Symantec Access Management


SPS Certificate for  is not trusted or bad certificate

  • 1.  SPS Certificate for  is not trusted or bad certificate

    Posted Jun 02, 2015 06:33 PM

    Hi Team,

    Any suggestions for this issue would help.

    I have my SPS Apache SSL enabled and the backend server is also SSL enabled. I imported the certificate of the backend server into SPS using the GUI "Embedded http client (Noodle) SSL configuration".

    The certificate subject is similar to the hostname, but I am still getting the same error.

    Exception:

    com.rsa.ssl.SSLException: Certificate for  is not trusted or bad certificate
      at com.netegrity.util.security.rsa.AbstractHostVerifier.verify(AbstractHostVerifier.java:119)
      at com.ca.proxy.apache.httpclient.conn.factory.SPSSecureSocketFactory.connectSocket(SPSSecureSocketFactory.java:113)
      at com.ca.proxy.apache.httpclient.conn.factory.SPSConnectionFactory.openConnection(SPSConnectionFactory.java:132)
      at com.ca.proxy.connectionpool.ConnectionCapsule.open(ConnectionCapsule.java:113)

    [06/02/2015][18:26:23][5496][7132][11432d5c-2a457fff-5dc5fb59-a408c0c5-214a148e-c4e][Noodle::doGet][com.rsa.ssl.SSLException: Certificate for <ws.devtest.int.dealertrack.com/10.135.0.67> is not trusted or bad certificate at com.netegrity.util.security.rsa.AbstractHostVerifier.verify(AbstractHostVerifier.java:119)]

    [06/02/2015][18:26:23][5496][7132][11432d5c-2a457fff-5dc5fb59-a408c0c5-214a148e-c4e][ErrorPageImpl::displayMessage][Custom Error Pages : Custom message is not an URL. If URL is specified then it might not be in proper format. Considering it as plain text message.]

    [06/02/2015][18:26:23][5496][7132][11432d5c-2a457fff-5dc5fb59-a408c0c5-214a148e-c4e][ProxyValve::invoke][Leaving the agent.]

    What could I be doing wrong? Does someone have some other steps I can follow to get this working?

    Thanks in advance.



  • 2.  Re: SPS Certificate for  is not trusted or bad certificate

    Posted Jun 11, 2015 10:13 AM

    Is anyone able to assist further with this user's question?

    Thank you



  • 3.  Re: SPS Certificate for  is not trusted or bad certificate

    Posted Jun 11, 2015 10:40 AM

    Are you sure you have the full chain? Can you list the certificate in the Java keystore?



  • 4.  Re: SPS Certificate for  is not trusted or bad certificate

    Posted Apr 15, 2016 08:35 PM

    Hi Richard,

    Did you manage to find a solution to this? I know it's almost a year since you posted this, but any insights might be helpful.

    Thanks,

    Vidhi



  • 5.  Re: SPS Certificate for  is not trusted or bad certificate

    Broadcom Employee
    Posted Apr 16, 2016 12:25 AM

    SSL Certificate bad or not trusted error:

    I am working with CA SPS r12.52 SP1 CR04 on Red Hat Linux 6.7 with 32-bit JDK 1.7.0_79 with the unlimited cryptography patch applied.

    Create a rootBundle.cert file in the $spsHome/SSL/certs directory.

    You need to add your PEM-encoded version of the root and intermediate public certificates that signed the backend server you are attempting to proxy over SSL.

    Linux commands:

    cat root.cer >> $spsHome/SSL/certs/rootBundle.cert

    cat intermediate.cer >> $spsHome/SSL/certs/rootBundle.cert

    Windows commands:

    Use Notepad and copy the PEM-encoded certificates into the file.

    Make sure you keep the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    You may also add these to the already created ca-bundle.cert file that the proxy calls by default.

    Make sure the user that you set to start the Tomcat engine can read the directory and files you have created.

    If you used the tomcat user and group, at least give group read permissions.

    $spsHome is your proxy server home directory.

    Mine is /opt/CA/secure-proxy

    Replace instances of $spsHome with your SPS home directory in your configurations.

    Two ways to set this:

    In the SSL.conf file that serves the particular virtual host you are working with. The default case would be

    $spsHome/httpd/conf/extra/httpd-ssl.conf

    Modify the parameters

    SSLCACertificatePath $spsHome/SSL/certs/

    SSLCACertificateFile $spsHome/SSL/certs/rootBundle.cert

    or use the ProxyUI Admin GUI:

    Go to the Proxy Configuration tab -> SSL Config

    1. Modify the SSL CA Certificate File to call the rootBundle.cert you created, or, if you appended the root and intermediate certificates to the ca-bundle.cert, leave that field as it is.
    2. If you make changes in the Proxy AdminUI, it will wrap those changes in the configuration files with quotation marks " ".
    3. Bounce your proxy with the sps-ctl stop and sps-ctl startssl commands.
    4. Verify your browser also has the root certificates loaded for the sites you are working with. You should not get the SSL errors any more, and the proxy to the backend server should happen successfully. I recommend changing the ACO parameter for the WebAgent you are using to do the proxy and setting the TraceFile parameter to create a trace log. It will log what is happening with the proxy in the trace log it creates for the agent.

    Hope this helps. It fixed my issues with proxying over SSL to the backend servers.

    Thanks,

    Adam Rusniak
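    The bundle-building procedure above, as an added example that is not part of the original post and not CA/Broadcom code. It assembles rootBundle.cert from PEM files the way the reply describes, but refuses inputs that carry no BEGIN/END CERTIFICATE lines (a DER-exported .cer that cat would happily append and Apache would silently ignore), guards against a missing trailing newline fusing two certificates, sets the group-readable permissions the reply asks for, and checks the backend's chain against the bundle with openssl before the proxy is bounced. $spsHome, the tomcat group name, the file names and the backend hostname in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example (not CA/Broadcom code): assemble the rootBundle.cert that the
# post describes, reject inputs that are not PEM, make it readable by the
# tomcat group, and verify the backend's chain against it before restarting.
# $spsHome, the tomcat group name and the file names are assumptions.
: "${spsHome:=/opt/CA/secure-proxy}"

# Append one PEM file to the bundle. A DER (.cer) file exported from Windows
# has no BEGIN/END lines; appending it would not produce an error, only a
# bundle that does not contain the CA you think it does.
append_pem() {
  pem="$1"; bundle="$2"
  [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$pem" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "$pem is not PEM (BEGIN=$begins, END=$ends); convert with:" \
         "openssl x509 -inform der -in $pem -out ${pem%.*}.pem" >&2
    return 1
  fi
  cat "$pem" >> "$bundle"
  # A file without a trailing newline would fuse its END line with the next
  # file's BEGIN line and break every certificate after it.
  if [ -n "$(tail -c 1 "$pem")" ]; then echo >> "$bundle"; fi
}

# Number of certificates in a bundle (each BEGIN marker on its own line).
count_certs() {
  grep -c -- '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Rebuild the bundle from scratch so a re-run never duplicates entries, and
# print how many certificates it now holds.
build_bundle() {
  bundle="$1"; shift
  : > "$bundle"
  for f in "$@"; do
    append_pem "$f" "$bundle" || return 1
  done
  count_certs "$bundle"
}

# Owner read/write, group read, nothing for others: enough for the user that
# starts the Tomcat engine (via its group) without making the file world-readable.
secure_bundle() {
  bundle="$1"; grp="${2:-tomcat}"
  chmod 640 "$bundle"
  if getent group "$grp" >/dev/null 2>&1; then chgrp "$grp" "$bundle"; fi
}

# Fetch the leaf certificate the backend actually presents and verify it
# against the bundle. Returns openssl's verdict, or 2 if openssl is missing.
verify_backend_chain() {
  bundle="$1"; host="$2"; port="${3:-443}"
  command -v openssl >/dev/null 2>&1 || return 2
  leaf=$(mktemp) || return 2
  echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -outform PEM > "$leaf" || { rm -f "$leaf"; return 1; }
  openssl verify -CAfile "$bundle" "$leaf" && rc=0 || rc=$?
  rm -f "$leaf"
  return "$rc"
}

# Usage (hostname assumed; not run here):
#   build_bundle "$spsHome/SSL/certs/rootBundle.cert" root.cer intermediate.cer
#   secure_bundle "$spsHome/SSL/certs/rootBundle.cert" tomcat
#   verify_backend_chain "$spsHome/SSL/certs/rootBundle.cert" backend.example.com 443
```

    If openssl verify reports "unable to get local issuer certificate", the bundle is missing an intermediate rather than the root, which is the usual cause of the "not trusted or bad certificate" error in this thread. This check only covers the Apache side of the trust configuration; the agent trace log Adam mentions still tells you what the proxy engine itself decided.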



  • 6.  Re: SPS Certificate for  is not trusted or bad certificate

    Posted Apr 29, 2016 07:21 PM

    Hey Adam,

    Thanks for the detailed answer.

    In my case, I noticed that although the backend cert was added to the CA cert bundle, I was getting a validation failure message for that certificate in the nohup logs.

    I deleted the cert and added it again to the CA cert bundle, and that seemed to resolve the issue.

    -Vidhi



  • 7.  Re: SPS Certificate for  is not trusted or bad certificate

    Broadcom Employee
    Posted Mar 18, 2017 03:36 AM

    Hi,

    I also faced a similar issue. In my case, debugging with -Djavax.net.debug=ssl:handshake:verbose showed me that SPS 12.51 was presenting an old cipher suite. In $SPS/conf/server.conf, inside the <sslparams> section, the version= was showing "sslv3"; I changed it to TLSv1 (I should move it to TLSv2 in production, though).

    I hope it helps.



  • 8.  Re: SPS Certificate for  is not trusted or bad certificate

    Broadcom Employee
    Posted Mar 19, 2017 07:09 PM

    The <sslparams> section in server.conf covers the backend connection. Later versions of the Agent Gateway (such as AG 12.6) do have support for TLSv1.2; one of the requirements was Java 1.8, which was needed for easy use.

    Cheers - Mark



  • 9.  Re: SPS Certificate for  is not trusted or bad certificate

    Posted Sep 21, 2016 05:38 PM

    Hi,

    I also had a similar issue. I updated the Java JCE unlimited jars in the JDK\JRE\security folder and that resolved the error. So, steps to verify:

    1. The server/URL's root certificate should be in ca_bundle.crt.

    2. The JCE unlimited jars should be copied into the JDK\JRE\security folder.

    Thanks,

    Ashish



  • 10.  Re: SPS Certificate for  is not trusted or bad certificate

    Broadcom Employee
    Posted Sep 25, 2016 11:07 PM

    Hi - just a quick note to this older question.

    The error "Certificate for  is not trusted or bad certificate" is fairly unforgiving, in that if you have made a mistake somewhere it does not help you diagnose exactly where the problem has occurred.

    To help, you can enable some logging: adding -Djavax.net.debug="all" to the Java runtime startup will give details of the SSL handshake in the server.log file. It will also print out details as it tries to find the server certificate in the currently trusted list of certs, and will tell you if the trusted path is incomplete.

    Adding -verbose to the Java runtime startup will also give, in the nohup.out log, details of the path for which .jar each class is loaded from. It is not unheard of that the JDK being used at runtime is different from the one that was thought to be being used, and also there are often two locations you can apply the JCE patch to (one in the JDK and one in the JRE, and it is often easy to get confused).

    The file to apply these settings to is the SmSpsProxyEngine.properties file on Windows, or proxyserver.sh on Unix.

     

    Cheers - Mark



  • 11.  Re: SPS Certificate for  is not trusted or bad certificate

    Posted Nov 01, 2016 09:02 AM

    Hi Mark,

    I added the parameter -Djavx.net.debug="all" in SmSpsProxyEngine.properties, but SSL-related information is not getting generated. Did I add it in the correct location?

    NETE_SPS_PROXYENGINE_CMD="%NETE_SPS_JAVA_HOME%\bin\java.exe" -Djavx.net.debug="all"

    ..

    Regards,

    Rikash



  • 12.  Re: SPS Certificate for  is not trusted or bad certificate

    Broadcom Employee
    Posted Nov 01, 2016 06:38 PM

    Sorry, Rikash, I must have backspaced at the wrong time; it should be -Djavax.net.debug="all" (not -Djavx.net.debug). I have fixed the original reply now.

    Cheers - Mark
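    Two of the pitfalls in Mark's replies above (the JCE policy patched into the JDK copy when the runtime loads the JRE copy, or the other way round, and a misspelled -Djavax.net.debug flag that silently produces no handshake output) can be checked before the proxy engine is restarted. The following is an added example, not part of the thread and not CA/Broadcom code: it resolves the security directory of the JRE that a given java binary really runs, tests for the pre-8u151 policy jars there, and classifies the debug flag found in a startup file. The startup-file variable name is taken from Rikash's post; the JDK/JRE paths and the policy-jar names are assumptions about a standard Java 7/8 layout.

```shell
#!/bin/sh
# Added example (not CA/Broadcom code): locate the lib/security directory of
# the JRE that the proxy engine's java binary really uses, check the JCE
# unlimited policy jars there, and sanity-check the debug flags in the
# startup file. Paths and the startup-file format are assumptions.

# Physical directory of a java launcher, following /usr/bin/java-style
# symlink chains where readlink -f is available.
java_bin_dir() {
  real=$(readlink -f "$1" 2>/dev/null || echo "$1")
  (cd "$(dirname "$real")" && pwd -P)
}

# A JDK's bin/java runs the bundled JRE under jre/, so the policy files it
# loads live in jre/lib/security; a standalone JRE (or jre/bin/java inside
# a JDK) uses lib/security. Patching the other directory changes nothing.
java_security_dir() {
  jhome=$(dirname "$(java_bin_dir "$1")")
  if [ -d "$jhome/jre/lib/security" ]; then
    echo "$jhome/jre/lib/security"
  else
    echo "$jhome/lib/security"
  fi
}

# Pre-8u151 JCE unlimited policy: both jars must be present in that directory
# (Java 8u151 and later use crypto.policy=unlimited in java.security instead).
jce_policy_present() {
  [ -f "$1/local_policy.jar" ] && [ -f "$1/US_export_policy.jar" ]
}

# Classify the debug flag in a startup file such as proxyserver.sh or
# SmSpsProxyEngine.properties: 0 = -Djavax.net.debug present,
# 1 = the misspelled -Djavx.net.debug from the thread, 2 = no debug flag.
check_debug_flags() {
  if grep -q -- '-Djavx\.net\.debug' "$1"; then return 1; fi
  grep -q -- '-Djavax\.net\.debug' "$1" || return 2
  return 0
}

# Usage (paths assumed; not run here):
#   sec=$(java_security_dir "$NETE_SPS_JAVA_HOME/bin/java")
#   jce_policy_present "$sec" || echo "copy local_policy.jar and US_export_policy.jar into $sec"
#   check_debug_flags /opt/CA/secure-proxy/proxyengine/proxyserver.sh
```

    Run java_security_dir against the exact binary named in NETE_SPS_PROXYENGINE_CMD rather than against whatever `java` is first on your PATH; the two are often different installations, which is the runtime mismatch Mark describes, and -verbose in the startup file will confirm the same thing from the .jar paths in nohup.out.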