'Web Server trusted root' check not performed when communicating with secure web servers after upgrading to NAM 4.3

  • 7018317
  • 23-Nov-2016
  • 23-Nov-2016


NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
NetIQ Access Gateway


Access Manager 4.3 setup and working well - users can authenticate against the Identity Server and access protected resources behind the Access Gateway (AG). Some of the protected resources are running on secure web servers where a validation of the trusted roots is enabled as part of the AG configuration ie. where 'Web Server trusted root' option is set to 'Any in reverse proxy trust store'.

After upgrading all components to NAM 4.3, admin added a new secure internal web server to accelerate with the AG. The server had a server certificate issued by an internal CA, but the CA cert was not exported and added to the truststore. As a test, users accessed the application on this secure web server and were unexpectedly allowed through. This should not have happened as the trusted root was not in the proxy trust store.


This is a bug with NAM 4.3. As a workaround, go to the Advanced Options of the newly added proxy service and add the following entry:

SSLProxyVerify on