Environment
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Access Administration
Novell Access Management 3 Netware Access Gateway
Situation
Installed and configured a Novell Identity (IDP) Server and Linux
Access Gateway to talk HTTPS to the browser. Firefox browsers and
Internet Explorer 6 (IE6) worked fine: the user was presented with
the IDP login page and, after a successful authentication, the
secured protected resource was displayed.
An Internet Explorer 7 (IE7) browser was then tested and the IDP login page was never displayed. Traces showed that the SSL handshake from the browser to the IDP server would fail: after a full handshake, an SSL alert was sent and no subsequent partial handshake took place, something that always took place with IE6. Going directly to the IDP server from the same browser worked fine.
Resolution
Make sure that the trusted root certificate for the IDP server
certificate is imported into the browser.
When IE7 detects a server certificate that is signed by an unrecognised source (our tests were using a Novell CA), it displays an error and a warning that the user must accept before continuing. By importing the trusted root certificate for the Novell CA, we bypass this check and get to the IDP login page. When IE7 has to perform this check, however, it fails in its SSL handshake to the back-end IDP server.
The problem occurred regardless of whether TLS 1 was enabled or not.
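Before importing a root into browsers, it is worth confirming that the IDP server certificate actually chains to that root. The script below is an added example, not part of this TID; it assumes the openssl CLI is installed, and the CA and server certificates it checks are constructed on the fly (the names make_test_pki and verify_chain are hypothetical).

```shell
#!/bin/sh
# Added example (not from the Novell TID): does a server certificate chain to a
# given trusted root? This is the trust decision a browser makes before it will
# complete the handshake without a warning. Assumes the openssl CLI is present.
set -e
WORK=$(mktemp -d)

# Constructed stand-in for the Novell CA root, an IDP server certificate signed
# by it, and a second unrelated root that a browser might trust instead.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Test Root CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/idp.key" -out "$WORK/idp.csr" -subj "/CN=idp.example.com" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/idp.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/idp.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" -subj "/CN=Other Root CA" 2>/dev/null
}

# verify_chain <trusted-root.pem> <server-cert.pem>
# Prints "trusted" when the server certificate verifies against the given root,
# "untrusted" otherwise (the case that produces the IE7 warning), and returns
# non-zero in the untrusted case.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "trusted"
  else
    echo "untrusted"
    return 1
  fi
}

make_test_pki
verify_chain "$WORK/ca.pem" "$WORK/idp.pem" || true     # trusted
verify_chain "$WORK/other.pem" "$WORK/idp.pem" || true  # untrusted
```

Against a live server, the same check is `openssl s_client -connect host:443 -CAfile root.pem`, where the "Verify return code" line tells you whether the root you are about to import actually covers the IDP certificate.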