'Web Server trusted root' check not performed when communicating with secure web servers after upgrading to NAM 4.3

  • 7018317
  • 23-Nov-2016
  • 23-Nov-2016

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
NetIQ Access Gateway

Situation

Access Manager 4.3 is set up and working well: users can authenticate against the Identity Server and access protected resources behind the Access Gateway (AG). Some of the protected resources run on secure web servers for which validation of the trusted roots is enabled as part of the AG configuration, i.e. where the 'Web Server trusted root' option is set to 'Any in reverse proxy trust store'.

After upgrading all components to NAM 4.3, the administrator added a new secure internal web server to accelerate with the AG. The server had a server certificate issued by an internal CA, but the CA certificate was not exported and added to the trust store. As a test, users accessed the application on this secure web server and were unexpectedly allowed through. This should not have happened, as the trusted root was not in the proxy trust store.

Resolution

This is a bug with NAM 4.3. As a workaround, go to the Advanced Options of the newly added proxy service and add the following entry:

SSLProxyVerify on
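
To confirm what the AG is expected to decide for a given back-end server, the trust decision can be reproduced offline with the openssl command line. The script below is an added example, not part of the original TID or of Access Manager. It assumes the proxy trust store has been exported as a PEM bundle, and every certificate and file name in it is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: does a back-end server certificate chain to a root in an
# exported trust store bundle? All certificates and names are constructed.

# chain_trusted TRUSTSTORE_PEM SERVER_CERT_PEM
# Returns 0 only if the server certificate verifies against the bundle.
chain_trusted() {
    # -no-CApath keeps the system root directory out of the decision
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR
# Builds constructed test material: an internal CA, an unrelated root that
# stands in for the existing trust store content, and a server certificate
# issued by the internal CA (the situation described above).
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Internal CA" \
        -keyout "$dir/internal-ca.key" -out "$dir/internal-ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Other Root" \
        -keyout "$dir/other-root.key" -out "$dir/other-root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=app.internal.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -days 2 \
        -CA "$dir/internal-ca.pem" -CAkey "$dir/internal-ca.key" \
        -CAcreateserial -out "$dir/server.pem" 2>/dev/null
}

# Demonstration: the same server certificate checked against a trust store
# without the internal CA, then against one that contains it.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
for store in other-root.pem internal-ca.pem; do
    if chain_trusted "$demo_dir/$store" "$demo_dir/server.pem"; then
        echo "trust store $store: server certificate accepted"
    else
        echo "trust store $store: server certificate rejected"
    fi
done
rm -rf "$demo_dir"
```

If this check rejects the certificate but users still reach the application through the AG, the proxy service is not validating the trusted root.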