Splunk AppDynamics
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SSL configuration of controller with load balancer setup

CommunityUser
Splunk Employee
Splunk Employee
‎11-14-2017 09:41 AM
Hi ,

I have installed 4.3 controller and used load balancer to configure the HA setup .

Next steps is for ssl configuration for that I have performed the below steps

1- Requested certificate key tool
2- installed root Certificates
3- tried to import certificate received by authorities but failed

Error : "Failed to establish chain from reply"

Please assist on this
Labels (3)
0 Karma
Reply
2 Solutions
Solved! Jump to solution
Solution

CommunityUser
Splunk Employee
Splunk Employee
‎11-14-2017 02:31 PM

  • If you get the error "Failed to establish chain from reply", install the issuing Certificate Authority's root and any intermediate certificates into the keystore. The root CA chain establishes the validity of the CA signature on your certificate. Although most common root CA chains are included in the bundled JVM's trust store, you may need to import additional root certificates, such as certificates belonging to a private CA. To do so:

    keytool -import -alias [Any_alias] -file <path_to_root_or_intermediate_cert> -keystore <controller_home>/appserver/glassfish/domains/domain1/config/keystore.jks

        When done importing the certificate chain, try importing the signed certificate again.

See https://docs.appdynamics.com/display/PRO43/Controller+SSL+and+Certificates -- Step 9.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Saradhi_Pothara
Communicator
‎11-20-2017 12:04 PM

Could you let us know how the LB and Controller are configured?

1) Are you terminating SSL on LB or is it SSL at LB as well as Controller?

2) After generating the CSR and getting it signed, did you import both the root and intermediate certificates in the chain?

3) Would you be able to list the contents of the Keystore and also share the logs where you see the error?

Regards,

Saradhi

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

CommunityUser
Splunk Employee
Splunk Employee
‎11-14-2017 02:31 PM

  • If you get the error "Failed to establish chain from reply", install the issuing Certificate Authority's root and any intermediate certificates into the keystore. The root CA chain establishes the validity of the CA signature on your certificate. Although most common root CA chains are included in the bundled JVM's trust store, you may need to import additional root certificates, such as certificates belonging to a private CA. To do so:

    keytool -import -alias [Any_alias] -file <path_to_root_or_intermediate_cert> -keystore <controller_home>/appserver/glassfish/domains/domain1/config/keystore.jks

        When done importing the certificate chain, try importing the signed certificate again.

See https://docs.appdynamics.com/display/PRO43/Controller+SSL+and+Certificates -- Step 9.

0 Karma
Reply
Solved! Jump to solution

CommunityUser
Splunk Employee
Splunk Employee
‎11-15-2017 02:41 AM

I have used below command to geneated the pair

> i have puted the alias name for SAN and CN as primary controller

keytool -genkeypair -keyalg RSA -keysize 2048  -validity 1825 -alias s1as -ext SAN=dns:Load balncer alias (example.com) -keystore keystore.jks -storetype JKS -dname "CN=priamry controller server name,OU=Test, O=XYZ, L=Country, ST=CITY, C=SE"

I have imported root certificate alereay but still getting issue

Is there anything missed by me in above command ?

just for info we have other envirment where no load balancer concept and for that it is applied successfully 

0 Karma
Reply
Solved! Jump to solution
Solution

Saradhi_Pothara
Communicator
‎11-20-2017 12:04 PM

Could you let us know how the LB and Controller are configured?

1) Are you terminating SSL on LB or is it SSL at LB as well as Controller?

2) After generating the CSR and getting it signed, did you import both the root and intermediate certificates in the chain?

3) Would you be able to list the contents of the Keystore and also share the logs where you see the error?

Regards,

Saradhi

0 Karma
Reply
Solved! Jump to solution

dhirendra_singh
Loves-to-Learn Lots
‎01-15-2018 05:15 AM

I am terminating SSL at LB and now i have applied CSR on with LB name and applied on both the HA controller Node with root certificate which is working as expected 

thanks for response

0 Karma
Reply
Solved! Jump to solution

CommunityUser
Splunk Employee
Splunk Employee
‎11-15-2017 08:32 AM

@Vasu.Ramachandran -- please ask one of your team members to assist.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top