TCP Connection RST response from External AG server

Article ID: 192321

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

SSL is enabled on the Access Gateway server.
When a user tries to access an Apache web server based application via Access Gateway, the user gets a "Site can't be accessed" error.
The httpd error log contains the following message:

[Mon Jun 01 15:50:44.900449 2020] [ssl:error] [pid 6672:tid 1776] [client XXX.XXX.XXX.XXX:38914] AH02039: Certificate Verification: Error (20): unable to get local issuer certificate

Cause

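The customer had SSLVerifyClient set to "optional" on the Apache side. With this setting Apache requests a client certificate and, when one is presented, tries to verify it against its configured CA certificates; error (20) means the issuer of the presented certificate was not found among them.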

Environment

Release: 12.7

Component: SITEMINDER - WEB AGENT FOR APACHE

Resolution

Set SSLVerifyClient to "optional_no_ca", or to "none" to disable client certificate verification completely.
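
To confirm that a server matches this article before changing it, the following added example (not part of the original article or of the product) pairs AH02039 error (20) log entries with the SSLVerifyClient directives in a configuration. The function names, the sample configuration and the sample client address are constructed for illustration.

```python
import re

# Error-log line in the format quoted in this article (AH02039).
LOG_RE = re.compile(
    r"\[ssl:error\] \[pid \d+:tid \d+\] \[client (?P<client>[^\]]+)\] "
    r"AH02039: Certificate Verification: Error \((?P<code>\d+)\): (?P<reason>.+)")
DIRECTIVE_RE = re.compile(r'^\s*SSLVerifyClient\s+"?(\w+)"?', re.IGNORECASE)
SECTION_RE = re.compile(r"^\s*<(/?)(\w+)\s*([^>]*)>")
# Constructed sample input, not taken from a real system.
SAMPLE_CONF = """\
<VirtualHost *:443>
    # SSLVerifyClient none
    SSLVerifyClient optional
    <Location /public>
        SSLVerifyClient none
    </Location>
</VirtualHost>
"""
SAMPLE_LOG = (
    "[Mon Jun 01 15:50:44.900449 2020] [ssl:error] [pid 6672:tid 1776] "
    "[client 192.0.2.10:38914] AH02039: Certificate Verification: "
    "Error (20): unable to get local issuer certificate\n")

def verification_failures(log_text):
    """Return (client, error_code, reason) for every AH02039 line."""
    hits = filter(None, map(LOG_RE.search, log_text.splitlines()))
    return [(m["client"], int(m["code"]), m["reason"].strip()) for m in hits]

def verify_client_settings(conf_text):
    """Return (line_no, enclosing_section, value) per SSLVerifyClient directive."""
    stack, found = [], []
    for no, line in enumerate(conf_text.splitlines(), 1):
        sec, d = SECTION_RE.match(line), DIRECTIVE_RE.match(line)
        if sec and sec[1]:
            stack = stack[:-1]  # closing tag: leave the current section
        elif sec:
            stack.append(f"{sec[2]} {sec[3]}".strip())
        elif d:  # commented-out directives do not match
            found.append((no, stack[-1] if stack else "server config", d[1].lower()))
    return found

def diagnose(conf_text, log_text):
    """List 'optional' directives when the log shows error (20) failures."""
    clients = sorted({c for c, code, _ in verification_failures(log_text) if code == 20})
    hits = verify_client_settings(conf_text) if clients else []
    return [(no, where, clients) for no, where, value in hits if value == "optional"]

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_LOG))
```

With "optional_no_ca" Apache accepts a client certificate that it cannot verify, so a certificate presented under that setting should not be relied on for authentication.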