution:
An error from either of these commands indicates a problem with the certificates generated during the installation process.

To regenerate certificates, use the Configure IME Server utility found on the IME Backend server's Start Menu.

If you are having problems generating a certificate for a specific server, you can use any server-specific certificate, copy it to the remote server, and rename the .pem file to that server's name.

Example:

IME Backend server: ime_backend
IME HTTP Gateway: ime_http
MMS: mms

Using the Configure IME Server utility, certificates for ime_backend.pem and ime_http.pem were generated, but not for MMS. Copy the ime_http.pem file to the MMS server and rename it to mms.pem. Certificates do not depend on the machine name or IP address, but the name of the certificate may be significant. It is only significant because it is referenced elsewhere in the server's Registry.


Original Author:
Original Submitter: DKALT
Keywords: ICS IME openSSL IME ID#30054