"Error Validating X509 Certificate of Trusted Provider" message after adding SAML2 Identity Provider (IDP) to NAM SAML2 configuration

  • 7015219
  • 18-Jun-2014
  • 25-Mar-2015

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager Admin Console
NetIQ Access Manager Identity Server setup for SAML2

Situation

An administrator is trying to establish a trust relationship between NAM, acting as the SAML2 Service Provider, and a NetIQ SocialAccess appliance acting as the SAML2 Identity Provider (IDP). After importing the IDP metadata, the NAM Identity Server reports a yellow health status with the following error:

System Event Time: 2014-06-04 17:40:43
Age: 20H 1M 421Ms
Level: Functional Loss
Comments:
Unable to validate SAML2 Trusted Identity Provider. The trusted relationship with this entity will not be functional!
Error Validating X509 Certificate of Trusted Provider
Trusted Provider Type: SAML2 Trusted Identity Provider
Trusted Provider Id: https://saapp.netiq.com/osp/a/t1/auth/saml2/metadata
Error Validating X509 Signing Certificate
X509 Certificate Version: 3
X509 Certificate Subject: CN=ag4csrv1 O=Novell Inc ST=UT C=US
X509 Certificate Issuer: CN=ag4csrv1 O=Novell Inc ST=UT C=US
X509 Certificate Serial Number: 10974212810643347272
X509 Certificate Start Date: 2014-05-26 21:12:33
X509 Certificate Expiration Date: 2016-05-25 21:12:33
X509 Certificate Validation Root Exception: com.novell.nidp.NIDPException: class configured for CertPathBuilder: org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi not a CertPathBuilder
Root Cause: java.security.NoSuchAlgorithmException: class configured for CertPathBuilder: org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi not a CertPathBuilder

The appropriate trusted roots have already been added to the NIDP-Trust store, yet the error persists.

Resolution

Disable the OCSP check on NAM as follows:

a) Modify /opt/novell/nam/idp/conf/tomcat7.conf and add the line:

JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"

b) Restart the IDP server using 'rcnovell-idp restart'.
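The two resolution steps above, carried out as an idempotent script rather than a hand edit. This is an added example, not part of the NetIQ TID: it uses the tomcat7.conf path, the JAVA_OPTS line and the rcnovell-idp restart command exactly as the TID gives them, appends the line only if it is not already there, keeps a dated backup so the change can be reverted, and after the restart checks that the running JVM actually carries the flag (the NAM_IDP_CONF variable, the function names and the "apply" argument are this example's own conventions).

```shell
#!/bin/sh
# Added example (not NetIQ's own tooling): apply the TID's JAVA_OPTS change
# to the IDP's tomcat7.conf once, back the file up, restart, and verify.
# Assumptions: the path and restart command are those named in the TID;
# NAM_IDP_CONF is this script's own override for testing against a copy.

CONF="${NAM_IDP_CONF:-/opt/novell/nam/idp/conf/tomcat7.conf}"
OPT='-Dcom.novell.nidp.serverOCSPCRL=false'
# Expands to exactly the line the TID tells you to add.
LINE="JAVA_OPTS=\"\${JAVA_OPTS} ${OPT}\""

# add_ocsp_opt FILE: append the JAVA_OPTS line once. A second run is a no-op,
# so re-applying the fix never produces duplicate JAVA_OPTS lines.
add_ocsp_opt() {
    f="$1"
    if grep -qF -- "$OPT" "$f"; then
        echo "serverOCSPCRL option already present in $f"
        return 0
    fi
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"   # keep a revert point
    printf '%s\n' "$LINE" >> "$f"
}

# check_ocsp_opt FILE: succeed only if the option occurs exactly once.
check_ocsp_opt() {
    [ "$(grep -cF -- "$OPT" "$1")" -eq 1 ]
}

# verify_running: after the restart, confirm the IDP's JVM command line
# carries the flag; an edit that another file overrides would silently do nothing.
verify_running() {
    ps -eo args | grep -F -- "$OPT" | grep -v grep >/dev/null
}

main() {
    add_ocsp_opt "$CONF"
    check_ocsp_opt "$CONF" || { echo "option not set exactly once in $CONF" >&2; exit 1; }
    rcnovell-idp restart
    verify_running && echo "serverOCSPCRL=false is active in the running IDP"
}

# Act only when invoked as "script.sh apply"; otherwise the functions are just
# defined, so the script can be sourced and its pieces tested on a copy.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

The property name, com.novell.nidp.serverOCSPCRL, indicates that the flag switches off the IDP's OCSP/CRL revocation check for trusted-provider certificates, which is why the script keeps the backup: the file can be restored and the IDP restarted to re-enable the check later. Point NAM_IDP_CONF at a copy of tomcat7.conf to rehearse the edit before touching the live file.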