SSL Handshake error on vCloud Air configuring Pivotal Cloud Foundry

When installing PCF 1.3.2 on vCloud Air I ran into an “SSL Handshake error”
when attempting to access the Cloud Foundry Ops Mgr setup page.

https://23.92.99.98/setup
Firefox reported the following error:

“The connection was Interrupted”
The connection was interrupted while the page was loading.
The site could be temporarily unavailable or too busy.
Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy,
make sure that Firefox is permitted to access the Web.

A quick test with openssl verified the issue:

$  openssl s_client  -connect 23.92.99.98:443
CONNECTED(00000003)
140694674667168:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 0 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher    : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1415297890
Timeout   : 7200 (sec)
Verify return code: 0 (ok)

Resolution:
Each vCloud Air Virtual Data Center includes two public IP addresses on the Gateway Appliance.
During setup for Pivotal Cloud Foundry,
NAT rules are configured to map one of the IPs to the PCF Ops Manager
and the other IP to the gateway load balancer.

Apparently the two public IPs are not equivalent.
If you encounter the SSL error above, change the Gateway NAT rules to reverse the IP mappings
so that the IP currently mapped to the gateway load balancer (the router) is mapped to Ops Manager.

For example, given two Gateway IPs of

23.92.99.98
23.92.99.99

and Ops Manager on 192.168.109.2 and the Gateway Load Balancer on 192.168.109.10,
the original NAT rules are:

Applied on   Type   Original IP    Original port   Translated IP    Translated port   Protocol
d2p3-ext     DNAT   23.92.99.98    Any             192.168.109.2    Any               TCP
d2p3-ext     DNAT   23.92.99.99    Any             192.168.109.10   Any               TCP

Change the NAT rules to:

Applied on   Type   Original IP    Original port   Translated IP    Translated port   Protocol
d2p3-ext     DNAT   23.92.99.98    Any             192.168.109.10   Any               TCP
d2p3-ext     DNAT   23.92.99.99    Any             192.168.109.2    Any               TCP
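Before swapping the DNAT rules it helps to know which of the two public IPs actually completes a TLS handshake. The script below is an added example, not part of the original post: it runs the same openssl s_client test against each gateway IP and classifies the output. The function names (classify_s_client_output, probe_tls) are my own; the IPs are the ones from the post, and the two sample outputs are constructed for offline testing (the failed one is abbreviated from the s_client output shown above, the successful one is invented).

```shell
#!/bin/sh
# Added example (not the post's own code): probe the vCloud Air gateway IPs
# with `openssl s_client` and report which one completes a TLS handshake.

# Constructed sample: the handshake-failure output from the post, abbreviated.
SAMPLE_FAILED='CONNECTED(00000003)
140694674667168:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
no peer certificate available
New, (NONE), Cipher is (NONE)
SSL handshake has read 0 bytes and written 0 bytes'

# Constructed sample: what a completed handshake looks like (hostname invented).
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = ops-manager.example.test
verify return:1
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL handshake has read 1234 bytes and written 456 bytes'

# Classify captured `openssl s_client` output read from stdin.
# Prints one of: ok (exit 0), handshake-failure (exit 1), unknown (exit 2).
classify_s_client_output() {
    out=$(cat)
    # A failed handshake leaves the error line and "Cipher is (NONE)".
    case "$out" in
        *"ssl handshake failure"*|*"Cipher is (NONE)"*)
            echo "handshake-failure"
            return 1 ;;
    esac
    # A successful handshake names the negotiated cipher on the "New," line.
    if printf '%s\n' "$out" | grep -Eq '^New, .*Cipher is [A-Z0-9_-]+'; then
        echo "ok"
        return 0
    fi
    echo "unknown"
    return 2
}

# Run the live probe against one host:port and classify the result.
# </dev/null closes stdin so s_client exits right after the handshake.
probe_tls() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" </dev/null 2>&1 | classify_s_client_output
}

# Only touch the network when explicitly asked, so the file can be sourced
# or tested without reaching the gateway.
if [ "${1:-}" = "--probe" ]; then
    shift
    for ip in "$@"; do
        printf '%s: %s\n' "$ip" "$(probe_tls "$ip" 443)"
    done
fi
```

Run it as `sh probe_gateway_tls.sh --probe 23.92.99.98 23.92.99.99`. If the IP you mapped to Ops Manager reports handshake-failure while the other reports ok, swap the translated IPs in the two DNAT rules as described above and re-run the probe to confirm.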

Welcome

Welcome to my new blog. The primary goal of this blog is to share middleware technology experiences by providing both quick tutorials on new cool technologies and solutions to tricky issues.
The blog serves us all: I won’t forget what the heck I did,
and others can save some precious time.

Well, enough of the formalities, I hope you find the content useful.