Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Netware Access Gateway
Access Manager was installed and configured. When users accessed a protected resource on the Linux Access Gateway, error code 100101044 was returned in the browser. When the same protected resource was defined as a public resource (no contract assigned), everything worked fine.
After going to the IDP configuration and enabling more advanced IDP logging (application component log level set to configuration), the catalina.out file on the Linux Access Gateway showed the following entry:
SEVERE: Unable to load metadata for Embedded Service Provider: https://idp.cashell.com/nidp/idff/metadata, error: java.security.cert.CertificateException: Untrusted Certificate-chain
This indicates a problem with the certificate chain sent by the IDP server during the metadata exchange: the trusted root certificates for the IDP server certificate must be present in the LAG proxy's trusted root certificate store. Since the certificates were auto-imported, we assumed they were. Looking at the ics_dyn.log file on the LAG for certificate-related information, we found some interesting entries: a lot of 'trusted root not found' errors, for example:
May 1 09:20:25 appssitsix LINUX_AG: TIES : 0 : Trusted root'/opt/novell/conf/keys/tr/idpcerttr.der' not found, but proceeding with other trusted roots
Manually adding the trusted root certificates to the trust store fixed the problem. It appears the three certificates were not successfully imported by the auto-import feature.
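The check described above, scanning ics_dyn.log for 'trusted root not found' entries and confirming whether the referenced DER files are actually on disk, can be scripted. The following POSIX shell script is an added example and is not part of the original article or of Novell's product; the sample log lines are constructed from the entry quoted above (the second path, rootca.der, is invented for illustration), and the openssl check assumes the openssl command-line tool is installed on the gateway.

```shell
#!/bin/sh
# Added example (not from the original article): list which trusted-root files that the
# Access Gateway reports as "not found" in ics_dyn.log are really absent from disk, and,
# when openssl is available, confirm that the ones present parse as DER certificates.

# Extract the quoted paths from "Trusted root'<path>' not found" lines read on stdin.
extract_trusted_root_paths() {
    sed -n "s/.*Trusted root *'\([^']*\)' not found.*/\1/p"
}

# Read a log on stdin; print one line per distinct referenced trusted root:
#   MISSING <path>   file does not exist (the failed auto-import case from the article)
#   INVALID <path>   file exists but openssl cannot read it as a DER certificate
#   PRESENT <path>   file exists (and parses as DER if openssl is installed)
check_trusted_roots() {
    extract_trusted_root_paths | sort -u | while IFS= read -r path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif command -v openssl >/dev/null 2>&1 \
             && ! openssl x509 -inform DER -in "$path" -noout >/dev/null 2>&1; then
            echo "INVALID $path"
        else
            echo "PRESENT $path"
        fi
    done
}

# Count how many distinct trusted roots the log reports that are missing on this host.
count_missing_trusted_roots() {
    check_trusted_roots | grep -c '^MISSING '
}

# Constructed sample log excerpt modelled on the article's entry; the duplicate line shows
# that repeated complaints about the same file are reported only once.
SAMPLE_LOG="May  1 09:20:25 appssitsix LINUX_AG: TIES : 0 : Trusted root'/opt/novell/conf/keys/tr/idpcerttr.der' not found, but proceeding with other trusted roots
May  1 09:20:25 appssitsix LINUX_AG: TIES : 0 : Trusted root'/opt/novell/conf/keys/tr/rootca.der' not found, but proceeding with other trusted roots
May  1 09:20:25 appssitsix LINUX_AG: TIES : 0 : Trusted root'/opt/novell/conf/keys/tr/idpcerttr.der' not found, but proceeding with other trusted roots
May  1 09:20:26 appssitsix LINUX_AG: TIES : 0 : Proxy listener started"

# Usage on a real gateway: check_trusted_roots < /var/log/ics_dyn.log (path assumed)
printf '%s\n' "$SAMPLE_LOG" | check_trusted_roots
```

Any MISSING line means the store the proxy actually reads does not contain that root, whatever the administration console shows, which is exactly the mismatch behind the "Untrusted Certificate-chain" error; re-importing the root (or adding it manually, as in the resolution above) and re-running the script until no MISSING lines remain gives a verifiable end state.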