No user friendly error message with NetIQ Access Manager x509 authentication if the browser client does not provide any user certificate

  • 7012488
  • 28-May-2013
  • 04-Aug-2015

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2.1

Situation

  • NIDP x509 authentication class, method, contract has been configured

  • Browser client does not store any user certificate

  • Running the x509 authentication causes the browser client to show only a generic connection error, because the TLS handshake is aborted before the IDP can render an error page:

    • Internet Explorer:
      "Internet Explorer cannot display the webpage"

    • Firefox:
      "Secure Connection Failed
      An error occurred during a connection to idpa31.kgast.nam.com:8443.
      SSL peer cannot verify your certificate.
      (Error code: ssl_error_bad_cert_alert)"

Resolution

  • edit "/opt/novell/nam/idp/conf/server.xml"
  • change the NIDP Connector directive "clientAuth" from "false" to "want" (with "want", the connector requests a client certificate but still completes the handshake when none is presented, so the request reaches the IDP and the x509 error page can be displayed)

    Example:
    ------------------------------------------------------------
     <Connector
        NIDP_Name="connector"
        SSLEnabled="true"
        URIEncoding="utf-8"
        acceptCount="100"
        address="10.168.10.100"
        ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA"
        clientAuth="want"
        disableUploadTimeout="true"
        enableLookups="false"
        keystoreFile="/opt/novell/devman/jcc/certs/idp/connector.keystore"
        keystorePass="o8stcJH2E34Tikr"
        maxThreads="600"
        minSpareThreads="5"
        port="8443"
        scheme="https" secure="true"
        sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation"
        sslProtocol="TLS" />
    ------------------------------------------------------------
  • edit "/opt/novell/nids/lib/webapp/jsp/x509err.jsp"
  • add a condition to catch the error code and substitute the error variable with a text of your choice
    ------------------------------------------------------------
      if (error != null && error.startsWith("NIDPLOGGING.200104001"))
      {
          error = "[Text of Your Choice]";
      }
    ------------------------------------------------------------

    Example:
    ------------------------------------------------------------
      <%
          ContentHandler handler = new ContentHandler(request,response);
          String strTypeError = handler.getResource(JSPResDesc.MSG_MESSAGE_TYPE_ERROR);
          String error     = (String) request.getAttribute(NIDPConstants.ATTR_ERR);
          String errcode   = (String) request.getAttribute("errcode");
          String cause     = (String) request.getAttribute(NIDPConstants.ATTR_CAUSE);
          String height = "460";

          if (error != null && error.startsWith("NIDPLOGGING.200104001"))
          {
              error = "No User Certificate has been provided";
          }
          if (null == error)
          {
              error = (String) request.getParameter(NIDPConstants.ATTR_ERR);
          }
          if (null == cause)
          {
              cause = (String) request.getParameter(NIDPConstants.ATTR_CAUSE);
          }   
      %>

      ------------------------------------------------------------
     
  • restart your NIDP server: "/etc/init.d/novell-idp restart"
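
    The following script is an added example and is not part of this TID or of the NetIQ product. It audits a server.xml for the NIDP connector (the Connector element whose NIDP_Name is "connector") and reports whether "clientAuth" is set to "want" as the resolution above requires. The embedded server.xml is a constructed sample modelled on the excerpt above; the keystorePass value in it is a placeholder, and a missing clientAuth attribute is treated as "false" on the assumption that this is the Tomcat default.

```python
"""Audit the clientAuth setting of the NIDP Tomcat connector in server.xml.

Added example, not NetIQ code. Parses the file with the standard library and
reports whether the NIDP connector uses clientAuth="want", the value the TID
recommends so that a browser without a user certificate still reaches the
x509 error page instead of a TLS handshake failure.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml modelled on the TID excerpt.
# keystorePass is a placeholder, not a real secret.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector NIDP_Name="connector" SSLEnabled="true" port="8443"
               address="10.168.10.100" clientAuth="false"
               scheme="https" secure="true"
               keystoreFile="/opt/novell/devman/jcc/certs/idp/connector.keystore"
               keystorePass="PLACEHOLDER_PASSWORD"
               sslProtocol="TLS" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

RECOMMENDED = "want"


def find_nidp_connector(xml_text, nidp_name="connector"):
    """Return the Connector element with the given NIDP_Name, or None."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("NIDP_Name") == nidp_name:
            return conn
    return None


def audit_client_auth(xml_text):
    """Return (status, current_value) for the NIDP connector.

    status is one of:
      "ok"                 clientAuth is already "want"
      "change-to-want"     clientAuth is something else (e.g. "false")
      "missing-connector"  no Connector with NIDP_Name="connector" found
    """
    conn = find_nidp_connector(xml_text)
    if conn is None:
        return ("missing-connector", None)
    # Assumption: an absent clientAuth attribute behaves as "false" (Tomcat default).
    value = (conn.get("clientAuth") or "false").strip().lower()
    if value == RECOMMENDED:
        return ("ok", value)
    return ("change-to-want", value)


def report(xml_text):
    """Build a one-line human readable verdict for the audit result."""
    status, value = audit_client_auth(xml_text)
    if status == "missing-connector":
        return "NIDP connector not found in server.xml"
    if status == "ok":
        return 'NIDP connector clientAuth="want": OK'
    return 'NIDP connector clientAuth="%s": change it to "want"' % value


if __name__ == "__main__":
    # Usage: python audit_clientauth.py [/opt/novell/nam/idp/conf/server.xml]
    # Without an argument the constructed sample above is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SERVER_XML
    print(report(text))
```

    The script only reads the file; apply the change itself by hand as described above, since re-serialising server.xml with ElementTree would drop any XML comments in it. Because server.xml carries the keystore password in clear text, keep the file readable only by the account that runs the IDP.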

Additional Information

Check out the section "Configuring X.509 Authentication to Provide Access Manager Error Message" from
https://www.netiq.com/documentation/access-manager-41/admin/data/b1tvhkg.html#x509validation for more details.