Symantec Access Management

  • 1.  How to bypass the internal proxy of vApp with SPS and SM in place.

    Posted Sep 28, 2020 07:11 AM

    Hello Team,

    We have configured an SPS instance to connect to the vApp. We have configured the proxy rules so that it connects to the vApp's internal proxy on port 443. Please see the proxy rule below, for instance. This configuration works absolutely fine.

    <nete:case value="/iam/"><!-- replace http://server2.company.com with the appropriate destination server -->
    <nete:forward>https://<vapp ip>:443$0</nete:forward>
    </nete:case>
    <nete:case value="/sigma/"><!-- replace http://server2.company.com with the appropriate destination server -->
    <nete:forward>https://<vapp ip>:443$0</nete:forward>
    </nete:case>


    Now, we disabled the internal proxy of the vApp and made the following changes to the proxyrules.xml file, as IAM runs SSL on 8443 and the portal on 8444.

    <nete:case value="/iam/"><!-- replace http://server2.company.com with the appropriate destination server -->
    <nete:forward>https://<vapp ip>:8443$0</nete:forward>
    </nete:case>
    <nete:case value="/sigma/"><!-- replace http://server2.company.com with the appropriate destination server -->
    <nete:forward>https://<vapp ip>:8444$0</nete:forward>
    </nete:case>

    When we now access the URL, the login page is displayed, but the moment the user enters the password, we get a Noodle exception on the web page, and the logs say something about a handshake error and missing certificates.

    [09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][releaseConnection(): ][Released connection is not reusable.]
    [09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][execute][javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]
    [09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][execute][Retrying to send the request to backend web server.Retry count: 1]
    [09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][execute][Sending request to backend = <vApp IP>:8444 url = <vApp IP>:8444/sigma/app/index]
    [09/23/2020][17:31:25][10516][7632][2454edc5-859d4fe1-0dc7a8a7-f0f478b1-43ec3a85-4f][requestConnection(): ][Get connection: {s}->https://<vApp ip>:8444, timeout = 180000]

    From SPS server.log we have following:-

    [23/Sep/2020:17:31:25-470] [ERROR] - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:331)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.Handshaker.process_record(Handshaker.java:1010)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1079)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1388)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1416)
    [23/Sep/2020:17:31:25-470] [ERROR] - at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1400)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.sso.smssl.socket.SMSSLSocketImpl.startHandshake(SMSSLSocketImpl.java:400)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.apache.httpclient.conn.factory.SPSSecureSocketFactory.connectSocket(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.conn.scheme.SchemeLayeredSocketFactoryAdaptor2.connectSocket(SchemeLayeredSocketFactoryAdaptor2.java:62)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.apache.httpclient.conn.factory.SPSConnectionFactory.openConnection(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.connectionpool.ConnectionCapsule.open(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.connectionpool.impl.ConnectionPoolConnAdapter.open(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    [23/Sep/2020:17:31:25-470] [ERROR] - at com.ca.proxy.apache.httpclient.SPSClient.execute(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.tigris.noodle.ProxyModule.proxyRequest(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.tigris.noodle.Noodle.doGet(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.tigris.noodle.Noodle.service(Unknown Source)
    [23/Sep/2020:17:31:25-470] [ERROR] - at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:742)
    [23/Sep/2020:17:31:25-470] [ERROR] - at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:484)


    We have imported the vApp server certificate into the ca-bundle.cert file of the instance and into MMC as well. Is there anything we have missed here? Can anyone review and provide any input to us?

    Thanks,
    Shashank



  • 2.  RE: How to bypass the internal proxy of vApp with SPS and SM in place.

    Posted Sep 29, 2020 06:22 AM
    Hi Shashank,
    You have to add the root CA, or alternatively the intermediate certificate, to ca-bundle.cert.
    Add the certificate itself only if it is self-signed.
    br
    Camil
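
A way to check the point made in this reply outside SPS, as an added example that is not part of the thread and is neither SPS nor vApp code: the script below builds a throw-away PKI with OpenSSL (a root CA, an issuing CA, a server certificate for the made-up host vapp.example.internal, and a separate self-signed server certificate; every name in it is constructed) and runs `openssl verify` against trust stores with different contents. OpenSSL stands in for the trust check that SPS performs when it opens the backend connection; it is not the SPS implementation, but the Java stack trace in the first post ("No trusted certificate found") reports the same class of failure. The cases mirror what the poster tried (only the server certificate in the bundle) and what Camil recommends (root CA, or intermediate, with the server certificate itself only when it is self-signed).

```shell
#!/bin/sh
# Added example (not SPS/vApp code): build a throw-away PKI and show which
# trust-store contents let OpenSSL validate a CA-issued server certificate.
# All names (Demo Root CA, vapp.example.internal, ...) are made up here.

# make_demo_pki DIR: create root CA -> issuing CA -> server cert, plus a
# separate self-signed server cert, all under DIR (constructed test material).
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Extension profiles: CA certs need CA:TRUE and keyCertSign; the server
    # cert gets a SAN and the serverAuth EKU.
    printf '%s\n' \
        'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$dir/ca.ext"
    printf '%s\n' \
        'basicConstraints = CA:FALSE' \
        'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:vapp.example.internal' > "$dir/server.ext"

    # Root CA (self-signed)
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Issuing (intermediate) CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Issuing CA' \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null

    # Server certificate for the "vApp", signed by the issuing CA
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=vapp.example.internal' \
        -keyout "$dir/vapp.key" -out "$dir/vapp.csr" 2>/dev/null
    openssl x509 -req -in "$dir/vapp.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 825 -extfile "$dir/server.ext" -out "$dir/vapp.pem" 2>/dev/null

    # Self-signed server certificate: the one case where the server cert
    # itself is the trust anchor and belongs in the bundle
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=vapp.example.internal' \
        -keyout "$dir/self.key" -out "$dir/self.csr" 2>/dev/null
    openssl x509 -req -in "$dir/self.csr" -signkey "$dir/self.key" -days 825 \
        -extfile "$dir/server.ext" -out "$dir/self.pem" 2>/dev/null
}

# verify_chain BUNDLE LEAF [extra openssl-verify options]
# Exit status 0 when OpenSSL accepts LEAF with BUNDLE as the trust store.
verify_chain() {
    bundle="$1"; leaf="$2"; shift 2
    openssl verify -CAfile "$bundle" "$@" "$leaf" >/dev/null 2>&1
}

# report LABEL BUNDLE LEAF [options]: print the outcome of one scenario
report() {
    label="$1"; shift
    if verify_chain "$@"; then
        printf 'OK    %s\n' "$label"
    else
        printf 'FAIL  %s\n' "$label"
    fi
}

demo() {
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    cat "$dir/root.pem" "$dir/int.pem" > "$dir/ca-bundle.cert"
    report "server cert alone in the bundle (what the post tried)"   "$dir/vapp.pem" "$dir/vapp.pem"
    report "root CA in the bundle, intermediate sent by the server"  "$dir/root.pem" "$dir/vapp.pem" -untrusted "$dir/int.pem"
    report "root CA and intermediate both in the bundle"             "$dir/ca-bundle.cert" "$dir/vapp.pem"
    report "intermediate only, without partial-chain trust"          "$dir/int.pem" "$dir/vapp.pem"
    report "intermediate only, with -partial_chain"                  "$dir/int.pem" "$dir/vapp.pem" -partial_chain
    report "self-signed server cert in the bundle"                   "$dir/self.pem" "$dir/self.pem"
    rm -rf "$dir"
}

demo
```

The first scenario is the situation in the question: a CA-issued server certificate placed in the trust store does not make the chain valid, because the verifier still has to reach a trust anchor above it; the root (or, with partial-chain trust, the issuing CA) is what has to be in the bundle. To see what the vApp actually presents on 8443 or 8444 from the SPS host, `openssl s_client -connect <vapp ip>:8443 -showcerts </dev/null` prints the chain the server sends; the issuer of the first certificate is what ca-bundle.cert must chain up to, and if the server does not send its intermediate, the intermediate has to be in the bundle as well.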