Environment
Novell Access Management 3 Linux Access Gateway
Novell Access Manager 3 Support Pack 1 Interim Release 1 applied
Situation
A Web application running on WebSphere 5 tries to establish an
SSL connection to a Linux Access Gateway (LAG) protected resource.
During the SSL handshake the LAG sends its server certificate and the
accompanying trusted root and intermediate certificates down to the
application. The application should validate that chain and then send
an application-level request to the back-end Web server via the LAG.
In this scenario the Web application instead throws "got
class javax.net.ssl.SSLHandshakeException!!! bad
certificate".
When going directly to a Web server with the exact same certificate installed, the client web application works fine.
Resolution
Fixed with LAG update in Access Manager 3 Support Pack 1 Interim
release 2 patch.
Looking at traces of the SSL handshake, the server certificate was sent down as expected. However, the intermediate and trusted root certificates that accompanied the server certificate were sent out of order. The server certificate was issued by the intermediate, which in turn was issued by the trusted root certificate. The LAG sent the server certificate down, followed by the trusted root, and then by the intermediate certificate. A client that walks the chain in the order presented, as this one does, cannot find the issuer of the server certificate in the next position and rejects the handshake. The fix was to correct the order so that the intermediate was sent before the trusted root.
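The following is an added example, not code from the TID or from Novell: a Go check, using only the standard library, that mirrors a strict client walking the chain in presented order. It mints a constructed root, intermediate and server certificate (all names made up), presents them in the order the unpatched LAG used (server, root, intermediate) and in the corrected order, and reports whether each certificate is directly signed by the one that follows it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IsOrdered reports whether each certificate is directly signed by the next one (server cert first, then its issuers).
func IsOrdered(chain []*x509.Certificate) bool {
	for i := 0; i+1 < len(chain); i++ {
		if chain[i].CheckSignatureFrom(chain[i+1]) != nil {
			return false // the certificate after chain[i] is not its issuer
		}
	}
	return true
}

// mint issues a constructed test certificate; parent == nil means self-signed (a root).
func mint(cn string, ca bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign // only CAs may sign certificates
	}
	if parent == nil {
		parent, pk = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// LAGChains mints a constructed root -> intermediate -> server chain and returns it
// twice: as the unpatched LAG sent it (server, root, intermediate) and as corrected.
func LAGChains() (broken, fixed []*x509.Certificate) {
	root, rootKey := mint("Constructed Root CA", true, nil, nil)
	inter, interKey := mint("Constructed Intermediate CA", true, root, rootKey)
	server, _ := mint("lag.example.invalid", false, inter, interKey)
	return []*x509.Certificate{server, root, inter}, []*x509.Certificate{server, inter, root}
}
```

A chain-building client such as Go's own x509.Verify tolerates the wrong order, which is why the same certificate worked when installed directly on a Web server reached by a less strict client.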