Troubleshooting Windows proxies

If you have installed a Windows proxy and it fails to connect, there are a number of checks that you should make before contacting Customer Support.

Checking the SSL keys

The appliance and Windows proxy communicate through an encrypted channel. In order for the Windows proxy to communicate with the appliance, both ends require the presence of a certificate authority file and an SSL (Secure Sockets Layer) key file.

The appliance needs the following:

  • ca_01.pem – The certificate authority.
  • appliance_key_01.pem – The key for the appliance.

The Windows proxy needs the following:

  • ca_01.pem – The same certificate authority file as the appliance, copied to the Windows proxy.
  • slave_key_01.pem – The same key file as the appliance, renamed and copied to the Windows proxy.

Check the following:

  1. The files exist at both ends in the corresponding etc directories. Examples of these are:
    • /usr/tideway/var/slaves/<ip address>__4323/etc on the appliance.
    • C:\Program Files\BMC Software\ADDM Proxy_Type where Proxy_Type is one of the following: Active Directory or Credential (8.3 SP1 and earlier proxies)
    • C:\Program Files\BMC Software\ADDM Proxy\etc on the proxy host (8.3 SP2 and later proxies)
  2. The files were present at the time that the process started.
  3. The certificate authority on both the appliance and the Windows proxy are the same.

Checking for an omniORB.cfg file

The communication between appliance and Windows proxy uses the omniORB CORBA implementation. Configuration of omniORB can affect communication. omniORB's configuration is stored in C:\omniORB.cfg. In a normal Windows proxy install, that file is not present. If it is present, its contents may prevent communication with the Windows proxy, or may cause other problems.

Restricting appliances that can connect

omniORB can be configured to only permit connections from particular IP addresses. This is achieved by adding a line of this form in C:\omniORB.cfg:

serverTransportRule = <ip address> ssl

That tells omniORB that only the specified IP address can connect with SSL. The IP address should be the IP address of the appliance. If multiple appliances are to use the same Windows proxy, one serverTransportRule line for each should be added.

Was this page helpful? Yes No Submitting... Thank you

Comments