HCL SafeLinx 1.1.1 & HTTP Strict-Transport-Security

After a SafeLinx deployment I wanted to set the HTTP Strict-Transport-Security header, but there was nothing in the documentation about it, and I also could not find any option for it in the SafeLinx Administrator client settings. So I opened a support case.

According to support, you can use the command line on the HCL SafeLinx server to set the HTTP Strict-Transport-Security header, as well as any other custom token header. Example command:

chwg -s ibm-wlHttpService -l http-serviceX -a hcl-strictTransSec=TRUE -a hcl-httptokens="MyToken: my value" -a hcl-httptokens="MyToken2: my value2"

As of the upcoming HCL SafeLinx 1.1.1 release, which is coming next week, there is going to be a form to set it in the HCL SafeLinx Administrator client. Also, the HTTP Strict-Transport-Security header will be enabled by default in this release. Yay! 🙂
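Once the header is set, it is worth checking what the http-service actually returns. The following check is an added example, not code from the post or from HCL: it parses the Strict-Transport-Security value and confirms that the extra hcl-httptokens headers come back verbatim. The one-year max-age threshold and the sample response are assumptions.

```python
"""Check the headers a SafeLinx http-service returns after the chwg change."""
import re

# Assumed threshold: one year, the max-age the browser HSTS preload list requires.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives (RFC 6797)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                result["max_age"] = int(m.group(1))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def check_headers(headers, expected_tokens=()):
    """Return findings for a list of (name, value) response headers; [] means OK."""
    findings = []
    lower = {name.lower(): value for name, value in headers}
    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing (hcl-strictTransSec not in effect?)")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None:
            findings.append("HSTS header has no valid max-age; browsers ignore it")
        elif parsed["max_age"] < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {parsed['max_age']} is below {MIN_MAX_AGE}")
        if not parsed["include_subdomains"]:
            findings.append("HSTS does not cover subdomains (includeSubDomains absent)")
    # Extra headers set with hcl-httptokens should come back verbatim.
    for token_name, token_value in expected_tokens:
        if lower.get(token_name.lower()) != token_value:
            findings.append(f"custom header {token_name!r} missing or different")
    return findings


# Constructed sample of what a correctly configured service might return.
SAMPLE_OK = [("Server", "HCL Verse via SafeLinx"), ("MyToken", "my value"),
             ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
```

Against a live service, feed it the header lines from `curl -sI https://<your-safelinx-host>/` split into (name, value) pairs.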

HCL Safelinx – Untrusted Certificate Issue

A few days ago I came across a rather weird issue with HCL Safelinx and HCL Domino. After setting up HCL Safelinx, it was not possible to access the websites hosted by an HCL Domino server. The user would just get an HTTP error, “503 – Service Unavailable”.

I checked the network first: no issues there, Safelinx could reach the Domino server on port 443 without any problems. The SSL certificates of both Domino and Safelinx were trusted, browsers (Firefox, Chrome, …) showed no warnings, and a quick check with “openssl” didn’t reveal any problems either. The SSL cipher configuration was also OK, on both Safelinx and Domino.

After turning on all possible trace and debug settings on Safelinx, the following errors could be observed:

75613:936171264 (Sep 18 2020/10:06:12.4153)[WARN] SSLPort::raw_connect: open returns rc=414 (Unknown error — 414)
75613:936171264 (Sep 18 2020/10:06:12.4154)[ERROR] SSLPort: failed to open secure connection (rc = 414)–> <Domino_Server_IP>:443
75613:936171264 (Sep 18 2020/10:06:12.4154)[LOG] SSLPort::connect: (return), rc=-1
75613:936171264 (Sep 18 2020/10:06:12.4154)[WARN] HTTP-AS: failed to connect to server ‘<Safelinx_Server_IP>:56796 –> <Domino_Server_Hostname>:443’ (Unknown error — 0)
75613:936171264 (Sep 18 2020/10:06:12.4155)[DEBUG] setup connection, elapsed time: 23ms
75613:936171264 (Sep 18 2020/10:06:12.4155)[WARN] http-service1: failed to setup back end connection, elapsed time: 23ms [<Username>]
75613:936171264 (Sep 18 2020/10:06:12.4156)[HTTPAS]httpServerResponse: HTML pkt size: 2787
HTTP/1.1 503 Service Unavailable
Server: HCL Verse via SafeLinx
Connection: close
Content-Type: text/html; charset=utf-8

I set some Domino HTTP debug parameters, but I had to wait for a window in which I could restart the Domino HTTP task. In the meantime I decided to try the “Accept untrusted certificates from internal servers” setting on HCL Safelinx.

Screenshot of the Safelinx setting.

And guess what, after restarting Safelinx, the users could access Domino Web applications without any issues.

I hope this saves you some time. 🙂