Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 3.2.1
Situation
- NIDP x509 authentication class, method, contract has been configured
- Browser client does not store any user certificate
- running the x509 authentication makes the browser show a connection error instead of an Access Manager error page:
- Internet Explorer:
"Internet Explorer cannot display the webpage"
- Firefox:
"Secure Connection Failed
An error occurred during a connection to idpa31.kgast.nam.com:8443.
SSL peer cannot verify your certificate.
(Error code: ssl_error_bad_cert_alert)"
Resolution
- edit "/opt/novell/nam/idp/conf/server.xml"
- change the NIDP Connector directive "clientAuth" from "false" to "want" (not "true": with "want" Tomcat requests a client certificate but still completes the TLS handshake when the browser has none, so the request reaches the IDP and x509err.jsp can render the error; with "true" the handshake is aborted and the browser shows the connection error again)
Example:
------------------------------------------------------------
<Connector
NIDP_Name="connector"
SSLEnabled="true"
URIEncoding="utf-8"
acceptCount="100"
address="10.168.10.100"
ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA"
clientAuth="want"
disableUploadTimeout="true"
enableLookups="false"
keystoreFile="/opt/novell/devman/jcc/certs/idp/connector.keystore"
keystorePass="o8stcJH2E34Tikr"
maxThreads="600"
minSpareThreads="5"
port="8443"
scheme="https" secure="true"
sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation"
sslProtocol="TLS" />
------------------------------------------------------------
- edit "/opt/novell/nids/lib/webapp/jsp/x509err.jsp"
- add a condition that catches the error code and substitutes the error variable with a text of your choice
------------------------------------------------------------
if (error != null && error.startsWith("NIDPLOGGING.200104001"))
{
error = "[Text of Your Choice]";
}
------------------------------------------------------------
Example:
------------------------------------------------------------
<%
ContentHandler handler = new ContentHandler(request,response);
String strTypeError = handler.getResource(JSPResDesc.MSG_MESSAGE_TYPE_ERROR);
String error = (String) request.getAttribute(NIDPConstants.ATTR_ERR);
String errcode = (String) request.getAttribute("errcode");
String cause = (String) request.getAttribute(NIDPConstants.ATTR_CAUSE);
String height = "460";
// NIDPLOGGING.200104001 is raised when the x509 class receives no user certificate
if (error != null && error.startsWith("NIDPLOGGING.200104001"))
{
error = "No User Certificate has been provided";
}
if (null == error)
{
error = (String) request.getParameter(NIDPConstants.ATTR_ERR);
}
if (null == cause)
{
cause = (String) request.getParameter(NIDPConstants.ATTR_CAUSE);
}
%>
------------------------------------------------------------
- restart your NIDP server: "/etc/init.d/novell-idp restart"
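As an added example (not from this TID and not NetIQ's own tooling), the script below performs the server.xml step and checks it: it locates the connector tagged NIDP_Name="connector", rewrites only its clientAuth attribute to "want", leaves every other byte (comments, the other connectors, attribute order) untouched, and re-parses the result so a broken file can never reach the IDP. The embedded server.xml is a constructed, trimmed-down sample; the function names and the VALID_VALUES table are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not a real NIDP server.xml: a trimmed Tomcat config with the
# shipped default clientAuth="false" on the NIDP connector plus a plain HTTP connector
# and a comment that the edit must leave untouched.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector: must not be touched -->
    <Connector port="8080" protocol="HTTP/1.1" clientAuth="false" />
    <Connector
        NIDP_Name="connector"
        SSLEnabled="true"
        address="10.168.10.100"
        clientAuth="false"
        keystoreFile="/opt/novell/devman/jcc/certs/idp/connector.keystore"
        port="8443"
        scheme="https" secure="true"
        sslProtocol="TLS" />
  </Service>
</Server>
"""

# Tomcat semantics of the attribute, which is why the TID asks for "want" and not "true":
#   false - the server never asks for a client certificate
#   want  - the server sends a CertificateRequest but completes the handshake without one,
#           so the request reaches NIDP and x509err.jsp can render an error
#   true  - the server aborts the handshake when no certificate is presented
VALID_VALUES = ("false", "want", "true")

CONNECTOR_RE = re.compile(r"<Connector\b[^>]*>")
CLIENT_AUTH_RE = re.compile(r'clientAuth\s*=\s*"[^"]*"')


def nidp_connector_span(xml_text):
    """Return the (start, end) span of the one Connector element tagged NIDP_Name="connector"."""
    spans = [m.span() for m in CONNECTOR_RE.finditer(xml_text)
             if 'NIDP_Name="connector"' in m.group(0)]
    if len(spans) != 1:
        raise ValueError(f"expected exactly one NIDP connector, found {len(spans)}")
    return spans[0]


def get_client_auth(xml_text):
    """Read clientAuth through a real XML parse, i.e. the value Tomcat itself would see."""
    root = ET.fromstring(xml_text)
    conns = [c for c in root.iter("Connector") if c.get("NIDP_Name") == "connector"]
    if len(conns) != 1:
        raise ValueError(f"expected exactly one NIDP connector, found {len(conns)}")
    return conns[0].get("clientAuth", "false")   # Tomcat default when the attribute is absent


def set_client_auth(xml_text, value="want"):
    """Return xml_text with clientAuth on the NIDP connector set to value.

    Only the bytes of that one attribute change; comments, other connectors and
    attribute order survive, which an ElementTree round-trip would not guarantee.
    The result is re-parsed so a typo can never leave a server.xml Tomcat refuses to load.
    """
    if value not in VALID_VALUES:
        raise ValueError(f"clientAuth must be one of {VALID_VALUES}, got {value!r}")
    start, end = nidp_connector_span(xml_text)
    element = xml_text[start:end]
    if CLIENT_AUTH_RE.search(element):
        element = CLIENT_AUTH_RE.sub(f'clientAuth="{value}"', element, count=1)
    else:
        # attribute missing entirely: add it right after the tag name
        element = element.replace("<Connector", f'<Connector clientAuth="{value}"', 1)
    new_text = xml_text[:start] + element + xml_text[end:]
    if get_client_auth(new_text) != value:          # also proves the result is well-formed XML
        raise RuntimeError("rewrite did not take effect")
    return new_text


if __name__ == "__main__":
    # Real use: read /opt/novell/nam/idp/conf/server.xml, write the result back, then
    # run /etc/init.d/novell-idp restart as the TID says.
    print("before:", get_client_auth(SAMPLE_SERVER_XML))
    fixed = set_client_auth(SAMPLE_SERVER_XML)
    print("after: ", get_client_auth(fixed))
```

After the restart, a TLS 1.2 handshake with "openssl s_client -connect idpa31.kgast.nam.com:8443" (the host from the Situation above) should now print an "Acceptable client certificate CA names" list, showing that the connector requests a certificate, and should still complete without one; with the old clientAuth="false" no such list appears.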
Additional Information
Check out the section "Configuring X.509 Authentication to Provide Access Manager Error Message" from
https://www.netiq.com/documentation/access-manager-41/admin/data/b1tvhkg.html#x509validation for more details.