Symantec Access Management


Siteminder X509 cert auth not working with apache

  • 1.  Siteminder X509 cert auth not working with apache

    Posted Jan 02, 2018 11:02 PM

    We have a working SiteMinder web agent for X509 cert auth and are trying to move it from iPlanet to Apache.

    Apache is set up for 2-way SSL and authenticates the client, so if we try an unprotected resource we are prompted for client auth (a client cert installed in the browser) and are able to access the resource.

    When accessing a protected resource, the user is prompted for a client cert, but we can see in the agent trace logs that the certificate details are not captured.

    There is no error in the trace logs, and they show success in capturing cert details, but the captured certificate details are actually blank.

    [Date][Time][Pid][Tid][TransactionID][Function][Message][CertSerial][SubjectDN][IssuerDN][UserDN][User]
    [====][====][===][===][=============][========][=======][==========][=========][========][======][====]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][SmScc::getCredentials][Certificate present][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][SmScc::getCredentials][Success in collecting credentials.][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][AuthenticateUser][User 'unknown' is not authenticated by Policy Server.][][][][][]


    Policy Server logs are not included here but show a blank user while processing the authentication request.

    The Apache error log shows the cert read correctly.

    [Wed Jan 03 13:05:30 2018] [debug] ssl_engine_kernel.c(1306): [client 10.111.6.28] Certificate Verification: depth: 1, subject: /C=AU/O=Test Corporation Limited, ACN 777 777 777/OU=Test, issuer: /C=AU/O=Test Corporation Limited, ACN 777 777 777/OU=Test
    [Wed Jan 03 13:05:30 2018] [debug] ssl_engine_kernel.c(1306): [client 10.111.6.28] Certificate Verification: depth: 0, subject: /C=AU/L=Test Online Customer/CN=TEST ANKUR/serialNumber=E7777777248S2, issuer: /C=AU/O=Test Corporation Limited, ACN 777 777 777/OU=Test


    The browser receives an HTTP 403 for this URL:

    https://testx509.test.com.au/siteminderagent/cert/1514902324/smgetcred.scc?TYPE=16777244&REALM=$SM$%2fTEST%20[01%3a12%3a04%3a2020]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$2I2DJhrj9QLKt%2bTaH4F%2breuqPkV3rDfY2rKi2vmhTHF1mo63weVxtdhGVVijj43C&TARGET=$SM$https%3a%2f%2fsomething%2etest%2ecom%2ftestapp%2ftest%2ejsp

    Complete web agent trace logs here.


    [Date][Time][Pid][Tid][TransactionID][Function][Message][CertSerial][SubjectDN][IssuerDN][UserDN][User]
    [====][====][===][===][=============][========][=======][==========][=========][========][======][====]
    [01/03/2018][13:05:31][1570][3728463840][][Initialize][High Level Agent Initialized.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][ProcessRequest][Start new request.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][][CSmApache22WebFilterCtxt::SetP3PCompactPolicy][P3PCompactPolicy : ''][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmHttpPlugin::ProcessResource][Resolved HTTP_HOST: 'testx509.test.com.au'.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][testx509.test.com.au][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmHttpPlugin::ProcessResource][Resolved hostname: 'testx509.test.com.au'.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][][CSmHttpPlugin::ResolveAgentName][ServerIP is empty.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][][CSmHttpPlugin::ResolveAgentName][DNSLookupDisabled or lookup failed for host 'testx509.test.com.au'][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmHttpPlugin::ProcessResource][Resolved agentname: 'clientsslscithe'.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address '10.111.6.28'.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmHttpPlugin::ProcessResource][Resolved URL: '/siteminderagent/cert/1514945789/smgetcred.scc?TYPE=16777244&REALM=$SM$%2fTEST%20[13%3a16%3a29%3a2459]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$2I2DJhrj9QLKt%2bTaH4F%2breuqPkV3rDfY2rKi2vmhTHF1mo63weVxtdhGVVijj43C&TARGET=$SM$https%3a%2f%2fsomething%2etest%2ecom%2ftestapp%2ftest%2ejsp'.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][][CSmHttpPlugin::AutoAuthorizedUrl][Auto-authorizing resource, matches IgnoreExt filter.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmHttpPlugin::ProcessResource][Autoauthorizing URL : 'https://testx509.test.com.au/siteminderagent/cert/1514945789/smgetcred.scc?TYPE=16777244&REALM=$SM$%2fTEST%20[13%3a16%3a29%3a2459]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=$SM$2I2DJhrj9QLKt%2bTaH4F%2breuqPkV3rDfY2rKi2vmhTHF1mo63weVxtdhGVVijj43C&TARGET=$SM$https%3a%2f%2fsomething%2etest%2ecom%2ftestapp%2ftest%2ejsp' , Method: 'GET' ][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmHttpPlugin::ProcessResource][Resolved METHOD: 'GET'.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmHttpPlugin::ProcessResource][Resolved cookie domain: '.test.com.au'.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmSessionManager::EstablishSession][No plugins responded, returning SmNoAction.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][ProcessRequest][ProtectionManager returned SmNo, end new request.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][ProcessAdvancedAuthentication][Start new request.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address '10.111.6.28'.][][][][][]
    [01/03/2018][13:05:31][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][SmAdvancedAuthCore::parseTargetUrl][Resolved cookie domain '.test.com.au'.][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][IsResourceProtected][Resource is protected from Policy Server.][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmHttpPlugin::ProcessResponses][Processing IsProtected responses.][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][SmScc::getCredentials][Certificate present][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][SmScc::getCredentials][Success in collecting credentials.][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][AuthenticateUser][User 'unknown' is not authenticated by Policy Server.][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmHttpPlugin::ProcessResponses][Processing Authentication responses.][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][ProcessAdvancedAuthentication][AuthenticationManager returned SmNo or SmNoAction, calling ChallengeManager.][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][CSmHttpCredCore::ProcessCertOnlyExit][Invalid certificate credentials.][][][][][]
    [01/03/2018][13:05:32][1570][3728463840][430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43][ProcessAdvancedAuthentication][Challenge Manager returned SmExit, Time to challenge.][][][][][]

    Appreciate any help/idea on where to check.



  • 2.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 02, 2018 11:32 PM

    Can you attach the PS trace log for txn 430f4b0a-0622-5a4c3a6b-de3bd7e0-7e8bf6aee43?



  • 3.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 03, 2018 12:14 AM

    Hi Ujwol,

     

    I have attached the web agent trace and PS trace logs for a new transaction in ca_community_case.zip.



  • 4.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 03, 2018 12:25 AM

    I see only the web agent trace log in the attached zip?



  • 5.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 03, 2018 12:33 AM

    Apologies, please see ca_community_case_updated.



  • 6.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 03, 2018 04:43 PM
    • What is the PS version? I reckon this is an old version, probably r12.0 SP 1 or SP 2?
    • Are these SHA2 certs?

     

    I am pretty sure this is an issue of an unsupported certificate type.

     

    The error on the PS side is:

     

    [01/03/2018][15:47:14.086][SmAuthCert.cpp:3581][parseCert][][Failure in RSA Cert-C library getting Cert Fields][][][][][1826][][][][][][][][][][][][][][][][][][][][15:47:14][26011][29][][][][]



  • 7.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 03, 2018 06:21 PM

    Hi Ujwol,

     

    Yes, it's a very old Policy Server (6.0 SP5). Just the last few sites are left on this PS.

     

    We have cert authentication working on the same Policy Server with a web agent running on the iPlanet 6.1 web server.

    The issue is faced when we try X509 on the Apache web agent.

     

    Client certificates are SHA1, but again the PS can process them when going through the agent installed on SunONE.

     

    Do you know why we don't see certificate details in either the web agent trace or the PS? Apache certainly processes the cert and reads it (we can see the details in the error logs).

     

    Working scenario --> web server (SunONE 6.1), web agent (4qmr5). Yes, this old an agent exists ☺

     

    Not working --> Apache 2.2 with agent 6qmr5cr10.

     

    Would you know if traditional agents have issues or don't work with SHA1 client certs?



  • 8.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 03, 2018 06:34 PM

    Wow, that's terrific.

     

    So, same PS + client + lower agent + different web server works..

    Then it looks more like a web server issue..

    Can we match the same agent version for Apache?



  • 9.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 03, 2018 07:46 PM

    I don't think 4qmr agent binaries exist anywhere for Apache.

     

    I tried with a SHA2 certificate as well and the result is the same. The agent still can't see the certificate.

     

    [11:34:52][3204][3017537504][430f4b0a-0c84-5a4d76ac-b3dbf7e0-58287f6759cd][SmScc::getCredentials][Certificate present][][][][][]

    [11:34:52][3204][3017537504][430f4b0a-0c84-5a4d76ac-b3dbf7e0-58287f6759cd][SmScc::getCredentials][Success in collecting credentials.][][][][][]

    [11:34:52][3204][3017537504][430f4b0a-0c84-5a4d76ac-b3dbf7e0-58287f6759cd][AuthenticateUser][User 'unknown' is not authenticated by Policy Server.][][][][][]

    [11:34:52][3204][3017537504][430f4b0a-0c84-5a4d76ac-b3dbf7e0-58287f6759cd][CSmHttpPlugin::ProcessResponses][Processing Authentication responses.][][][][][]

     

    Apache error logs show the cert being read correctly:

     

      ssl_engine_kernel.c(1306):  Certificate Verification: depth: 1, subject: /C=as/ST=nsw/L=ss/O=ss/OU=sd/CN=testepicankur/emailAddress=test@test.com, issuer: /C=as/ST=nsw/L=ss/O=ss/OU=sd/CN=testepicankur/emailAddress=test@test.com

      ssl_engine_kernel.c(1306):  Certificate Verification: depth: 0, subject: /C=au/ST=as/L=as/O=as/OU=as/CN=testscitheankurtest/emailAddress=test@test.com, issuer: /C=as/ST=nsw/L=ss/O=ss/OU=sd/CN=testepicankur/emailAddress=test@test.com

      ssl_engine_kernel.c(1884): OpenSSL: Loop: SSLv3 read client certificate A

      ssl_engine_kernel.c(1884): OpenSSL: Loop: SSLv3 read client key exchange A

      ssl_engine_kernel.c(1884): OpenSSL: Loop: SSLv3 read certificate verify A.

     

    I am wondering if I am looking at the right place. Apache seems to be doing the right thing, but for some reason the agent can't read the cert details (cert details are never passed to the PS, that's why auth fails). What do you think?



  • 10.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 04, 2018 12:03 AM

    I know for sure SHA2 is not supported until 12 SP3.

    But I guess SHA1 should be OK.



  • 11.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 03, 2018 11:57 PM

    Do we know how the web agent reads certificate details from Apache? Is it via SSL variables set by mod_ssl?

     

    If so, which env variable does it use? We can print it in the logs and see if mod_ssl is setting it correctly.



  • 12.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 04, 2018 12:13 AM

    I believe it is SSL_CLIENT_CERT; if that fails then it uses the legacy variable SSL_CLIENT_CERTIFICATE.

     

    Have you seen the cert details printed in the agent trace log when it works? I don't think it prints...



  • 13.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 04, 2018 12:19 AM

    Yes, it prints these 2 in the working environment correctly:

     

    user_dn

    issuer_dn



  • 14.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 04, 2018 12:31 AM

    SSL_CLIENT_CERT, as per the Apache doc, is the PEM-encoded client certificate,

     

    and enabling it in the logs shows the same. So we can see that mod_ssl is setting the PEM-encoded client cert as SSL_CLIENT_CERT.

     

    That means the agent relies on OpenSSL libraries again to pull data out of this PEM file?

     

    The problem here is that the agent doesn't show any error but also doesn't show cert details. The working agent has issuer_dn and user_dn in the agent logs.

     

    Will do a packet capture between the agent and the PS to see if it's sending any cert data to the PS.



  • 15.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 04, 2018 03:49 AM

    Hi,

     

    Usually this error appears when the certificate was signed with an unsupported algorithm, as Ujwol mentioned, but when you mentioned that it works with other old agents, and your Policy Server is 6.0, I thought it may be a bug in your release, and found the following:

     

    CRLs Reporting Error Message Fixed (39446, 40045)
    On Windows and Solaris systems, the Policy Server's Cert-C libraries have been updated to correct an issue with CRLs reporting a "Failure in RSA Cert-C library getting CRL" error message.

     

    Policy Server R6.0 SP6 Release Notes

     

    I also found a limitation in R6.0 SP5 where the validity of the certificates was not allowed to be later than 2032. This was fixed in later CRs, but I was not able to find in which one.

    I also found an old case where a customer had the same issue and solved it by changing the certificate validity from 2100 to an earlier year.

     

    I hope this helps!

     

    Albert.
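    Added example (not from the thread and not CA/Symantec code): a stdlib-only Python check of what mod_ssl exports in SSL_CLIENT_CERT, reporting the fields the thread narrowed the problem down to (signature hash, notAfter year against the 2032 limit, subject and issuer DN), so the variable can be inspected before the agent ever hands it to the Policy Server. The OID tables and the `build_sample_cert` helper are assumptions of this example; the sample certificates are constructed by that helper, not taken from the page.

```python
import base64, re
# Assumed OID tables (standard X.509 values, not taken from the thread).
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
DN_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU"}

def tlv(buf, pos):  # decode one DER TLV at pos -> (tag, value, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(value):  # all (tag, value) pairs inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(raw):
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for c in raw[1:]:
        val = (val << 7) | (c & 0x7F)
        if not c & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def decode_name(raw):  # Name ::= SEQUENCE OF SET OF SEQUENCE {type OID, value}
    return ",".join(DN_OIDS.get(decode_oid(oid), decode_oid(oid)) + "=" + val.decode()
                    for _, rdn in children(raw) for _, atv in children(rdn)
                    for (_, oid), (_, val) in [children(atv)])

def inspect_client_cert(pem):
    """Report the tbsCertificate fields a Policy Server must parse out of SSL_CLIENT_CERT."""
    der_bytes = base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))
    tbs = children(children(tlv(der_bytes, 0)[1])[0][1])   # Certificate -> tbsCertificate
    i = 1 if tbs[0][0] == 0xA0 else 0                    # explicit [0] version is optional
    sig_oid = decode_oid(children(tbs[i + 1][1])[0][1])
    tag, t = children(tbs[i + 3][1])[1]                  # validity.notAfter
    t = t.decode()                                       # UTCTime (YY..) or GeneralizedTime (YYYY..)
    year = int(t[:4]) if tag == 0x18 else int(t[:2]) + (2000 if int(t[:2]) < 50 else 1900)
    return {"issuer": decode_name(tbs[i + 2][1]), "subject": decode_name(tbs[i + 4][1]),
            "sig_alg": SIG_OIDS.get(sig_oid, sig_oid), "not_after_year": year,
            "sha1_signed": sig_oid == "1.2.840.113549.1.1.5", "expires_after_2032": year > 2032}

def der(tag, payload):  # encode one DER TLV; used only to build the constructed sample cert
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def build_sample_cert(sig_oid_der, not_after):
    """Constructed, unsigned sample cert: just enough tbsCertificate for the check above."""
    def name(cn):  # single RDN, CN=<cn>
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn))))
    alg = der(0x30, der(0x06, sig_oid_der) + b"\x05\x00")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name(b"Test CA")
              + der(0x30, der(0x17, b"180101000000Z") + der(0x18 if len(not_after) == 15 else 0x17, not_after.encode()))
              + name(b"TEST ANKUR") + der(0x30, b""))
    raw = der(0x30, tbs + alg + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(raw).decode() + "-----END CERTIFICATE-----\n"
```

    On a live Apache, feed `inspect_client_cert` the value mod_ssl puts in SSL_CLIENT_CERT (for example from a CGI environment dump) to see whether the cert the agent receives is SHA1-signed and expires before 2032.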



  • 16.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 04, 2018 06:47 PM

    Thanks Albert,

     

    The error in the PS refers to [Failure in RSA Cert-C library getting Cert Fields]. It doesn't refer to CRL.

     

    Also, I checked the expiry of the client cert that I am using and it's not long-dated. It expires in April this year.



  • 17.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 05, 2018 12:17 AM

    Is this the correct flow for a web agent hosting the .scc file?

     

    1. User accesses site https://abc.com.au/resource

    2. https://abc.com.au/resource is protected by cert-based auth.

    3. The web agent on abc.com redirects the browser to the credential collector at https://x509.com.au/siteminderagent/cert/12222/smgetcred.cc?target=https://abc.com.au, which prompts the user for a certificate, creates an SSLCRED cookie and redirects back to https://abc.com.au

     

    4. The web agent on https://abc.com.au decodes SSLCRED and connects to the PS, which validates the user and creates an SMSESSION.


    We can see this in the non-working credential collector logs:

     

    [15:08:31][17328][2981967840][430f4b0a-43b0-5a4efa3f-b1bd37e0-20f35e7ba2f8][SmAdvancedAuthCore::parseTargetUrl][Resolved cookie domain '.xyz.com.au'.][][][][][]

    [15:08:31][17328][2981967840][430f4b0a-43b0-5a4efa3f-b1bd37e0-20f35e7ba2f8][IsResourceProtected][Resource is protected from Policy Server.][][][][][]

    [15:08:31][17328][2981967840][430f4b0a-43b0-5a4efa3f-b1bd37e0-20f35e7ba2f8][CSmHttpPlugin::ProcessResponses][Processing IsProtected responses.][][][][][]

    [15:08:31][17328][2981967840][430f4b0a-43b0-5a4efa3f-b1bd37e0-20f35e7ba2f8][SmScc::getCredentials][Certificate present][][][][][]

    [15:08:31][17328][2981967840][430f4b0a-43b0-5a4efa3f-b1bd37e0-20f35e7ba2f8][SmScc::getCredentials][Success in collecting credentials.][][][][][]

    [15:08:31][17328][2981967840][430f4b0a-43b0-5a4efa3f-b1bd37e0-20f35e7ba2f8][AuthenticateUser][User 'unknown' is not authenticated by Policy Server.][][][][][]

    It parses not just the .scc file (which is ignored) but also the target in the query parameter, checks with the PS if it's protected and then tries to authenticate the user.

    As it's a credential collector, should it not just intercept the request, get the cert details, create an SSLCRED cookie and send the request back to the original web agent that requested auth?



  • 18.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 07, 2018 04:46 PM

    Question: is this any different from the working condition? I don't think so..

     

    Even if it is scc (or fcc for that matter), it would need to check if the targetUrl is protected and perform user authentication only if it is, otherwise not.



  • 19.  Re: Siteminder X509 cert auth not working with apache
    Best Answer

    Posted Jan 07, 2018 04:49 PM

    My suggestion is to upgrade the PS & WA to the latest CR on 6PS6; we should be able to provide the latest binary if you could open a support ticket.



  • 20.  Re: Siteminder X509 cert auth not working with apache

    Posted Jan 08, 2018 08:57 PM

    Unfortunately, a PS upgrade is not an option, otherwise we wouldn't have been on 6qmr5 today.

     

    You are correct in saying the agent will authenticate the target resource as well.

     

    The agent guide says: Beginning with 5.x QMR 2, the forms (FCC/SFCC), SSL (SCCs), and NTLM (NTC) credential collectors operate differently than 4.x credential collectors. When a user submits credentials, the credential collector does not have to create a credential cookie in the user's browser and send the user back to the original Web Agent. Instead, the credential collector can log the user in to the Policy Server directly on behalf of the Web Agent protecting the requested resource.

     

    We were comparing the 4.x agent with 6.x; that's why there is no SSLCRED cookie in 6.x.

     

    Also, the agent logs don't log the credentials collected in 6.x (perhaps 5.x QMR 2 and above). On the 6.x agent we tried form-based auth and there was no username in the agent trace logs while collecting credentials, but we can see the username on the PS.

     

    So this, I am assuming, is the actual cert being passed, in the PS trace logs (request attribute 206 is CertBinary):

     

    [15:47:14.011][SmMessage.cpp:377][CSmMessage::ParseAgentMessage][][Receive request attribute 206, data size is 800][][][][][][][][][][][][][** Not Shown **][][][][][][][][][][][][15:47:14][26011][29][][][ssomoneweb005-ssoinit-81]

     

    But then the PS can't read it, for some reason we don't know.

     

     

    Is there a way to force 6.x agents to work in a compatibility mode like 4.x, to create an SSLCRED cookie instead of authenticating the user?

     

     

    Or are you aware of any extra configuration required when setting up the PS to enable it to read certs? We have had cert-based auth working with 4.x agents, so it appears the PS never read the certs but always got the userdn/issuerdn instead.