WaveSync is a major component of Wisenet Wave and extends the functionality of Wave Systems by providing cloud services hosted on the internet. WaveSync allows users to access their Wave system from an external network without enabling port forwarding. Users can connect to their Wave Systems via all of the Wave Clients we offer (Wave Desktop Client, Wave Mobile, Wave WebAdmin, and the WaveSync Portal).
A cloud-connected Wave System can be accessed via direct IP address if applicable, STUN, or through the Wave mediator, a relay service developed by Wisenet Wave which is hosted on Amazon Web Services (AWS). While a system is connected to WaveSync, the Wave Client shows its connection status: “Offline”, “Unreachable”, or just a cloud icon, which means the system is ready to connect.
What does “unreachable” or “offline” mean to a WaveSync System?
Offline means the Wisenet Wave System is not able to communicate with WaveSync and the System is not available at the moment. This can happen because the server has not started, the connection is completely cut off, or the Client is not connected to the internet.
Unreachable means the Wave System is online and in a working state, but the Client cannot connect to it through WaveSync. This can have various causes and may be solved by simple actions depending on the situation.
Most common connection issues WaveSync Systems encounter
Firewall Configuration / Networking Restriction
Although WaveSync does not need extra configuration to work in a general networking environment, sometimes we see that a required service is blocked by the enterprise/local network firewall.
For example, some companies block outgoing/incoming connections to any URL that wasn’t granted specific permission, preventing necessary communication from Wisenet Wave Mediator and Wave Relay, leading to a loss of connection between the Wave System and Clients.
Solution:
To solve or confirm this issue, we provide a connection test tool that lets users check their connection availability (link at the bottom of this page). The tool reports the results of connectivity tests to all the publicly trusted services used by WaveSync and Wisenet Wave. Ideally, all connections pass and the required ports are all open. If any URL in the result is blocked, please talk to your networking technician to allow the traffic to pass through the firewall.
Self-signed Certificates
High security locations sometimes have very strict network policies. Not only will the incoming/outgoing traffic be limited, but devices are required to reside within the enterprise network or use a certified SSL certificate to be able to access the enterprise network.
By default, Wisenet Wave uses self-signed certificates. In some cases this can prevent the System from accessing the network if the Wave Client is on an external network.
Alternatively, if you upgraded your Wisenet Wave System from an older version (e.g. 4.2 or before), the self-signed certificate could have expired, so HTTPS connections cannot be established.
Solution:
- If the issue is due to the self-signed certificate expiring:
a. Stop the Wisenet Wave service.
b. Navigate to the directory for the Wave Server SSL certificate.
Windows
C:\Windows\System32\config\systemprofile\AppData\Local\<%COMPANY.NAME%>\<%COMPANY.NAME%> Media Server\ssl
Ubuntu
/opt/<%INSTALLER.NAME%>/mediaserver/var/ssl
c. Delete default.pem (cert.pem if your version is 4.2 or before) to remove the old certificate.
d. Start Wave Server, and it will create a new certificate with an updated expiration.
NOTE: If the issue is not resolved, please try to delete the certificates (default.pem or cert.pem) again and then restart the machine once more.
Root CA Certificates
If you are using the Windows platform (e.g. Windows 10/11/IoT/Server, etc.), you might sometimes encounter an issue where a root CA certificate has expired or required certificates are missing. This can prevent your system from establishing the connection with AWS correctly. It usually does not affect daily internet browsing, but it can be an issue when you access services that force secure connections (HTTPS) or services that run on the public cloud.
Some of our cloud services use HTTPS certificates provided by the Let’s Encrypt service, and there is a known issue that the root CA used by Let’s Encrypt expired.
In Wisenet Wave 5.0, we enabled certificate verification for any outgoing connection from Wave Server to the WaveSync services. This security enhancement greatly reduces the chances of a man-in-the-middle (MITM) attack on the Wave Server and improves the security level of our software.
If you update your system to Wisenet Wave 5.0 and it unexpectedly becomes unreachable via cloud connection, it is likely that Wave Server faces a certificate verification issue. Wave Server relies on the OS to provide a list of trusted root certificates. If you’re using an older Windows version without the latest updates, the OS is likely missing either some required Root CA certificates or the new root certificate ISRG Root X1 (sometimes both), and you would need to add them to the system.
DST Root CA X3 Expiration (September 2021)
In rare cases, you might encounter unexpected issues when both ISRG Root X1 and DST Root CA X3 are present in the system, so you may need to delete the expired DST Root CA X3 certificate from your OS.
To quickly check if you are facing this issue, try to access this URL from the exact machine which has Wave Server installed. You can use any browser (e.g. Google Chrome, Firefox, Edge, etc.) to see if an HTTPS warning is shown. If the browser shows the security warning, it is highly likely that you need to add the ISRG Root X1 certificate to your Windows machine.
Solution A:
- Search certmgr.exe and launch the application.
- Navigate to Trusted Root Certification (usually the 2nd node).
- Delete DST ROOT CA X3
- Make sure ISRG Root X1 is present. If it is missing, see Solution B.
Solution B:
1. Download the latest modern certificate isrgrootx1.der.
2. Open the downloaded certificate and click Install Certificate.
3. In the Certificate Import Wizard, select Local machine.
4. Choose Place all certificates in the following store.
5. Select Trusted Root Certification Authorities and select OK.
6. After you see the import success dialog, restart the Wave Server, or restart the machine. The issue should be resolved.
Missing Starfield Root CA certificates
In certain cases, the Windows platform may have fewer built-in Trusted Root CA certificates installed, particularly on versions with strict security control, such as Windows Server 2019. The lack of required certificates may result in an incomplete trust chain, so the SSL validation process may fail when communicating with the WaveSync service.
To check if you have the necessary Root CA certificate installed in a certain server, please follow the steps described below:
1. Search certmgr.exe and launch the application.
2. Navigate to Trusted Root Certification (usually the 2nd node).
3. Make sure the Starfield Root Certificate Authority - G2 and Starfield Class 2 Certification Authority are present. If they are missing, follow steps 4 - 9 to install them manually.
4. Download the certificates from the following link:
- Starfield Class 2 Certification Authority
- Starfield Root Certificate Authority - G2
5. Open the downloaded certificates and click Install Certificate one by one.
6. In the Certificate Import Wizard, select Local Machine.
7. Choose Place all certificates in the following store.
8. Select Trusted Root Certification Authorities and select OK.
9. After you see the import success dialog, please restart the Wave Server application, or restart the machine. Then the certificates will be applied and your issue should be resolved.
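The manual store checks in the DST Root CA X3 and Starfield sections above can also be done in one read-only pass from PowerShell. This is an added example, not a Wisenet Wave tool: the function name Test-WaveRootStore and the sample objects are assumptions made for illustration, and the certificate names are the ones given on this page.

```powershell
# Added example: read-only audit of the Local Machine trusted-root store
# for the certificates this page names. It changes nothing.
function Test-WaveRootStore {
    param(
        # Default: Local Machine "Trusted Root Certification Authorities".
        [object[]]$Certificates = (Get-ChildItem -Path Cert:\LocalMachine\Root)
    )
    $now = Get-Date
    # Names as written on this page; $true = the page wants it present.
    $expected = [ordered]@{
        'ISRG Root X1'                              = $true
        'Starfield Root Certificate Authority - G2' = $true
        'Starfield Class 2 Certification Authority' = $true
        'DST Root CA X3'                            = $false
    }
    foreach ($name in $expected.Keys) {
        # Match anywhere in the subject rather than assuming a CN= field.
        $found = @($Certificates | Where-Object { $_.Subject -like "*$name*" })
        $valid = @($found | Where-Object { $_.NotAfter -gt $now })
        $status = if ($expected[$name]) {
            if ($valid.Count -gt 0) { 'OK' } elseif ($found.Count -gt 0) { 'EXPIRED' } else { 'MISSING' }
        } elseif ($found.Count -gt 0) { 'PRESENT (page advises deleting it)' } else { 'OK (absent)' }
        [pscustomobject]@{
            Certificate = $name
            Status      = $status
            NotAfter    = ($found | Sort-Object NotAfter | Select-Object -Last 1).NotAfter
            Thumbprint  = $found.Thumbprint -join ', '
        }
    }
}

# Constructed sample store (not real certificates) to show the report shape.
$sample = @(
    [pscustomobject]@{ Subject = 'CN=DST Root CA X3, O=Example'
                       NotAfter = [datetime]'2021-09-30'; Thumbprint = 'SAMPLE-01' }
    [pscustomobject]@{ Subject = 'OU=Starfield Class 2 Certification Authority, O=Example'
                       NotAfter = (Get-Date).AddYears(5); Thumbprint = 'SAMPLE-02' }
)
Test-WaveRootStore -Certificates $sample | Format-Table -AutoSize

# On the machine that runs Wave Server, audit the real store:
# Test-WaveRootStore | Format-Table -AutoSize
```

Any row reported as MISSING or EXPIRED corresponds to a certificate to install with the import steps above, and the DST Root CA X3 row corresponds to Solution A.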