
“User is not entitled to Mobility Suite” error when logging into the admin console using VIP two factor authentication

Article ID: 163555

Products

Mobility Suite

Issue/Introduction

Administrative users cannot access the Mobility Admin console using VIP two-factor authentication. They are presented with a "User is not entitled to Mobility Suite" error message.

+0000,logname=aclog,level=ERROR,module=client,function=response,line=209,tenant=adam,username=,sessionid=6bxxt71i5m4kg45sy7xqgosf1on2lfgh,url=/appstore/saml2/vip_consumer,msgid=,func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/OU=Production VIP Manager Super Admin/O=VeriSign, Inc./CN=VIPLoginSuperAdmin2016;err=20;msg=unable to get local issuer certificate func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
FAIL SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 Error: failed to verify file "/vol1/nukona/tmp/tmpXp1U5_"

Note: The "/vol1/nukona/tmp/tmpXp1U5_" file name varies with each authentication attempt.

Environment

Symantec Mobility Suite 5.5 and earlier

Cause

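VIP updated the client authentication signing certificates used to validate the VIP SAML assertion. The issuer of the new signing certificate is not in the front-end's CA bundle, so signature verification of the assertion fails with "unable to get local issuer certificate".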

Resolution

Important: Contact Symantec technical support to obtain the VeriSign_Identity_Protection_Root_CA.crt certificate.

Append the VeriSign_Identity_Protection_Root_CA.crt to the /etc/ssl/certs/ca-bundle.crt file on each front-end (FE).

  1. Copy the attached VeriSign_Identity_Protection_Root_CA.crt file to each Mobility front-end (FE).
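  2. Append VeriSign_Identity_Protection_Root_CA.crt to /etc/ssl/certs/ca-bundle.crt with a command like the following. The redirection has to run inside the root shell; with "sudo cat file >> bundle" it is performed by the unprivileged calling shell and fails with a permission error.
    sudo sh -c 'cat VeriSign_Identity_Protection_Root_CA.crt >> /etc/ssl/certs/ca-bundle.crt'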

Note: There is no need to restart any services.  
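
A more defensive form of step 2, as an added example rather than Symantec's own procedure: it backs up the bundle, skips the append when the certificate is already present, and handles a bundle that lacks a trailing newline. The script name append_ca.sh, the function names and the .bak suffix are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not vendor code. Save as append_ca.sh (hypothetical name).

# Print the base64 body of the first certificate in file $1 as one line.
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
         /-----END CERTIFICATE-----/   { exit }
         on { gsub(/[ \t\r]/, ""); printf "%s", $0 }' "$1"
}

# Succeed if the certificate in CERT ($2) is already present in BUNDLE ($1).
bundle_has_cert() {
    want=$(pem_body "$2")
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ { on = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (body == want) found = 1; on = 0; next }
        on { gsub(/[ \t\r]/, ""); body = body $0 }
        END { exit (found ? 0 : 1) }' "$1"
}

# append_ca_once BUNDLE CERT
# Returns 0 = appended, 1 = already present (bundle untouched), 2 = bad input.
append_ca_once() {
    bundle=$1 cert=$2
    [ -f "$bundle" ] && [ -w "$bundle" ] && [ -r "$cert" ] || return 2
    # Reject files that do not contain a complete PEM certificate block.
    grep -q -e '-----END CERTIFICATE-----' "$cert" || return 2
    [ -n "$(pem_body "$cert")" ] || return 2
    if bundle_has_cert "$bundle" "$cert"; then
        return 1
    fi
    cp -p "$bundle" "$bundle.bak" || return 2
    # A bundle whose last line lacks a newline would fuse its END marker with
    # the new BEGIN marker and corrupt both entries, so terminate it first.
    if [ -s "$bundle" ] && [ -n "$(tail -c 1 "$bundle")" ]; then
        printf '\n' >> "$bundle"
    fi
    cat "$cert" >> "$bundle" || return 2
    if [ -n "$(tail -c 1 "$bundle")" ]; then
        printf '\n' >> "$bundle"
    fi
    return 0
}

# sudo sh append_ca.sh /etc/ssl/certs/ca-bundle.crt VeriSign_Identity_Protection_Root_CA.crt
if [ "$#" -eq 2 ]; then
    append_ca_once "$1" "$2"
fi
```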

Attachments

VeriSign_Identity_Protection_Root_CA.crt