Environment
Novell Access Manager 3.1
Situation
- Novell Access Manager Linux Access Gateway
- Linux Access Gateway has been configured to use the ".doNotUseTLS" touch file in order to avoid TLS 1.0 SSL handshake messages. This might be required with web application servers (such as Oracle application servers) that do not support TLS 1.0.
Resolution
To force the NIDP server to use SSLv3, apply the following change on the NIDP server and on the LAG.
On a NIDP server running on SLES (and on the LAG):
- change into the "/var/opt/novell/tomcat5/conf" directory
- create a backup copy of the existing "tomcat5.conf" file
- vi tomcat5.conf
- add the following line to the end of the file:
JAVA_OPTS="${JAVA_OPTS} -Dhttps.protocols=SSLv3"
- save the file and restart tomcat: "/etc/init.d/novell-tomcat5 restart"
On a NIDP server running on Windows:
- open Explorer and navigate to the "C:\Program Files (x86)\Novell\Tomcat\bin" directory
- run the tomcat5w Tomcat configuration tool
- open the Java tab
- move to the end of the Java Options list
- add the "-Dhttps.protocols=SSLv3" option
- save the changes and restart Tomcat
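The SLES steps above as a script, an added example that is not part of the TID and not Novell's own tooling: it backs up tomcat5.conf, appends the JAVA_OPTS line only if it is not already there, and reads back the https.protocols value the init script would hand to the JVM. The path and property value are the ones given above; the function names, the TOMCAT_CONF override and the sample file used for checking are ours.

```bash
#!/bin/bash
# Added example (not from the TID): apply the tomcat5.conf change from the
# Resolution section on a SLES NIDP/LAG host in an idempotent, reversible way.
# Path and property value come from the TID; the function names are ours.

TOMCAT_CONF="${TOMCAT_CONF:-/var/opt/novell/tomcat5/conf/tomcat5.conf}"
JAVA_OPTS_LINE='JAVA_OPTS="${JAVA_OPTS} -Dhttps.protocols=SSLv3"'

# Returns 0 if the given conf file already forces SSLv3 via https.protocols.
has_ssl3_option() {
    grep -q -- '-Dhttps.protocols=SSLv3' "$1"
}

# Make a timestamped backup copy of the conf file, then append the JAVA_OPTS
# line exactly once. Prints the backup path; returns 1 if the file is missing.
# (Restart with "/etc/init.d/novell-tomcat5 restart" afterwards, as the TID says.)
force_ssl3() {
    local conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 1; }
    local backup="${conf}.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$conf" "$backup"
    if ! has_ssl3_option "$conf"; then
        printf '%s\n' "$JAVA_OPTS_LINE" >> "$conf"
    fi
    echo "$backup"
}

# Print the https.protocols setting that results from sourcing the conf file
# the way the novell-tomcat5 init script does (tomcat5.conf is plain shell).
# Sourced in a subshell so the caller's environment is not touched.
effective_protocols() {
    ( JAVA_OPTS=""; . "$1"; printf '%s\n' "$JAVA_OPTS" | grep -o 'https.protocols=[^ "]*' )
}

# Usage on a real host (needs root):  force_ssl3 "$TOMCAT_CONF"
```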
Cause
By default the Novell Access Manager Identity Provider uses the strongest available SSL option, TLS 1.0, which fails if the LAG has been configured for SSL2/3 only with the touch file mentioned above.
Additional Information
catalina.out reports:
<amLogEntry> 2012-08-30T09:33:28Z INFO NIDS Application:
AM#500105025:
AMDEVICEID#8347FE17FBCB5AF6:
AMAUTHID#E32C056279179532FD81AC1B20CFF30E: IDP isrequesting metadata from ESP
https://esp.ecma.corp:443/nesp/idff/metadata
</amLogEntry>
<amLogEntry> 2012-08-30T09:33:28Z VERBOSE NIDS Application:
Attempting to connect to URL: https://esp.ecma.corp:443/nesp/idff/metadata via GET
</amLogEntry>
<amLogEntry> 2012-08-30T09:33:28Z DEBUG NIDS Application:
Method: URLUtil.connectToURL
Thread: http-212.246.141.142-8443-Processor8
Error connecting to URL Received fatal alert: bad_record_mac
</amLogEntry>
<amLogEntry> 2012-08-30T09:33:28Z SEVERE NIDS IDFF:
AM#100106001:
AMDEVICEID#8347FE17FBCB5AF6:
Unable to load metadata for Embedded ServiceProvider: https://esp.ecma.corp:443/nesp/idff/metadata, error:
Received fatal alert: bad_record_mac
</amLogEntry>
<amLogEntry> 2012-08-30T09:33:28Z DEBUG NIDS Application:
Method: CacheMap.trace
Thread: http-212.246.141.142-8443-Processor8
Retrieval of object com.novell.nidp.servlets.NIDPServletSession@17e0d93 from cache session succeeded using key E32C056279179532FD81AC1B20CFF30E. Cache size is 2
</amLogEntry>