SSL Mutual Authentication with web application server fails after migration from NAM 3.1 LAG to NAM 3.2 Access Gateway Appliance

  • 7013247
  • 11-Sep-2013
  • 11-Sep-2013

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 3.2.2
NetIQ Access Manager 3.2.2 Access Gateway Appliance

Situation

  • Setup has been migrated from Novell Access Manager 3.1.4 to NetIQ Access Manager 3.2
  • NAM 3.1 Linux Access Gateways have been migrated to NAM 3.2 Access Gateway Appliance
  • No configuration changes have been made
  • Running the proxy in debug mode writes the following errors to the error_log file

    httpd[27244]: [info] SSL Proxy connect failed
    httpd[27244]: [info] SSL Library Error: 336151570 error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate Subject CN in certificate not server name or identical to CA!?
    httpd[27244]: [info] Connection closed to child 0 with abortive shutdown (server www.netiq.com:443)
    httpd[27244]: [error] (502)Unknown error 502: proxy: pass request body failed to 10.0.1.120:8443 (10.0.1.120)

Resolution

Add the CA certificate that issued the Access Gateway's client certificate (plus any intermediate CAs in its chain) to the web application server's trust store for client authentication (usually as a trusted root), so that the server includes it in the distinguished name list of the TLS Certificate Request it sends to the client after the Server Hello. Please check your web application server documentation for details on how to achieve this.

Cause

The web application server did not send, in the distinguished name list of the Certificate Request that follows its Server Hello, a CA name matching the issuer of the client certificate configured at the Access Gateway Appliance proxy service.

With the Linux Access Gateway this had no impact, because the configured client certificate was always sent in response to a Certificate Request, regardless of the CA names the server advertised.

With the new Apache-based proxy services, the Certificate Request distinguished name list must contain a CA that matches the issuer of the configured client certificate (or a CA in its chain). Otherwise the proxy does not present a client certificate and the web application server rejects the connection, as shown in the error_log above.
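The selection rule above can be seen in a small model of the handshake. The following is an added illustration, not NetIQ or Apache code: it builds a TLS 1.2 Certificate Request (RFC 5246, section 7.4.4) with a given certificate_authorities list, parses the distinguished names back out on the client side, and then applies the rule the Apache-based proxy uses, namely offer a machine certificate only if its issuer DN is in the advertised list. The CA names, organisation and host name are constructed sample data; the "before fix" request lists only the application server's own CA, the "after fix" request also lists the CA that issued the Access Gateway's client certificate.

```python
"""Added illustration (not NetIQ or Apache code): how an Apache mod_ssl based
proxy chooses the client certificate it offers to a back-end web application
server.  It only offers a certificate whose issuer DN appears in the
certificate_authorities list of the server's TLS CertificateRequest
(RFC 5246, section 7.4.4).  All names and DER blobs below are constructed
sample data."""
import struct

# ---- minimal DER helpers (enough for X.501 Names made of O and CN) ----
OID_CN = bytes.fromhex("550403")   # id-at-commonName
OID_O = bytes.fromhex("55040a")    # id-at-organizationName
OID_NAMES = {OID_CN: "CN", OID_O: "O"}


def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_name(cn, org):
    """Encode Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AVA)."""
    def ava(oid, value):
        return der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, value.encode())))
    return der_tlv(0x30, ava(OID_O, org) + ava(OID_CN, cn))


def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def name_to_str(der):
    """Render a DER Name as 'O=...,CN=...' for log-style output."""
    _, seq, _ = der_read(der, 0)
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = der_read(seq, pos)          # one SET (RDN)
        _, ava, _ = der_read(rdn, 0)              # its single AttributeTypeAndValue
        _, oid, p = der_read(ava, 0)
        _, value, _ = der_read(ava, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)


# ---- TLS 1.2 CertificateRequest (handshake type 13) ----
def build_certificate_request(ca_names):
    """Server side: certificate_authorities is built from the CAs the web
    application server trusts for client authentication."""
    body = b"\x01\x01"                                   # certificate_types: rsa_sign
    sig_algs = b"\x04\x01\x05\x01"                       # sha256/rsa, sha384/rsa
    body += struct.pack("!H", len(sig_algs)) + sig_algs
    dns = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body += struct.pack("!H", len(dns)) + dns
    return b"\x0d" + len(body).to_bytes(3, "big") + body


def parse_certificate_authorities(msg):
    """Client side: pull the DistinguishedName list out of a CertificateRequest."""
    if msg[0] != 0x0D:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 1 + body[0]                                     # skip certificate_types
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip signature algorithms
    total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos, end, names = pos + 2, pos + 2 + total, []
    while pos < end:
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        names.append(body[pos + 2:pos + 2 + n])
        pos += 2 + n
    return names


def select_proxy_cert(cert_request, machine_certs):
    """Model of the proxy's client-cert choice: offer the first configured
    certificate whose issuer is in the advertised CA list, else offer nothing
    (the situation that produces the bad certificate alert in the article).
    Byte equality of the DER issuer is used here; OpenSSL compares a
    canonicalised form of the name, so it is slightly more lenient."""
    acceptable = parse_certificate_authorities(cert_request)
    for cert in machine_certs:
        if cert["issuer"] in acceptable:
            return cert
    return None


# ---- constructed scenario matching the article ----
NAM_CLIENT_CA = der_name("NAM Client CA", "Example Corp")   # issued the proxy's client cert
WEBAPP_CA = der_name("WebApp Server CA", "Example Corp")     # the only CA the app server trusted
MACHINE_CERTS = [{"subject": der_name("ag.example.com", "Example Corp"), "issuer": NAM_CLIENT_CA}]

REQUEST_BEFORE = build_certificate_request([WEBAPP_CA])                # before the fix
REQUEST_AFTER = build_certificate_request([WEBAPP_CA, NAM_CLIENT_CA])  # after adding the client CA


def diagnose(cert_request, machine_certs=MACHINE_CERTS):
    """Return (advertised CA names, subject of the cert the proxy would offer or None)."""
    advertised = [name_to_str(n) for n in parse_certificate_authorities(cert_request)]
    chosen = select_proxy_cert(cert_request, machine_certs)
    return advertised, (name_to_str(chosen["subject"]) if chosen else None)


if __name__ == "__main__":
    for label, req in (("before fix", REQUEST_BEFORE), ("after fix", REQUEST_AFTER)):
        advertised, chosen = diagnose(req)
        print(f"{label}: server advertises {advertised}; proxy offers {chosen}")
```

On a real system the same check is done with `openssl s_client -connect <webserver>:<port>`: its output lists the advertised DNs under "Acceptable client certificate CA names", and that list must contain the issuer printed by `openssl x509 -noout -issuer -in <client-cert.pem>` for the certificate configured on the proxy service.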
