ELS 10.2.1 Breach of Security issue with Archive Bridge 10.3

Hi All

We have installed ELS 10.2.1 that is using SecKeys and global certificates to communicate with Content Server - this is working fine.

These certificates were created automatically during the ELS setup.

We now created one additional Logical Archive to be used by the Email Archive Bridge (10.3) client.

This logical archive did inherit the global certitfactes created previously but,

we have unticked all of the SecKeys options in the logical archive property>security tab.

When we run the Email Archive service, we get the following error in the rcs.log:

EADSH_ERR_DSCREATE_{0}_{1}_{2}[PSTstorage,DATA.MSG,HTTP error (unauthorized [401]): Breach of security: (ds-error='ICS:0006: Error in configuration: authentication for user '<mailto:' otadmin@otds.admin '> otadmin@otds.admin '<mailto:' otadmin@otds.admin '> and application '-undefined-' failed') ('') URL=' http://tsearch:8080/archive?create&pVersion=0045&contRep=PSTstorage&compId=DATA.MSG&ixCheckSum=MCwCAhOIAgECBBS%252fKj3zoeccrVJBSDWmgo7cOZsjgwYFKw4DAhoTBmxpYmRzaA%3d%3d&ixUser=TSEARCHBRIDGE&ixAppl=Open%20Text%20-%20Archiving%20Service%20for%20MSX' (11006).]

Even though the secKeys options are disabled, I am wondering if this happening because of the global enabled certificates used by ELS and CS10?

Find more posts tagged with

Comments

Otto_Engelniederhammer

Hi Navin,

see my comments marked with [otto] below.

best regards,

Otto Engelniederhammer

Quoted Navin Bali on 2013-03-08 10:55:

Hi All

We have installed ELS 10.2.1 that is using SecKeys and global certificates to communicate with Content Server - this is working fine.

[otto] just to clarify: seckeys and certificates are used to communicate with an backend ArchiveServer never with the Content Server itself.

These certificates were created automatically during the ELS setup.

We now created one additional Logical Archive to be used by the Email Archive Bridge (10.3) client.

This logical archive did inherit the global certificates created previously but,

we have unticked all of the SecKeys options in the logical archive property>security tab.

[otto]: afaik this is a not supported scenario if working with an Enterprise Library.
[otto]: In this case you should always have a signature to communicate with the ELS, means that the Email Archive Bridge must have its own private key to sign the [otto]: URLs and must upload and enable the corresponding certificate. Further the “CN” of the corresponding certificate must be added as application id in the ELS [otto]: administration. This whole process should be described in the ELS administration guide.

When we run the Email Archive service, we get the following error in the rcs.log:

EADSH_ERR_DSCREATE_{0}_{1}_{2}[PSTstorage,DATA.MSG,HTTP error (unauthorized [401]): Breach of security: (ds-error='ICS:0006: Error in configuration: authentication for user '<mailto:' otadmin@otds.admin '> otadmin@otds.admin '<mailto:' otadmin@otds.admin '> and application '-undefined-' failed') ('') URL=' http://tsearch:8080/archive?create&pVersion=0045&contRep=PSTstorage&compId=DATA.MSG&ixCheckSum=MCwCAhOIAgECBBS%2fKj3zoeccrVJBSDWmgo7cOZsjgwYFKw4DAhoTBmxpYmRzaA==&ixUser=TSEARCHBRIDGE&ixAppl=Open Text - Archiving Service for MSX' (11006).]

[otto]: this error message has directly nothing to do with signed URLs and certificates, it indicates that the isRecord check to the ContentServer fails! Out of the provided [otto]: information I cannot tell the reason for this (e.g. not reaching the Content Server) error. Detailed information can be found in the rcs.log of the ELS System.
[otto]: some background: for each Archive Link request it is checked if the inbound docId references an ELS record. Doing so means to log into the Content Server.

Even though the secKeys options are disabled, I am wondering if this happening because of the global enabled certificates used by ELS and CS10?
[otto]: as mentioned above the reported error does not come from checking for certificates, but from trying to logon to the ContentServer.

[otto]: if you think have configured the system correctly – see my comments above - and you still get the reported error the best bet is to involve support.
[otto]: I may also help you provided you send me – mailto: otto.engelniederhammer@opentext.com - the corresponding ELS rcs-logfile which shows the error.

Navin_Bali

Hi Otto - many thanks for your very informative reply.

I think I left out the CN and create application name bit, as I understood the admin document this been a requirement for SAP as the calling application. My bad.

I will generate a new certificate and keys for Archive Bridge & AS, and also create a new application.

Many thanks again.

Navin