Symantec Access Management


Tech Tip : CA Single Sign-On : Policy Server backend CA Directory Session Store over SSL reports error : "SSL3 alert read: fatal: bad certificate"


    Broadcom Employee
    Posted Nov 10, 2017 03:45 AM

    Issue:

    We are running Policy Server. When it tries to connect to the backend CA Directory Session Store over SSL, it fails. The CA Directory Session Store reports this error:

    ! [5] Accepting call from TCP 10.22.232.148:13223
    ! [0] Accepting call from TCP 10.22.232.148:13225
    ! [3] STATE: SSL3 alert read: fatal: bad certificate
    ! [3] STATE: SSL_accept: failed in SSLv3 read client certificate A
    ? [3] 20170831.115804.432 WARN : SSL Error
    ? [3] 20170831.115804.432 WARN : 7fffcc0180c8- 15030300 02022a ......*
    ? [3] 20170831.115804.432 WARN : 3:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1487:SSL alert number 42
    3:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:s3_pkt.c:1210:
    ? [3] 20170831.115804.432 WARN : ssld_ssl_request failed
    ? [3] 20170831.115804.432 WARN : TLS/SSL handshake failed for call from 10.22.232.148:13223
    ? [3] 20170831.115804.433 WARN : comms_recv: Connection reset by peer
    ! [3] Call closed 12

    How can we solve that?

    Environment:

    Policy Server 12.7 on RedHat 7; CA Directory 12.6.02

    Cause:

    The same CA Directory server hosts three LDAP (DSA) instances: one Policy Store, one Key Store and one Session Store. The certificates defined at CA Directory level are self-signed, and some of them share the same serial number, which causes a conflict on the client side (the Policy Server).

    Resolution:

    To solve the issue, sign the certificate of each instance with a CA, as follows:

    • Stop the Policy Server
    • Stop all CA Directory DSA instances (dxserver stop all)
    • Remove all bad certificates (.pem files) from the folder <CA-DIR>/ssld/personalities
    • Run dxcertgen report to make sure no certificate remains for the Policy Store, Key Store and Session Store
    • Create a new certificate request for each DSA (Policy Store, Key Store, Session Store) with: dxcertgen -D <dsaname> certreq
    • Sign the CSRs with your CA and merge the new certificates
    • Start all DSA instances (dxserver start all)
    • Start the Policy Server and verify that it connects correctly to the Policy Store, Key Store and Session Store
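    The cause above is a duplicate serial number across the self-signed personality certificates, and the last step verifies the fix only indirectly (by whether the Policy Server connects). The following script is an added example, not part of this tech tip and not CA Directory tooling: it walks every .pem file in a directory, extracts the X.509 serialNumber straight from the DER (no third-party library needed), and reports serials shared by more than one file. Point it at <CA-DIR>/ssld/personalities before the cleanup to confirm the collision, and again after the CA-signed certificates are merged to confirm every DSA now has a distinct serial. The sample files it creates in demo() are constructed, minimal certificate-shaped DER, not real certificates; the file names policy-store.pem, key-store.pem and session-store.pem are assumed for illustration.

```python
import base64
import os
import re
import tempfile
from collections import defaultdict

# Matches each PEM certificate body in a file (a .pem may hold several).
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: the next (length & 0x7F) bytes hold the size
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_serial(cert_der):
    """Return the X.509 serialNumber of a DER certificate as an uppercase hex string.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, signatureAlgorithm, signatureValue }
    """
    tag, tbs_pos, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (Certificate)")
    tag, pos, _ = _read_tlv(cert_der, tbs_pos)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (TBSCertificate)")
    tag, vstart, vend = _read_tlv(cert_der, pos)
    if tag == 0xA0:  # explicit [0] version is present; skip it
        tag, vstart, vend = _read_tlv(cert_der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return cert_der[vstart:vend].hex().upper()


def pem_serials(pem_bytes):
    """Serial numbers of every certificate in a PEM blob, in file order."""
    return [der_serial(base64.b64decode(m.group(1))) for m in PEM_CERT.finditer(pem_bytes)]


def find_duplicate_serials(directory):
    """Map serial -> .pem files carrying it, keeping only serials seen in two or more files."""
    by_serial = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pem"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            for serial in pem_serials(fh.read()):
                by_serial[serial].append(name)
    return {s: files for s, files in by_serial.items() if len(files) > 1}


# --- constructed sample input (not real certificates) -----------------------

def _tlv(tag, value):
    """Encode a short-form DER TLV (value shorter than 128 bytes)."""
    return bytes([tag, len(value)]) + value


def make_cert_like_der(serial):
    """Constructed, minimal certificate-shaped DER with the given serial bytes.

    Only the fields der_serial() walks are meaningful; the remaining fields are
    empty placeholders, so no TLS stack would accept this as a certificate.
    """
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))  # [0] EXPLICIT version v3
    tbs = _tlv(0x30, version + _tlv(0x02, serial) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def to_pem(der):
    body = base64.encodebytes(der).decode("ascii")  # 76-column lines, newline-terminated
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n".encode("ascii")


def demo():
    """Write three constructed personality files, two sharing serial 01, and scan them."""
    # The temporary directory stands in for <CA-DIR>/ssld/personalities (assumed file names).
    with tempfile.TemporaryDirectory() as personalities:
        for name, serial in (("policy-store.pem", b"\x01"),
                             ("key-store.pem", b"\x01"),
                             ("session-store.pem", b"\x02")):
            with open(os.path.join(personalities, name), "wb") as fh:
                fh.write(to_pem(make_cert_like_der(serial)))
        return find_duplicate_serials(personalities)


if __name__ == "__main__":
    for serial, files in demo().items():
        print(f"serial {serial} shared by: {', '.join(files)}")
```

    On a live system, call find_duplicate_serials("<CA-DIR>/ssld/personalities") instead of demo(); an empty result means every personality certificate carries a distinct serial. For a single file, openssl x509 -noout -serial -in <file>.pem prints the same value the script extracts.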

     

    KB: TEC1956082