x509 authentication with custom error pages fails after upgrading to 4.1 from 4.0

  • 7016736
  • 06-Aug-2015
  • 06-Aug-2015

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Manager Identity Server setup to authenticate users using x509 class
Certificate errors customised using https://www.netiq.com/documentation/netiqaccessmanager4/identityserverhelp/data/x509validation.html

Situation

Access Manager 4.0 was set up and working well. The Identity Server predominantly authenticated users with the X509 class, and the certificate error pages had been customised by adding a second connector on TCP 8448 as the documentation describes (with clientAuth="want" on that server.xml connector, so that a browser presenting no certificate still completes the TLS handshake and reaches an Identity Server error page instead of being dropped at the TLS layer). The goal of this change was to report better error messages when users on Internet Explorer failed to submit any certificate.

After the customer upgraded to 4.1, users who had authenticated successfully with their certificates on 4.0 failed. Firefox simply displayed the "ssl_error_bad_cert_alert" message (Firefox shows this when the server answers the handshake with a fatal bad_certificate alert) instead of establishing the connection and receiving a proper Access Manager error page from the Identity Server.

Resolution

Add the following attribute to the custom 8448 connector in the Identity Server's server.xml, then restart the Identity Server so that Tomcat re-reads the file:

protocol="org.apache.coyote.http11.Http11Protocol"

This pins the connector to the blocking JSSE HTTP/1.1 implementation instead of leaving the choice to the default protocol="HTTP/1.1" alias, whose resolution depends on the Tomcat version (and on whether the APR library is present), and therefore changed with the Tomcat shipped in 4.1. The custom sslImplementationName and clientAuth="want" settings on this connector keep working only with the implementation named explicitly here.

The complete entry should look like the following (change the address, port and keystore path/password to match your setup):

    <Connector NIDP_Name="connector"
               SSLEnabled="true"
               URIEncoding="utf-8"
               acceptCount="100"
               address="151.155.132.193"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA"
               clientAuth="want"
               disableUploadTimeout="true"
               enableLookups="false"
               keystoreFile="/opt/novell/devman/jcc/certs/idp/connector.keystore"
               keystorePass="6p0hrnlZ4cKiaVQ"
               maxThreads="600"
               minSpareThreads="5"
               port="8448"
               scheme="https"
               secure="true"
               sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation"
               protocol="org.apache.coyote.http11.Http11Protocol"
               sslProtocol="TLS"/>

Two cautions about this sample. The ciphers list is the customer's own and contains RC4, 3DES, MD5-based and Kerberos suites that are considered weak today; keep only the AES suites (or whatever your current policy mandates) rather than copying the list verbatim. The keystorePass value sits in clear text in server.xml, so restrict that file to the account Tomcat runs as, and do not reuse the value shown here.
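The attribute above is only useful if the connector really does request a client certificate again and still completes the handshake when none is sent. The following probe, added here as an example and not part of the TID or of NetIQ's product, uses openssl s_client to check exactly that from a workstation. The host name idp.example.com and the port are hypothetical placeholders; the classifier works on the -msg transcript, so it can also be pointed at a saved transcript instead of a live connector.

```shell
#!/bin/sh
# Added example for this TID, not code from the KB article or from NetIQ: a probe
# that confirms the 8448 connector again behaves like clientAuth="want" after the
# protocol attribute has been added. Hypothetical assumptions: idp.example.com:8448
# is the custom connector, and openssl s_client (1.0.2 or newer, for -msg) is on PATH.

# Run one handshake against host:port, deliberately offering no client certificate,
# and emit the -msg transcript. stdin is closed so s_client exits right after the
# handshake (or after the alert that replaces it).
probe_connector() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -msg </dev/null 2>&1
}

# Classify an s_client -msg transcript read from stdin and print one word:
#   want   - CertificateRequest seen and the server still sent its Finished: the
#            handshake completed without a cert, which the custom error pages rely on
#   need   - CertificateRequest seen, then a fatal alert from the server: the symptom
#            of this TID (Firefox reports ssl_error_bad_cert_alert), or a connector
#            configured with clientAuth="true"
#   none   - the handshake completed but the server never asked for a certificate
#   failed - the handshake broke for a reason unrelated to client authentication
classify_transcript() {
    transcript=$(cat)
    asked=0; aborted=0; completed=0
    # The server's CertificateRequest handshake message.
    if printf '%s\n' "$transcript" | grep -q ', CertificateRequest'; then asked=1; fi
    # A fatal alert received from the server ("<<<" marks inbound records); the
    # warning close_notify exchanged on shutdown is deliberately ignored.
    if printf '%s\n' "$transcript" | grep -q '^<<< .*Alert.*fatal'; then aborted=1; fi
    # The server sends its Finished only after accepting the (empty) client
    # Certificate and the key exchange.
    if printf '%s\n' "$transcript" | grep -q '^<<< .*, Finished'; then completed=1; fi

    if [ "$asked" -eq 0 ]; then
        if [ "$completed" -eq 1 ]; then printf 'none\n'; else printf 'failed\n'; fi
    elif [ "$aborted" -eq 1 ] || [ "$completed" -eq 0 ]; then
        printf 'need\n'
    else
        printf 'want\n'
    fi
}

# Usage: sh check_want.sh idp.example.com:8448
if [ $# -gt 0 ]; then
    probe_connector "$1" | classify_transcript
fi
```

A result of "want" after the change (and "need" on a 4.1 box before it) confirms the fix; "none" means the connector you probed is not the one carrying clientAuth="want" at all, typically the standard 8443 connector. Because s_client offers no certificate, the probe never touches a user's key, so it is safe to run from any workstation that can reach port 8448.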