Troubleshooting Windows proxies

If you have installed a Windows proxy and it fails to connect, there are a number of checks that you should make before contacting Customer Support.

Checking the SSL keys

The appliance and Windows proxy communicate through an encrypted channel. In order for the Windows proxy to communicate with the appliance, both ends require the presence of a certificate authority file and an SSL (Secure Sockets Layer) key file.

The appliance needs the following:

  • ca_01.pem — The certificate authority.
  • appliance_key_01.pem — The key for the appliance.

The Windows proxy needs the following:

  • ca_01.pem — The same certificate authority file as the appliance, copied to the Windows proxy.
  • slave_key_01.pem — The same key file as the appliance, renamed and copied to the Windows proxy.

Check the following:

  1. The files exist at both ends in the corresponding etcdirectories. Examples of these are:
    • /usr/tideway/etc on the appliance.
    • C:\Program Files\BMC Software\ADDM Proxy\runtime\ADDM Proxy_Type\etc where Proxy_Type is one of the following: Active Directory or Credential (8.3 SP1 and earlier proxies)
    • C:\Program Files\BMC Software\ADDM Proxy\etc on the proxy host (8.3 SP2 and later proxies)
  2. The files were present at the time that the process started.
  3. The certificate authority on both the appliance and the Windows proxy are the same.

Checking for an omniORB.cfg file

The communication between appliance and Windows proxy uses the omniORB CORBA implementation. Configuration of omniORB can affect communication. omniORB's configuration is stored in C:\omniORB.cfg. In a normal Windows proxy install, that file is not present. If it is present, its contents might prevent communication with the Windows proxy, or might cause other problems.

Restricting appliances that can connect

omniORB can be configured to only permit connections from particular IP addresses. This is achieved by adding lines of this form in C:\omniORB.cfg:

serverTransportRule = <ip address> ssl
serverTransportRule = localhost tcp

Add one line for each appliance IP address with the ssl qualification, and one single line for localhost tcp.  If multiple appliances are to use the same Windows proxy, one serverTransportRule line for each appliance should be added.

Only the specified IP addresses can connect with SSL, and internal communication between components of the Windows proxy is permitted over TCP. 

Was this page helpful? Yes No Submitting... Thank you