Symantec IGA

  • 1.  How to bypass internal proxy of vApp with SPS and SM in place.

    Posted Sep 28, 2020 07:12 AM

    Hello Team,

    We have configured an SPS instance to connect to the vApp. We have configured the proxy rules so that it connects to the vApp internal proxy on port 443. Please see the proxy rule below, for instance. This configuration works absolutely fine.

    <nete:case value="/iam/"><!-- replace http://server2.company.com with the appropriate destination server -->
    <nete:forward>https://<vapp ip>:443$0</nete:forward>
    </nete:case>
    <nete:case value="/sigma/"><!-- replace http://server2.company.com with the appropriate destination server -->
    <nete:forward>https://<vapp ip>:443$0</nete:forward>
    </nete:case>


    Now, we disabled the internal proxy of the vApp and made the following changes to the proxyrules.xml file, as IAM runs SSL on 8443 and the portal on 8444.

    <nete:case value="/iam/"><!-- replace http://server2.company.com with the appropriate destination server -->
    <nete:forward>https://<vapp ip>:8443$0</nete:forward>
    </nete:case>
    <nete:case value="/sigma/"><!-- replace http://server2.company.com with the appropriate destination server -->
    <nete:forward>https://<vapp ip>:8444$0</nete:forward>
    </nete:case>

    When we now access the URL, the login page is displayed, but the moment the user enters the password we get a noodle exception on the web page, and the logs say something about a handshake error and missing certificates.

    [09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][releaseConnection(): ][Released connection is not reusable.]
    [09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][execute][javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]
    [09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][execute][Retrying to send the request to backend web server.Retry count: 1]
    [09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][execute][Sending request to backend = <vApp IP>:8444 url = <vApp IP>:8444/sigma/app/index]
    [09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][requestConnection(): ][Get connection: {s}->https://<vApp ip>:8444, timeout = 180000]

    From the SPS server.log we have the following:

    [23/Sep/2020:17:31:25-470] [ERROR] - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:331)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.process_record(Handshaker.java:1010)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1079)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1388)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1416)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1400)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.sso.smssl.socket.SMSSLSocketImpl.startHandshake(SMSSLSocketImpl.java:400)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.apache.httpclient.conn.factory.SPSSecureSocketFactory.connectSocket(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.conn.scheme.SchemeLayeredSocketFactoryAdaptor2.connectSocket(SchemeLayeredSocketFactoryAdaptor2.java:62)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.apache.httpclient.conn.factory.SPSConnectionFactory.openConnection(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.connectionpool.ConnectionCapsule.open(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.connectionpool.impl.ConnectionPoolConnAdapter.open(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.apache.httpclient.SPSClient.execute(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.tigris.noodle.ProxyModule.proxyRequest(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.tigris.noodle.Noodle.doGet(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.tigris.noodle.Noodle.service(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:742)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:484)


    We have imported the vApp server certificate into the CA bundle cert file of the instance and in MMC as well. Is there anything we have missed here? Can anyone review and provide any input to us?

    Thanks,
    Shashank



  • 2.  RE: How to bypass internal proxy of vApp with SPS and SM in place.

    Broadcom Employee
    Posted Sep 28, 2020 10:53 AM

    This is mandatory. You are not able to turn off the internal proxy.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-3/ca-identity-suite-reference-architecture/foundation-physical-architecture/base-system-configuration-requirements/solution-component-ports.html



    ------------------------------
    Best regards,

    Scott Owens
    Sr Support Engineer

    ------------------------------
    And, as always, perhaps there are others in the communities who have experience in doing this, and we invite them to comment here also.

    Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio
    ------------------------------