Symantec IGA


CA Directory - Issue with SSL (External CA Certificates)

  • 1.  CA Directory - Issue with SSL (External CA Certificates)

    Posted 02-28-2018 06:11 AM

    Hello All - 

     

    Please find the (very long) details of the issue I am facing. I have opened a case with CA Support as well, but thought of asking in the Community as well. 

     

    CA Directory "Company-CA certificates" not working for User Store Routers

     

    At a client, we recently had the direction to move from internal dxcertgen-generated certificates to the company's CA certs. I have been trying to set them up based on the various dispersed ideas/issues/directions available in the documentation and communities. Presently, we are stuck with issues while trying to connect via the router DSAs. (There are 4 router and Data DSAs each in scope). 

     

    Configuration -

    Obtained the certificate from the corporate system - generic DSA certificate (both Server and Client authentication, with all DSA entries in SAN) with private key, root certificates (root, policy, issuing).

    Updated the directory configuration (importca to add these root certs into trusted.pem, and use the DSA certificate (pvt key not password protected - removed the password from the key using openssl rsa -in key -out key command) being used as a generic certificate (cert-file)).

    FIPS is false and set ssl-auth-bypass-entry-check = true

     

    All DSA Settings file - 

    set alias-integrity = true;

    set multi-casting = true;
    set always-chain-down = false;

    set min-auth = clear-password;
    set allow-binds = true;
    set ssl-auth-bypass-entry-check = true;
    set force-encrypt-auth = true;
    set force-encrypt-anon = true;

    set multi-write-retry-time = 60; # this is the default value

    set op-attrs = true;

     

    All DSA ssld settings file - 

     

     

    set ssl = {
    cert-file = "config/ssld/personalities/CAIdMUserStoreDSA.pem"

    ca-file = "config/ssld/trusted.pem"

    fips = false # enables FIPS 140-2 compliant encryption

    };

     

    Data DSA Knowledge file - 

    auth-levels = clear-password

    dsp-idle-time = 3600
    dsa-flags = multi-write, no-service-while-recovering
    trust-flags = allow-check-password, allow-upgrading, trust-conveyed-originator
    link-flags = ssl-encryption-remote

     

    Router DSA Knowledge file -

    auth-levels = clear-password
    dsp-idle-time = 3600
    dsa-flags = relay
    trust-flags = trust-conveyed-originator
    link-flags = ssl-encryption-remote

     

    Validation -

    dxcertgen report shows certificates as valid

    openssl -purpose command shows the trusted PEM to have SSL Server CA and SSL Client CA to be true.

    Same command on the DSA generic cert shows SSL Server and SSL Client to be true.

    I have validated that the Issuer entry in the DSA cert matches with the Subject of trusted.pem

    All DSAs start up without any errors in the logs.

     

    Observation -

    After this change, I can connect to any data DSA through an LDAP Browser.

    However, trying to connect to the router DSAs does not work and shows 49: Invalid Credentials at the browser.

     

    Router DSA logs show -

    Summary Log

    [6] 20180227.184619.517 #000.000 (BIND) : 10.113.131.228 COM/COMPANY/DSAADMIN : Security Error 2 Data

     

    Warn log

    [6] 20180227.184527.242 WARN : Verify error 2: unable to get issuer certificate

    [6] 20180227.184527.242 WARN : SSL Error

    [6] 20180227.184527.242 WARN : 7fb6180008f8- 16030300 3a020000 360303fc 171ddca6 ....:...6.......

    [6] 20180227.184527.242 WARN : 7fb618000908- 96cd30d8 806f4b02 6f3f819c 2b859a3f ..0..oK.o?..+..?

    [6] 20180227.184527.242 WARN : 7fb618000918- 3b321f67 a06db2d4 a04f0e00 009f0000 ;2.g.m...O......

    [6] 20180227.184527.242 WARN : 7fb618000928- 0eff0100 01000023 0000000f 00010116 .......#........

    [6] 20180227.184527.242 WARN : 7fb618000938- 0303127e 0b00127a 00127700 09cc3082 ...~...z..w...0.

    [6] 20180227.184527.242 WARN : 6:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:s3_clnt.c:1264:

    [6] 20180227.184527.242 WARN : ssld_ssl_request failed

    [6] 20180227.184527.242 WARN : Remote DSA 'dsaname01' aborted

    [6] 20180227.184527.242 WARN : Marking DSA 'dsaname01' as down.

     

    Data DSA Summary Log - 

    [4] 20180228.105611.357 WARN : TLS/SSL handshake failed for call from 192.168.192.44:54502

     

    Please let me know what is causing this error to show up, and if anyone has faced this before. Thank you in advance!

     

    Thanks,

    Samarjit.
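
Added example, not part of the original post or of CA Directory: the validation above checks `-purpose` and the Issuer/Subject match, but not whether the whole chain builds from the trust bundle, which is what the "Verify error 2: unable to get issuer certificate" line in the warn log is about. The script builds a throwaway root -> policy -> issuing -> DSA chain (all names and files are constructed) and runs `openssl verify` against three trust bundles to show which gap produces error 2 and which produces error 20.

```shell
#!/bin/sh
# Constructed lab PKI: root -> policy -> issuing -> DSA cert. All names are made up.
WORK=$(mktemp -d) && cd "$WORK" || exit 1

cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_dsa]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth,clientAuth
EOF

# issue NAME ISSUER EXTENSIONS: create NAME.key and NAME.pem, signed by ISSUER
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=Lab $1" -config pki.cnf 2>/dev/null &&
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days 2 -extfile pki.cnf -extensions "$3" 2>/dev/null
}

openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Lab root" -days 2 -config pki.cnf -extensions v3_ca 2>/dev/null
issue policy root v3_ca
issue issuing policy v3_ca
issue dsa issuing v3_dsa

cat root.pem policy.pem issuing.pem > full.pem   # complete trust bundle
cat policy.pem issuing.pem > no_root.pem         # direct issuer present, root missing
cat root.pem > root_only.pem                     # direct issuer missing

# chain_verdict BUNDLE CERT: print "OK" or openssl's first numbered error line
chain_verdict() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case $out in
    *": OK") echo OK ;;
    *) printf '%s\n' "$out" | grep -E -m1 '^error [0-9]+' ;;
  esac
}

for b in full no_root root_only; do
  printf '%-10s %s\n' "$b" "$(chain_verdict "$b.pem" dsa.pem)"
done
```

The same `openssl verify -CAfile <bundle> <cert>` check can be pointed at the trust file and certificate that each DSA's configuration actually names.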



  • 2.  Re: CA Directory - Issue with SSL (External CA Certificates)
    Best Answer

    Broadcom Employee
    Posted 02-28-2018 11:46 AM

    Support case 00974640 has been opened for this as stated above.

    What version and service pack of CA Directory is in use? I noticed that the case came under the IDMGR 14.1 product, which doesn't tell us exactly what version of CA Directory is in use, hence the question.



  • 3.  Re: CA Directory - Issue with SSL (External CA Certificates)

    Posted 02-28-2018 01:45 PM

    Thanks for the reply, Hitesh. Here is the version info - 

    dxserver 12.6.00 (build 14043) Linux 64-Bit



  • 4.  Re: CA Directory - Issue with SSL (External CA Certificates)

    Broadcom Employee
    Posted 08-02-2018 06:27 PM

    For those who might run into this....

    The error is due to a certificate error caused by an invalid pem file name in the router configuration.

     

    Look under:

    config/ssld/dxldap.conf