Administrative users cannot access the Mobility Admin console using VIP two factory authentication.  They are presented with a "User is not entitled to Mobility Suite" error message.

+0000,logname=aclog,level=ERROR,module=client,function=response,line=209,tenant=adam,username=,sessionid=6bxxt71i5m4kg45sy7xqgosf1on2lfgh,url=/appstore/saml2/vip_consumer,msgid=,func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=360:obj=x509-store:subj=X509_verify_cert:error=4:crypto library function failed:subj=/OU=Production VIP Manager Super Admin/O=VeriSign, Inc./CN=VIPLoginSuperAdmin2016;err=20;msg=unable to get local issuer certificate func=xmlSecOpenSSLX509StoreVerify:file=x509vfy.c:line=408:obj=x509-store:subj=unknown:error=71:certificate verification failed:err=20;msg=unable to get local issuer certificate func=xmlSecOpenSSLEvpSignatureVerify:file=signatures.c:line=346:obj=rsa-sha1:subj=EVP_VerifyFinal:error=18:data do not match:signature do not match
FAIL SignedInfo References (ok/all): 1/1 Manifests References (ok/all): 0/0 Error: failed to verify file "/vol1/nukona/tmp/tmpXp1U5_"

Note: The "/vol1/nukona/tmp/tmpXp1U5_” file name varies with each authentication attempt.

Symantec Mobility Suite 5.5 and earlier

VIP updated their client authentication signing certificates used to validate the VIP SAML assertion.

Important: Contact Symantec technical support to obtain the VeriSign_Identity_Protection_Root_CA.crt certificate.

Append the VeriSign_Identity_Protection_Root_CA.crt to the /etc/ssl/certs/ca-bundle.crt file on each front-end (FE).

1. Copy the attached VeriSign_Identity_Protection_Root_CA.crt file to each Mobility front-end (FE).
2. Append the /etc/ssl/certs/ca-bundle.crt with the VeriSign_Identity_Protection_Root_CA.crt with a command like:
   sudo cat VeriSign_Identity_Protection_Root_CA.crt >> /etc/ssl/certs/ca-bundle.crt

Note: There is no need to restart any services.