Secure Connection Failure Warning during Reflection ZFE Installation

  • 7021341
  • 05-Mar-2015
  • 02-Mar-2018

Environment

Reflection ZFE version 1.0 or higher

Situation

While installing Reflection ZFE, you may see a Secure Connection Failure warning.

The Secure Connection Failure warning message occurs when the automated installer's attempt to configure the Reflection ZFE session server for secure communications to Host Access Management and Security Server (MSS) fails.

Figure 1. Attachmate Reflection ZFE 2.1.2 Warning: Secure Connection Failure 'A secure connection could not be established to the Host Access Management and Security Server.'

This issue occurs if, during the previous MSS installation and configuration, you entered an IP address as the Server Name for URLs and Certificates.

Resolution

To resolve this issue, you need to create a new certificate using the Java Keytool application, and then import the certificate into MSS. Follow these steps:
  1. Create a new certificate using the Java Keytool application:
    1. Open keytool.exe found in <ReflectionZFE installation directory>/jre/bin.
    2. For the SAN value, enter the MSS server’s numerical IP address, such as 192.168.1.2. The SAN value must match the IP address in the certificate's Common Name field.
    3. Follow this example command, which uses 192.168.1.2 as the IP address:

       keytool.exe -genkey -keyalg RSA -alias myAlias -keystore myKeystore.jks -validity 1095 -keysize 2048 -ext san=ip:192.168.1.2 -ext eku=serverAuth -ext ku=digitalSignature,keyEncipherment

       Note the following:

    • To be able to import the certificate and the private key into MSS, you must enter the same password for the keystore and private key.
    • The certificate extensions named in the example (annotated by the "-ext" argument) are required by MSS.
    • Refer to the Java keytool documentation to ensure that the keytool application's arguments adhere to your organization's security requirements.
  2. Import the certificate into MSS.
    1. Locate HttpsCertificateUtility.exe in <installation directory>/utilities/bin where <installation directory> is typically:

       MSS on Windows: C:\Program Files\Micro Focus\MSS

       MSS on UNIX/Linux: /opt/microfocus/mss

    2. Run HTTPSCertificateUtility. On the "Select a certificate action" screen, select the option to Import a certificate and private key. Click Next.
    3. Browse to and select the keystore you created in step 1. Click Next.
    4. Enter the password used to generate the keystore in step 1, click Next, and continue through the utility.
    5. Restart MSS for the changes to take effect.
  3. Run the Reflection ZFE installer again, which will reconfigure the session server to use secure communications.

Cause

Reflection ZFE uses Management and Security Server (MSS) for management and security features. By default, communications between these servers use HTTPS. The Secure Connection Failure warning occurs when the MSS certificate has a Common Name value that is a numeric IP address in the Subject. For example:

Subject: CN=192.168.1.2, L=Seattle, ST=Washington, O=My organization, OU=My organizational unit, C=US

Reflection ZFE strictly adheres to RFC 6125 for service identity validation. It does not consider the certificate to be known and trusted because the Subject Alternative Name (SAN) is missing an IP address value that matches the Common Name. As a result, the installer configures the session server to use HTTP (non-secure) communications with MSS.
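The identity check described above can be sketched as follows. This is an added example, not Reflection ZFE's or MSS's own code: the function names are hypothetical, the certificates are constructed samples in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns, and matching is exact (no wildcard handling).

```python
import ipaddress

# Constructed sample certificates (getpeercert() layout), using the article's Subject.
SUBJECT = ((("countryName", "US"),),
           (("organizationName", "My organization"),),
           (("commonName", "192.168.1.2"),))
CN_ONLY = {"subject": SUBJECT}                      # certificate that triggers the warning
WITH_SAN = {"subject": SUBJECT,                     # certificate made with -ext san=ip:...
            "subjectAltName": (("IP Address", "192.168.1.2"),)}


def presented_ids(cert):
    """Return (dns_names, ip_addresses, common_names) presented by the certificate."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips, cns


def check_identity(cert, server_name):
    """Return (ok, reason). The Common Name is reported but never used to match."""
    dns, ips, cns = presented_ids(cert)
    try:
        wanted_ip = ipaddress.ip_address(server_name)
    except ValueError:
        wanted_ip = None                            # server_name is a host name
    if wanted_ip is not None:
        if wanted_ip in ips:
            return True, "IP address found in SAN"
        if server_name in cns:
            return False, "IP address appears only in CN; SAN has no matching IP entry"
        return False, "no SAN IP entry matches"
    if server_name.lower() in dns:
        return True, "DNS name found in SAN"
    return False, "no SAN DNS entry matches"


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("CN + SAN", WITH_SAN)):
        print(label, check_identity(cert, "192.168.1.2"))
```

The CN-only certificate is rejected even though its Common Name equals the server's address; only the certificate carrying the IP address in the SAN passes.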

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 2782.