WebLM and AAM 1

[bignose21]

We have 3 duplex CM's that are located in Asia, Europe, and US from these we are deploying several survivable sites. The first was deployed along with the System Manager and uses the SMGR as its WebLM, all is ok there. The new Duplex's that are deployed in Asia and US have also had standalone WebLM deployed with them as each location has AAM which doesn't support centralized licensing. The problem I have is both AAM have License errors even though each WebLM has AAM Licenses loaded. I think it is probably a certificate issue (not sure). I did save the certificate from the WebLM browser and added it as a TM_INBOUND_TLS trusted certificate to the System Manager in the inventory as described in the WebLM deployment.

So far the AAM has been deployed with the 7.1 OVA and Patches added to SP2 and pr req CM patches were done. Added the SMGR CA certificate to the Trusted Certs and created an endpoint certificate in SMGR and put that in the server/application certificates.

 

[bignose21]

I did the same for the CM's which are on the same WebLM as the AAM (did not go for centralized licensing on CM as we were deploying the WebLM's anyway for the AAM) and the CM got its license ok (CM and WebLM are 8.0)

 

[kyle555]

I've noticed once that deploying AAM 7.1 OVA didn't fill in the hostname from the OVA template, so it was empty in server role and it made WebLM refuse it because WebLM always logs the hostname of the requesting entity.

So, adding the right hostname in server role fixed something like that once for me.

 

[bignose21]

So there isn't a server role option but there was no Hostname in the network settings like you say it was not configured, I added it but it didn't make a difference (I stoped messaging and restarted the server for good measure but still the same). In CM you set the SID to match the one on the license under server role, can the same be done on the AAM considering that I do not have a server role option?

 

[kyle555]

yeah, that's what I meant. weblm has a log file - i'd look there.

I believe new WebLM now has its own little CA if you have to use it standalone and you probably can't easily get the CA cert. If you can wireshark your Windows PC making a TLS handshake and extract the CA cert like this:

https://security.stackexchange.com/...i-extract-the-certificate-from-this-pcap-file

You could try adding that to AAM's trusted CAs

 

[bignose21]

Ok so i got it working so here goes if you look in WebLM server CLI

/opt/Avaya/JBoss/wildfly-10.1.0.Final/standalone/configuration/standalone.xml

if you look at the the security realm for the WebLM

You can see it is using a self signed Cert "weblmselfsigned.p12" so you can go to you SMGR and much the same as you would for a CM produce an new endpoint INBOUND_OUTBOUND_TLS CERT which produces a new .p12 Certificate when you create the keystore in public web. SFTP the file over to the WebLM and put it in the folder:

/opt/Avaya/JBoss/wildfly-10.1.0.Final/avmgmt/configuration/weblm/admin/mynewcert.p12

Then SSH to the WebLM and su to root user then:

root >service jboss stop
root >cd /opt/Avaya/JBoss/wildfly-10.1.0.Final/standalone/configuration
root >vi standalone.xml <--other text editors are available I use vi as its fairly simple and on all/most linux OS

alter the cert in the standalone.xml (big gap between mynewcert and .p12 is just because i removed the real cert name)

And save the standalone.xml

root >service jboss start

go back to AAM Stop Messaging, reboot server and heh presto license state normal

 

[kyle555]

Good on ya for finding that! Was it in the weblm standalone doc?

 

[bignose21]

Yep in the "Administering standalone Avaya WebLM" for Release 8.0 (version I was using was dated July 2019) on page 47 "Replacing SIP CA or self-signed certificate with third-party certificate" then just made the rest up