Access Manager error 100101043 - IDP is unable to load ESP metadata since applying the ".doNotUseTLS" touch file on the LAG

  • 7010750
  • 07-Sep-2012
  • 07-Sep-2012

Environment

Novell Access Manager 3.1


Situation

  • Novell Access Manager Linux Access Gateway
  • Linux Access Gateway has been configured with the ".doNotUseTLS" touch file in order to avoid sending TLS 1.0 SSL handshake messages. This may be required with web application servers (such as Oracle application servers) that do not support TLS 1.0 at all.

Resolution

To force the NIDP server to use SSLv3, apply the following change on the NIDP server (running on SLES) and on the LAG:
  • change in to the "/var/opt/novell/tomcat5/conf" directory
  • create a backup copy of the existing "tomcat5.conf" file
  • vi tomcat5.conf
  • add the following line to the end of the file:
    JAVA_OPTS="${JAVA_OPTS} -Dhttps.protocols=SSLv3"
  • save the file and restart Tomcat: /etc/init.d/novell-tomcat5 restart
For an NIDP server running on Windows
  • open the explorer and navigate to the "C:\Program Files (x86)\Novell\Tomcat\bin" directory
  • run the tomcat5w tomcat configuration tool
  • open the JAVA tab
  • move to the end of the Java Options list
  • add the "-Dhttps.protocols=SSLv3" option
  • save the changes and restart tomcat

Cause

By default the Novell Access Manager Identity Provider negotiates the strongest available SSL option, TLS 1.0, which fails if the LAG has been restricted to SSL2/3 only with the touch file mentioned above.

Additional Information

catalina.out reports:

<amLogEntry> 2012-08-30T09:33:28Z INFO NIDS Application:
  AM#500105025:
   AMDEVICEID#8347FE17FBCB5AF6:
   AMAUTHID#E32C056279179532FD81AC1B20CFF30E:  IDP is requesting metadata from ESP
   https://esp.ecma.corp:443/nesp/idff/metadata
</amLogEntry>

<amLogEntry> 2012-08-30T09:33:28Z VERBOSE NIDS Application:
 Attempting to connect to URL: https://esp.ecma.corp:443/nesp/idff/metadata via GET
</amLogEntry>

<amLogEntry> 2012-08-30T09:33:28Z DEBUG NIDS Application:
  Method: URLUtil.connectToURL
  Thread: http-212.246.141.142-8443-Processor8
  Error connecting to URL Received fatal alert: bad_record_mac
</amLogEntry>

<amLogEntry> 2012-08-30T09:33:28Z SEVERE NIDS IDFF:
  AM#100106001:
   AMDEVICEID#8347FE17FBCB5AF6:
   Unable to load metadata for Embedded ServiceProvider: https://esp.ecma.corp:443/nesp/idff/metadata, error:
   Received fatal alert: bad_record_mac
</amLogEntry>

<amLogEntry> 2012-08-30T09:33:28Z DEBUG NIDS Application:
  Method: CacheMap.trace
  Thread: http-212.246.141.142-8443-Processor8

  Retrieval of object com.novell.nidp.servlets.NIDPServletSession@17e0d93 from cache session succeeded using key E32C056279179532FD81AC1B20CFF30E.  Cache size is 2
</amLogEntry>
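Detection logic for the failure shown in this catalina.out excerpt, as an added example that is not part of the article: it splits the log into amLogEntry blocks and flags AM#100106001 entries whose cause is a TLS fatal alert, so the IDP-to-ESP handshake mismatch can be spotted before users report login failures. The sample log is constructed from the excerpt above; the regular expressions and the ESP_METADATA_FAILED name are assumptions about the log layout, not Novell code.

```python
import re
from typing import List

# Constructed sample, modelled on the catalina.out excerpt in this article.
SAMPLE_LOG = """<amLogEntry> 2012-08-30T09:33:28Z DEBUG NIDS Application:
  Method: URLUtil.connectToURL
  Error connecting to URL Received fatal alert: bad_record_mac
</amLogEntry>

<amLogEntry> 2012-08-30T09:33:28Z SEVERE NIDS IDFF:
  AM#100106001:
   AMDEVICEID#8347FE17FBCB5AF6:
   Unable to load metadata for Embedded ServiceProvider: https://esp.ecma.corp:443/nesp/idff/metadata, error:
   Received fatal alert: bad_record_mac
</amLogEntry>
"""

# One <amLogEntry> block: timestamp, level, component, area, then a free-form body.
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(\S+)\s+(\w+)\s+(\w+)\s+(\w+):(.*?)</amLogEntry>", re.S)
TLS_ALERT_RE = re.compile(r"Received fatal alert: (\w+)")
ESP_METADATA_FAILED = "100106001"  # AM# code logged when ESP metadata cannot be loaded (assumed constant name)


def parse_entries(text: str) -> List[dict]:
    """Split catalina.out text into one dict per amLogEntry block."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        body = m.group(5).strip()
        code = re.search(r"AM#(\d+):", body)
        dev = re.search(r"AMDEVICEID#([0-9A-Fa-f]+):", body)
        entries.append({"timestamp": m.group(1), "level": m.group(2),
                        "area": m.group(4), "body": body,
                        "am_code": code.group(1) if code else None,
                        "device_id": dev.group(1) if dev else None})
    return entries


def find_metadata_tls_failures(entries: List[dict]) -> List[dict]:
    """Flag ESP metadata loads that failed because the peer sent a TLS fatal alert."""
    findings = []
    for e in entries:
        alert = TLS_ALERT_RE.search(e["body"])
        if e["am_code"] == ESP_METADATA_FAILED and alert:
            url = re.search(r"(https?://\S+?),", e["body"])
            findings.append({"timestamp": e["timestamp"], "device_id": e["device_id"],
                             "url": url.group(1) if url else None,
                             "alert": alert.group(1)})
    return findings
```

Run it over a real catalina.out by passing the file contents to parse_entries; a bad_record_mac or handshake_failure alert on the ESP metadata URL points at a protocol mismatch between IDP and LAG rather than at the metadata itself.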