Layer7 Access Management

Tech Tip : CA Single Sign-On : Browser gets randomly error 500

  • 1.  Tech Tip : CA Single Sign-On : Browser gets randomly error 500

    Posted 05-22-2019 04:49 AM

    Issue:

     

    We're running CA Access Gateway (SPS) and randomly users gets return
    code 500 in the browser and we want to know why and how to fix this.

     

    Cause:

     

    The Policy Server fails to verify the certificate, because the CA Root

    certificate is outdated, and as such it returns an error to SPS which
    sends back to the browser 500 code :

     

    smtracedefault.log:

     

    [05/02/2019][14:36:11.637][14:36:11][8093][4001557360][AuthnRequestProtocol.java]
    [verifySignatureOnRequest][126359be-0239c034-8cc7d9da-5168aea0-ba8fa1ed-4b][][][]
    [][][][][][][][][][][][][][][][][Exception processing signature:
    Verifying certificate has expired][][][][][][][][][][][][][][][][][][][][][][][]
    [][][][][][][][][][][][][][]

    and the lines before mentioned the certificate in usage :

     

    DSigVerInfoSerialNumber=12ef11b2
    DSigVerInfoIssuerDN=CN=myname,OU=myunit,O=myorganization,L=mycity,ST=mystate,C=mycountry,

     

    Exporting the Policy Store data (XPSExport), we can find the details
    of the certificate. Using Openssl to read it, then we notice that
    this transaction uses the following certificate which is out dated :

     

    <Property Name="CA.CDS::Certificate.Alias">
    <StringValue>my.cert.in.prod</StringValue>
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 552568247 (0x12ef11b2)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = mycountry, ST = mystate, L = mycity, O = myorganization, OU = myunit, CN = myname
    Validity
    Not Before: Jan 22 07:00:00 2018 GMT
    Not After : Apr 15 07:00:00 2018 GMT
    Subject: C = mycountry, ST = mystate, L = mycity, O = myorganization, OU = myunit, CN = myname
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption

    Resolution:

     

    - In the AdminUI, from your certificates, find the ones signed with
    this outdated certificate :

     

    <Property Name="CA.CDS::Certificate.Alias">
    <StringValue>my.cert.in.prod</StringValue>

    Serial Number: 552568247 (0x12ef11b2)
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = mycountry, ST = mystate, L = mycity, O = myorganization, OU = myunit, CN = myname
    Validity
    Not Before: Jan 22 07:00:00 2018 GMT
    Not After : Apr 15 07:00:00 2018 GMT
    Subject: C = mycountry, ST = mystate, L = mycity, O = myorganization, OU = myunit, CN = myname
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption

     

    and change in agreement with your partner the certificate, by
    getting a new certificate signed with an up-to-date CA Root
    certificate.

     

    KB : KB000132519