x509 Authentication with NAM-Appliance stops working after upgrade from 4.4.4 to 4.5

  • 7024026
  • 22-Jul-2019

Environment

  • Access Manager 4.5
  • Access Manager Appliance (Single Box Solution)

Situation

  • x509 Authentication with NAM-Appliance stops working after upgrade from 4.4.4 to 4.5

  • User Certificate cannot be retrieved from the browser client reporting: "Error: Could not get client certificate."

  • catalina.out reports:
    ++++++++++++++++++++++++++++++++++++++++++++++++++
    Warning: Invalid resource key: X509 Redirection Host is configured to : null. No prefix!
    <amLogEntry> 2019-07-04T14:08:52Z DEBUG NIDS Application: X509 Redirection Host is configured to : null </amLogEntry>

    Warning: Invalid resource key: Error calculating the redirect URLs. No prefix!
    <amLogEntry> 2019-07-04T14:08:52Z WARNING NIDS Application: Error calculating the redirect URLs </amLogEntry>

    <amLogEntry> 2019-07-04T14:08:52Z DEBUG NIDS Application:
    Method: X509Class.validateX509
    Thread: ajp-nio-127.0.0.1-9019-exec-11
    This X509 authentication request was NOT proxied from another cluster member. Obtaining client X509 certificates from client using this cluster member! </amLogEntry>

    <amLogEntry> 2019-07-04T14:08:52Z DEBUG NIDS Application:
    Method: X509Class.validateX509
    Thread: ajp-nio-127.0.0.1-9019-exec-11
    Renegotiating with client for X509 certificates! </amLogEntry>

    <amLogEntry> 2019-07-04T14:08:52Z DEBUG NIDS Application:
    Method: X509Class.validateX509
    Thread: ajp-nio-127.0.0.1-9019-exec-11
    Could not get Client Certificate! </amLogEntry>

    <amLogEntry> 2019-07-04T14:08:52Z SEVERE NIDS Application: AM#200104001: AMDEVICEID#9CBE4302EF3DDAA3: AMAUTHID#193022262a451fe654b930762be708f65db4fbea1672cd0117c2d00bbbd75602:  Could not get client certificate.
    </amLogEntry>

    ++++++++++++++++++++++++++++++++++++++++++++++++++

Resolution


  • This issue has been reported to engineering and will be fixed in NAM 4.5 SP1.

  • A possible workaround is to configure the Access Gateway to pass the user certificate to the NIDP server in an HTTP header, as documented at: https://www.netiq.com/documentation/access-manager-45-appliance/admin/data/x509validation.html.

  • Select "Read certificate from http header" and specify the header name. This configuration is required when Identity Server is configured as a public resource behind a reverse proxy other than an Access Manager Access Gateway reverse proxy. If the proxy is configured to send the user certificate to Identity Server as PEM encoded data in an HTTP header, Identity Server can read this header value and complete X.509 authentication. For example, if Identity Server is behind Apache, add the following advanced Apache configuration with the rewrite module to send the user certificate to Identity Server through a custom header called SSL-Client-Cert.
 SSLVerifyClient optional_no_ca
 SSLVerifyDepth 10
 RequestHeader set SSL-Client-Cert "%{SSL_CLIENT_CERT}s"
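Added example (not from this article or the product): how the receiving side should handle the SSL-Client-Cert header that the Apache snippet above sets. mod_headers flattens the line breaks of %{SSL_CLIENT_CERT}s into spaces, so the value has to be cleaned before decoding, and it should only be honoured when the request really arrived from the proxy that sets it, since a directly reachable Identity Server would otherwise accept whatever the header says. The header name, the trusted proxy ranges and the certificate bytes are assumptions or constructed values.

```python
import base64
import binascii
import ipaddress

# Added example (not product code): handle the SSL-Client-Cert header that the
# Apache snippet above produces. mod_headers flattens the newlines of
# %{SSL_CLIENT_CERT}s into spaces, so the receiver must strip the whitespace
# before base64-decoding, and must only trust the header when the request
# actually came through the proxy that sets it. Sample values are constructed.
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def der_is_sequence(der):
    """True if der is exactly one DER SEQUENCE, the outer shape of an X.509 certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_from_header(value):
    """Return the certificate as DER bytes, or None when the header is absent or malformed."""
    body = (value or "").strip()
    if not (body.startswith(BEGIN) and body.endswith(END)):
        return None
    b64 = "".join(body[len(BEGIN):-len(END)].split())   # remove the spaces Apache inserted
    try:
        der = base64.b64decode(b64, validate=True)      # reject stray characters, bad padding
    except binascii.Error:
        return None
    return der if der_is_sequence(der) else None

def client_cert_from_request(headers, remote_addr, trusted_proxies):
    """Honour SSL-Client-Cert only when the peer is the reverse proxy that sets it."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(net) for net in trusted_proxies):
        return None
    lookup = {k.lower(): v for k, v in headers.items()}
    return pem_from_header(lookup.get("ssl-client-cert"))
```

The DER check only validates the outer SEQUENCE; the real product still has to parse and validate the certificate chain after this step.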

Additional Information

With the NAM Appliance the IDP server is protected by the Access Gateway. Because SSL mutual authentication is end-to-end, the Access Gateway has to pass the certificate on to the IDP server by another route. By default this is done over the AJP connector that the NAM-Service reverse proxy creates with the Apache ProxyPass directive:
++++++++++++++++++++++++++++++++++++++++++++++++++
ProxyPass /nidp/nidpsecure ajp://127.0.0.1:9019/nidp
ProxyPass /nidp ajp://127.0.0.1:9019/nidp
++++++++++++++++++++++++++++++++++++++++++++++++++
The user certificate is passed in the AJP payload when the NIDP login URI "/nidp/app/login" is called:
++++++++++++++++++++++++++++++++++++++++++++++++++
Apache JServ Protocol v1.3
    Magic: 1234
    Length: 683
    Code: FORWARD REQUEST (2)
    Method: GET (2)
    Version: HTTP/1.1
    URI: /nidp/app/login
    RADDR: 192.168.0.13
    RHOST:
    SRV: nam.kgast.local
    PORT: 443
    SSLP: True
    NHDR: 10
    nam.kgast.local
    Keep-Alive
    https://nam.kgast.local/nidp/jsp/main.jsp?id=X509&sid=0
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
    */*
    X-Requested-With: XMLHttpRequest
    de-DE
    gzip, br
    JSESSIONID=028B350CCDD8215C15B94E3AE0961502
    Via: 1.1 nam.kgast.local (Access Gateway-ag-7876E6E391A54344-)
    public
    id=X509&sid=0&option=credential&sid=0&uiDestination=contentDiv
    ECDHE-RSA-AES256-GCM-SHA384
    SSL-Key-Size: 256
    AJP_SSL_PROTOCOL: TLSv1.2
    AJP_REMOTE_PORT: 64358
    AJP_LOCAL_ADDR: 192.168.0.200
-----BEGIN CERTIFICATE-----
MIIFFTCCA/2gAwIBAgIUQXvaVpH76MfUBUwPUkpITY9yzfswDQYJKoZIhvcNAQEL
BQAwMjEaMBgGA1UECxMRT3JnYW5pemF0aW9uYWwgQ0ExFDASBgNVBAoUC2lkcGEz
MV90cmVlMB4XDTE5MDEzMDA2NTMw************************************
**********************
-----END CERTIFICATE-----
   ECDHE-RSA-AES256-GCM-SHA384
   AJP_SSL_PROTOCOL TLSv1.2
++++++++++++++++++++++++++++++++++++++++++++++++++
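To make the dump above concrete, here is an added example (not code from the article or the product) of a minimal AJP13 FORWARD_REQUEST encoder and decoder. It shows that on the 127.0.0.1:9019 connector the client certificate rides as request attribute 0x07 (ssl_cert), separate from the HTTP headers, which is why a broken AJP path leaves the IDP without a certificate even though the TLS handshake succeeded. Header and attribute codes follow the AJP13 specification; the addresses, host name and certificate text are constructed.

```python
import struct

# Added example (not product code): minimal AJP13 FORWARD_REQUEST encoder/decoder
# showing where the client certificate travels on the 127.0.0.1:9019 connector:
# as request attribute 0x07 (ssl_cert), not as an HTTP header. Constructed values.
FORWARD_REQUEST, GET, END = 2, 2, 0xFF
A_SSL_CERT, A_REQ_ATTR = 0x07, 0x0A
HDR_CODES = {"accept": 0xA001, "host": 0xA00B, "user-agent": 0xA00E}   # subset of coded headers
CODE_HDRS = {v: k for k, v in HDR_CODES.items()}

def ajp_str(text):                      # AJP string: 2-byte length, bytes, NUL terminator
    b = text.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"

def read_str(buf, pos):                 # inverse of ajp_str -> (text, next position)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 3 + n

def forward_request(uri, headers, attrs, ssl_cert=None):
    # Build the packet the Access Gateway's ProxyPass ajp:// line sends to Tomcat
    body = bytes([FORWARD_REQUEST, GET]) + ajp_str("HTTP/1.1") + ajp_str(uri)
    body += ajp_str("192.168.0.13") + ajp_str("") + ajp_str("nam.example.test")
    body += struct.pack(">H", 443) + b"\x01" + struct.pack(">H", len(headers))   # port, is_ssl, count
    for name, value in headers.items():
        code = HDR_CODES.get(name.lower())
        body += (struct.pack(">H", code) if code else ajp_str(name)) + ajp_str(value)
    if ssl_cert:                        # the PEM rides as a dedicated attribute
        body += bytes([A_SSL_CERT]) + ajp_str(ssl_cert)
    for name, value in attrs.items():   # e.g. AJP_SSL_PROTOCOL
        body += bytes([A_REQ_ATTR]) + ajp_str(name) + ajp_str(value)
    return b"\x12\x34" + struct.pack(">H", len(body) + 1) + body + bytes([END])

def parse_forward_request(pkt):
    # Return (uri, headers, attributes); raise on a malformed packet
    (length,) = struct.unpack_from(">H", pkt, 2)
    if pkt[:2] != b"\x12\x34" or len(pkt) != 4 + length or pkt[4] != FORWARD_REQUEST:
        raise ValueError("not an AJP13 forward request")
    buf, pos = pkt[4:], 2               # skip prefix code and method byte
    _, pos = read_str(buf, pos)         # protocol
    uri, pos = read_str(buf, pos)
    for _ in range(3):                  # remote_addr, remote_host, server_name
        _, pos = read_str(buf, pos)
    (num_headers,) = struct.unpack_from(">H", buf, pos + 3)   # skip server_port and is_ssl
    pos, headers, attrs = pos + 5, {}, {}
    for _ in range(num_headers):
        (tag,) = struct.unpack_from(">H", buf, pos)
        name, pos = (CODE_HDRS[tag], pos + 2) if (tag & 0xFF00) == 0xA000 else read_str(buf, pos)
        headers[name.lower()], pos = read_str(buf, pos)
    while buf[pos] != END:              # attributes run until the 0xFF terminator
        code, pos = buf[pos], pos + 1
        name, pos = read_str(buf, pos) if code == A_REQ_ATTR else ({A_SSL_CERT: "ssl_cert"}[code], pos)
        attrs[name], pos = read_str(buf, pos)
    return uri, headers, attrs
```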

In catalina.out you will see that the IDP server triggers the Access Gateway to run an SSL renegotiation in order to retrieve the user certificate:
++++++++++++++++++++++++++++++++++++++++++++++++++
<amLogEntry> 2019-07-22T08:17:41Z DEBUG NIDS Application:
Method: X509Class.validateX509
Thread: ajp-nio-127.0.0.1-9019-exec-20
Renegotiating with client for X509 certificates! </amLogEntry>

++++++++++++++++++++++++++++++++++++++++++++++++++