Troubleshooting
Problem
Once PA Workspace is configured with custom SSL/TLS certificates, the pa-gateway container goes from the "Up" state to the "Restarting" state after a few seconds.
The "docker logs pa-gateway" command in PowerShell displays only this error:
httpd.exe: Could not reliably determine the server's fully qualified domain name, using <IPv6 address> for ServerName
Cause
Incorrect private key format in pa-workspace.pem.
More information can be found in \log\pa-gateway\wa-proxy-error.log:
[Tue Feb 25 10:31:27.863128 2020] [ssl:emerg] [pid 27984:tid 608] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/pa-gateway/ssl/pa-workspace.pem)
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] AH02564: Failed to configure encrypted (?) private key <ServerName>:443:0, check C:/pa-gateway/ssl/pa-workspace.pem
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] AH02564: Failed to configure encrypted (?) private key <ServerName>:443:0, check C:/pa-gateway/ssl/pa-workspace.pem
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Feb 25 10:31:27.865137 2020] [ssl:emerg] [pid 27984:tid 608] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
and \log\pa-gateway\error.log:
[Tue Feb 25 10:30:12.239891 2020] [ssl:emerg] [pid 23696:tid 584] AH02311: Fatal error initialising mod_ssl, exiting. See C:/Apache24/logs/wa-proxy-error.log for more information
AH00016: Configuration Failed
AH00016: Configuration Failed
Resolving The Problem
In the <PA_Workspace>/config/ssl folder, there is a file called pa-workspace.pem that has to be manually edited so that it contains the private key, the primary certificate, the intermediate CA certificate, and the root CA certificate.
The steps are described in the official documentation:
https://www.ibm.com/support/knowledgecenter/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/t_paw_enable_ssl.html
The private key needs to be surrounded by the following keywords, exclusively:
-----BEGIN RSA PRIVATE KEY-----
(...Private Key...)
-----END RSA PRIVATE KEY-----
The private key must not be encrypted, so it must not be surrounded by the following keywords:
-----BEGIN ENCRYPTED PRIVATE KEY-----
(...Encrypted Private Key...)
-----END ENCRYPTED PRIVATE KEY-----
The reason is that PA Workspace uses Apache in the "PA-Gateway" container.
To configure PA Workspace for "HTTPS", Apache must be configured for HTTPS.
To have a server configured for HTTPS, a private key and a matching certificate are needed.
Unfortunately, Apache does not support keystores, so the unencrypted key and the certificate have to be provided in a single PEM file. This is due to Apache's design, and PA Workspace cannot work around it.
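A check for the header rules above, as an added example that is not part of the IBM technote: it reports only the PEM block labels in the file and never prints key material. The function name Test-PaWorkspacePem and the sample file are hypothetical; the Proc-Type test covers traditional-format keys, which keep the RSA label even when encrypted.

```powershell
# Added example: inspect PEM block labels without displaying any key material.
function Test-PaWorkspacePem {
    param([Parameter(Mandatory)][string]$Path)

    $text   = Get-Content -LiteralPath $Path -Raw
    # Collect only the labels from the "-----BEGIN <label>-----" lines.
    $labels = [regex]::Matches($text, '(?m)^-----BEGIN ([A-Z0-9 ]+)-----\s*$') |
              ForEach-Object { $_.Groups[1].Value }

    $keys     = @($labels | Where-Object { $_ -like '*PRIVATE KEY' })
    $certs    = @($labels | Where-Object { $_ -eq 'CERTIFICATE' })
    $problems = @()

    if ($keys.Count -ne 1) {
        $problems += "expected exactly one private key block, found $($keys.Count)"
    }
    foreach ($k in $keys) {
        if ($k -ne 'RSA PRIVATE KEY') {
            $problems += "key block is '$k', not 'RSA PRIVATE KEY'"
        }
    }
    # A traditional-format key can keep the RSA label and still be encrypted;
    # OpenSSL marks that with a Proc-Type header inside the block.
    if ($text -match '(?m)^Proc-Type:\s*4,ENCRYPTED') {
        $problems += 'key block carries a Proc-Type: 4,ENCRYPTED header'
    }
    if ($certs.Count -lt 1) { $problems += 'no CERTIFICATE block found' }

    [pscustomobject]@{
        Labels           = $labels
        CertificateCount = $certs.Count
        Ok               = ($problems.Count -eq 0)
        Problems         = $problems
    }
}

# Constructed sample with placeholder bodies, not real key material.
$sample = Join-Path $env:TEMP 'pa-workspace-sample.pem'
@'
-----BEGIN ENCRYPTED PRIVATE KEY-----
(...Encrypted Private Key...)
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(...Primary Certificate...)
-----END CERTIFICATE-----
'@ | Set-Content -LiteralPath $sample

Test-PaWorkspacePem -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```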
Since the only solution is to include the unencrypted private key, it is crucial to lock down access to the pa-workspace.pem file by OS means, so that only the user who runs PA Workspace and administrators can access it.
Avoid showing this file on screen during a remote session, and never send this file to anyone (even IBM) unless the PRIVATE KEY section has first been deleted manually.
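One way to apply and verify that lock-down on Windows, as an added example that is not part of the IBM technote. The function name Get-UnexpectedPemAccess is hypothetical, the file is a constructed stand-in, and the current user stands in for the account that runs PA Workspace; the group name assumes an English-language Windows installation.

```powershell
# Added example: list Allow entries on the PEM file for anyone outside an allow-list.
function Get-UnexpectedPemAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Allowed
    )
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $Allowed -notcontains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Constructed stand-in; in practice point $pem at
# <PA_Workspace>/config/ssl/pa-workspace.pem.
$pem = Join-Path $env:TEMP 'pa-workspace-acl-sample.pem'
Set-Content -LiteralPath $pem -Value 'placeholder, not a key'

# Assumptions: English group name; current user = account running PA Workspace.
$admins  = 'BUILTIN\Administrators'
$service = "$env:USERDOMAIN\$env:USERNAME"

'Before:'; Get-UnexpectedPemAccess -Path $pem -Allowed $admins, $service

# Drop inherited entries, then grant only the two expected principals.
icacls $pem /inheritance:r /grant:r "${admins}:(F)" "${service}:(R)" | Out-Null

'After:';  Get-UnexpectedPemAccess -Path $pem -Allowed $admins, $service
Remove-Item -LiteralPath $pem -Force
```

An empty "After:" listing means no principal other than the two expected ones holds an Allow entry on the file.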
Document Location
Worldwide
Document Information
Modified date:
20 September 2021
UID
ibm13433737