SSL Error caused by CA Adapter 9.1SP1

Article ID: 198063

Products

CA Advanced Authentication - Strong Authentication (AuthMinder / WebFort), CA Strong Authentication, CA Rapid App Security, CA Risk Authentication, CA Advanced Authentication

Issue/Introduction

We're using CAAA combined with SiteMinder (12.8SP1).
Recently we tried to upgrade the SiteMinder policy server's CA adapter from CP1 to SP1,
and we faced an SSL error in SiteMinder's arcotadaptershim.log.

The message indicated that an SSL connection problem occurred between the policy server and the state manager.

==
Fri Aug 21 17:43:35.169 2020 FATAL:   pid 26592 tid 26613: 0 08/21/20 17:43:35.169 FATAL CORE 26613 00026592 - Failure in POSTing request to State Manager: [SSL Error: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak]
==

After facing this, we downgraded the adapter from SP1 to CP1 and the error was eliminated.

The certs we used with SP1 are exactly the same ones we used with CP1.


Cause

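We have upgraded the OpenSSL version in 9.1 SP1 to raise the security standards of our product, and that upgrade is what causes this issue. The "ca md too weak" text in the error means the newer OpenSSL considers the message digest used to sign the certificate too weak. Here is a good explanation of this problem: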

https://stackoverflow.com/questions/52218876/how-to-fix-ssl-issue-ssl-ctx-use-certificate-ca-md-too-weak-on-python-zeep

Environment

Release : 9.1

Component : RiskMinder(Arcot RiskFort)

Resolution

In adaptershim.ini there are entries that point to MD5 certs.

Please comment out the entries below; this should take care of the issue.
Note: We don't use a 2-way SSL handshake.

#ArcotSMTrustedRootPEM
#ArcotSMClientSSLCert
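
To confirm which of these two entries points at an MD5-signed certificate, the following script reads adaptershim.ini and reports the signature algorithm of each referenced PEM file. It is an added example, not part of the original article or the product; the function names are illustrative and the key=path entry format is an assumption.

```shell
#!/bin/sh
# Added example: which adaptershim.ini certificate entries are MD5-signed?
# Assumption: entries are written as key=path.

# Map an OpenSSL "Signature Algorithm" name to a verdict.
classify_sigalg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        "")                echo "UNKNOWN" ;;
        *md2*|*md4*|*md5*) echo "WEAK" ;;    # the "ca md too weak" case
        *sha1*)            echo "REVIEW" ;;  # SHA-1 is deprecated for signing
        *)                 echo "OK" ;;
    esac
}

# Print the value of an uncommented key=value entry ($1 = ini file, $2 = key).
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | tr -d '\r'
}

# Print the distinct signature algorithms of every certificate in a PEM
# file or bundle ($1 = PEM path).
cert_sigalgs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -text -noout 2>/dev/null |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | sort -u
}

# Report both entries named in the article ($1 = path to adaptershim.ini).
audit_shim_ini() {
    for key in ArcotSMTrustedRootPEM ArcotSMClientSSLCert; do
        path=$(ini_value "$1" "$key")
        if [ -z "$path" ]; then
            echo "$key: not set or commented out"
            continue
        fi
        algs=$(cert_sigalgs "$path")
        if [ -z "$algs" ]; then
            echo "$key: $path: UNKNOWN (no certificate could be read)"
            continue
        fi
        echo "$algs" | while IFS= read -r alg; do
            echo "$key: $path: $alg -> $(classify_sigalg "$alg")"
        done
    done
}

# Usage: sh check_shim_certs.sh /path/to/adaptershim.ini
if [ $# -ge 1 ]; then audit_shim_ini "$1"; fi
```

A line ending in `-> WEAK` identifies a certificate that produces the error above; after the entries are commented out, both keys report "not set or commented out".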