TCP Connection RST response from External AG server

Article ID: 192321

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

SSL is enabled on the Access Gateway server.
When a user tries to access an Apache web server based application through Access Gateway, they get a "Site can't be accessed" error.
The httpd error log contains the following message:

[Mon Jun 01 15:50:44.900449 2020] [ssl:error] [pid 6672:tid 1776] [client XXX.XXX.XXX.XXX:38914] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate

Cause

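SSLVerifyClient was set to "optional" on the Apache side. With this value a client certificate is not required, but one that is presented must still verify against a CA that Apache trusts. Error 20 in the log shows that the issuer of the presented certificate could not be found, so the connection was rejected.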

Environment

Release: 12.7

Component: SITEMINDER - WEB AGENT FOR APACHE

Resolution

Set SSLVerifyClient to "optional_no_ca", or set it to "none" to disable client certificate verification completely.
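
The following Python triage script is an added example, not part of the original article. It ties AH02039 entries in the httpd error log to SSLVerifyClient values under which a presented client certificate must pass chain verification. The function names and the config fragment are assumptions constructed for illustration; the log line is the one quoted above.

```python
import re

# AH02039 is the mod_ssl message quoted from the httpd error log above.
AH02039 = re.compile(r"\[client (?P<client>[^\]]+)\] AH02039: Certificate "
                     r"Verification: Error \((?P<code>\d+)\): (?P<reason>.+)$")
DIRECTIVE = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.IGNORECASE)
# Values under which a certificate that is sent must pass chain verification.
STRICT = ("optional", "require")

def verify_client_settings(conf_text):
    """Return every SSLVerifyClient value in the config, skipping comments."""
    values = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)  # a '#' comment line never matches
        if m:
            values.append(m.group(1).strip('"').lower())
    return values

def verification_failures(log_text):
    """Return (client, error code, reason) for each AH02039 log entry."""
    hits = (AH02039.search(line) for line in log_text.splitlines())
    return [(m["client"], int(m["code"]), m["reason"].strip()) for m in hits if m]

def diagnose(conf_text, log_text):
    """Pair each logged failure with the settings that reject the handshake."""
    strict = [v for v in verify_client_settings(conf_text) if v in STRICT]
    return [f"{client}: error {code} ({reason}); SSLVerifyClient {value}"
            for client, code, reason in verification_failures(log_text)
            for value in strict]

# Constructed config fragment; the first log line is the one quoted in the article.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    # SSLVerifyClient none
    SSLVerifyClient optional
</VirtualHost>
"""
SAMPLE_LOG = (
    "[Mon Jun 01 15:50:44.900449 2020] [ssl:error] [pid 6672:tid 1776] "
    "[client XXX.XXX.XXX.XXX:38914] AH02039: Certificate Verification: "
    "Error (20): unable to get local issuer certificate\n"
    "[Mon Jun 01 15:50:45.000000 2020] [core:notice] [pid 6672:tid 1776] "
    "constructed unrelated line\n"
)

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        print(finding)
```

With "optional_no_ca" a presented certificate is accepted even when its chain cannot be verified, so the application behind Apache should not treat the certificate's contents as proof of identity.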