javax.net.ssl.SSLHandshakeException error handling the Linux Access Gateway server certificate

  • 3859632
  • 19-Nov-2007
  • 26-Apr-2012

Environment
Novell Access Management 3 Linux Access Gateway
Novell Access Manager 3 Support Pack 1 Interim Release 1 applied

Situation

A Web application, running on WebSphere 5, tries to establish an SSL connection to a Linux Access Gateway (LAG) protected resource. During the handshake, the LAG sends its server certificate and trusted roots down to the application. The application should validate that chain and then send an application-level request to the back-end Web server via the LAG. In the above scenario, the Web application instead throws a "got class javax.net.ssl.SSLHandshakeException!!! bad certificate".

When going directly to a Web server with the exact same certificate installed, the client web application works fine.

Resolution

Fixed with the LAG update in Access Manager 3 Support Pack 1 Interim Release 2 patch.

Looking at traces of the SSL handshake, the server certificate was sent down as expected. However, the intermediate and trusted root certificates that accompanied the server certificate were sent out of order. The server cert was issued by the intermediate, which in turn was issued by the trusted root certificate. The LAG sent the server certificate down, followed by the trusted root, and then by the intermediate certificate. The fix was to correct the order so that the intermediate was sent before the trusted root.
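The ordering rule behind this fix, as an added illustration that is not part of the TID or of any Novell or WebSphere code: the TLS specification requires each certificate in the Certificate message to directly certify the one before it, and a client that checks this strictly rejects the pre-fix order. Certificates are modelled here as constructed (subject, issuer) name pairs; the signature verification a real client also performs is left out.

```python
# Added example (not from the TID): checks a certificate chain's order as a
# strict TLS client would, and rebuilds leaf-first order by following issuer
# links. Certificates are modelled as (subject, issuer) pairs; the constructed
# names below stand in for the LAG server cert, its intermediate and the root.

LAG_SERVER = ("CN=lag.example.com", "CN=Example Intermediate CA")
INTERMEDIATE = ("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = ("CN=Example Root CA", "CN=Example Root CA")  # self-signed trusted root


def chain_is_ordered(chain):
    """Return True if every certificate after the first is the issuer of
    the certificate immediately before it (leaf first, root last)."""
    for prev, cert in zip(chain, chain[1:]):
        if prev[1] != cert[0]:  # prev.issuer must equal cert.subject
            return False
    return True


def order_chain(leaf, extras):
    """Rebuild leaf-first order by repeatedly looking up the issuer of the
    last certificate among the extra certificates that accompanied the leaf.
    Each certificate is used at most once, so a malformed set cannot loop."""
    pool = {subject: (subject, issuer) for subject, issuer in extras}
    ordered = [leaf]
    while ordered[-1][0] != ordered[-1][1]:  # stop once a self-signed root is reached
        issuer_name = ordered[-1][1]
        issuer = pool.pop(issuer_name, None)
        if issuer is None:
            raise ValueError("issuer %r missing from chain" % issuer_name)
        ordered.append(issuer)
    return ordered


# Order the LAG sent before the fix: server cert, trusted root, intermediate.
BROKEN_CHAIN = [LAG_SERVER, ROOT, INTERMEDIATE]
# Order after the fix: server cert, intermediate, trusted root.
FIXED_CHAIN = [LAG_SERVER, INTERMEDIATE, ROOT]

if __name__ == "__main__":
    print("pre-fix order accepted:", chain_is_ordered(BROKEN_CHAIN))  # False
    print("fixed order accepted:", chain_is_ordered(FIXED_CHAIN))  # True
    rebuilt = order_chain(LAG_SERVER, [ROOT, INTERMEDIATE])
    print("rebuilt order:", [subject for subject, _ in rebuilt])
```

A client that rebuilds the chain itself, as `order_chain` does, tolerates the misordered message; the WebSphere client in this TID did not, which is why the chain had to be fixed on the LAG side.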