Hello All -
Please find the (very long) details of the issue I am facing. I have opened a case with CA Support as well, but thought of asking in the Community as well.
CA Directory "Company-CA certificates" not working for User Store Routers
At a client, we recently had the direction to move from internal dxcertgen-generated certificates to the company's CA certs. I have been trying to set them up based on the various dispersed ideas/issues/directions available in the documentation and communities. Presently, we are stuck with issues while trying to connect via the router DSAs. (There are 4 router and Data DSAs each in scope).
Configuration -
Obtained the certificate from the corporate system: a generic DSA certificate (both Server and Client authentication, with all DSA entries in the SAN) with private key, and the root certificates (root, policy, issuing).
Updated the directory configuration: importca to add these root certs into trusted.pem, and the DSA certificate (private key not password protected; the password was removed from the key using the openssl rsa -in key -out key command) used as a generic certificate (cert-file).
FIPS is false, and ssl-auth-bypass-entry-check is set to true.
All DSA Settings file -
set alias-integrity = true;
set multi-casting = true;
set always-chain-down = false;
set min-auth = clear-password;
set allow-binds = true;
set ssl-auth-bypass-entry-check = true;
set force-encrypt-auth = true;
set force-encrypt-anon = true;
set multi-write-retry-time = 60; # this is the default value
set op-attrs = true;
All DSA ssld settings file -
set ssl = {
cert-file = "config/ssld/personalities/CAIdMUserStoreDSA.pem"
ca-file = "config/ssld/trusted.pem"
fips = false # enables FIPS 140-2 compliant encryption
};
Data DSA Knowledge file -
auth-levels = clear-password
dsp-idle-time = 3600
dsa-flags = multi-write, no-service-while-recovering
trust-flags = allow-check-password, allow-upgrading, trust-conveyed-originator
link-flags = ssl-encryption-remote
Router DSA Knowledge file -
auth-levels = clear-password
dsp-idle-time = 3600
dsa-flags = relay
trust-flags = trust-conveyed-originator
link-flags = ssl-encryption-remote
Validation -
dxcertgen report shows certificates as valid
openssl -purpose command shows the trusted PEM to have SSL Server CA and SSL Client CA to be true.
Same command on the DSA generic cert shows SSL Server and SSL Client to be true.
I have validated that the Issuer entry in the DSA cert matches with the Subject of trusted.pem
All DSAs start up without any errors in the logs.
Observation -
After this change, I can connect to any data DSA through an LDAP Browser.
However, trying to connect to the router DSAs does not work and shows 49: Invalid Credentials at the browser.
Router DSA logs show -
Summary Log
[6] 20180227.184619.517 #000.000 (BIND) : 10.113.131.228 COM/COMPANY/DSAADMIN : Security Error 2 Data
Warn log
[6] 20180227.184527.242 WARN : Verify error 2: unable to get issuer certificate
[6] 20180227.184527.242 WARN : SSL Error
[6] 20180227.184527.242 WARN : 7fb6180008f8- 16030300 3a020000 360303fc 171ddca6 ....:...6.......
[6] 20180227.184527.242 WARN : 7fb618000908- 96cd30d8 806f4b02 6f3f819c 2b859a3f ..0..oK.o?..+..?
[6] 20180227.184527.242 WARN : 7fb618000918- 3b321f67 a06db2d4 a04f0e00 009f0000 ;2.g.m...O......
[6] 20180227.184527.242 WARN : 7fb618000928- 0eff0100 01000023 0000000f 00010116 .......#........
[6] 20180227.184527.242 WARN : 7fb618000938- 0303127e 0b00127a 00127700 09cc3082 ...~...z..w...0.
[6] 20180227.184527.242 WARN : 6:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:
[6] 20180227.184527.242 WARN : ssld_ssl_request failed
[6] 20180227.184527.242 WARN : Remote DSA 'dsaname01' aborted
[6] 20180227.184527.242 WARN : Marking DSA 'dsaname01' as down.
Data DSA Summary Log -
[4] 20180228.105611.357 WARN : TLS/SSL handshake failed for call from 192.168.192.44:54502
Please let me know what is causing this error to show up, and if anyone has faced this before. Thank you in advance!
Thanks,
Samarjit.
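Added example (not part of the original post and not CA Directory code): a shell script that reproduces OpenSSL verify error 2 with a constructed root -> issuing CA -> DSA chain and compares three candidate trusted.pem bundles. In OpenSSL, verify error 20 means the leaf's issuer was not found at all, while error 2 (the router's "unable to get issuer certificate") means a certificate from the trust file was reached but its own issuer was not, so the bundle does not chain up to a self-signed root. The CA names and the DSA subject are constructed; the only assumption is that openssl (1.1.0 or later) is on PATH.

```shell
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
REQ="openssl req -config req.cnf -newkey rsa:2048 -nodes"

# Constructed chain: self-signed root CA -> issuing CA -> generic DSA certificate.
$REQ -x509 -days 1 -extensions ca_ext -subj "/CN=Example Root CA" \
  -keyout root.key -out root.pem 2>/dev/null
$REQ -new -subj "/CN=Example Issuing CA" -keyout issuing.key -out issuing.csr 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 \
  -extfile req.cnf -extensions ca_ext -out issuing.pem 2>/dev/null
$REQ -new -subj "/CN=dsa01.example.test" -keyout dsa.key -out dsa.csr 2>/dev/null
openssl x509 -req -in dsa.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial -days 1 \
  -out dsa.pem 2>/dev/null

# verify_chain TRUSTED_PEM LEAF_PEM: print the OpenSSL verify error number (0 = OK).
# This is the same chain check a DSA applies to its peer's certificate against ca-file.
verify_chain() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case "$out" in
    *": OK"*) echo 0 ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# Three candidate trusted.pem bundles:
cat issuing.pem          > trusted_no_root.pem     # issuing CA present, but its own issuer is missing
cat root.pem             > trusted_no_issuing.pem  # root only, the leaf's issuer is missing
cat root.pem issuing.pem > trusted_full.pem        # complete chain up to a self-signed root
for t in trusted_no_root trusted_no_issuing trusted_full; do
  # Expected: trusted_no_root -> 2 (unable to get issuer certificate, the router's error),
  # trusted_no_issuing -> 20 (unable to get local issuer certificate), trusted_full -> 0.
  echo "$t: verify error $(verify_chain "$t.pem" dsa.pem)"
done
```

Running the same openssl verify with the real trusted.pem as -CAfile and the cert-file PEM as the leaf shows which of the three outcomes the DSAs' bundle produces.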