Configure an External Administrator Store: An error occurred while updating the list of trusted CA certificates. Please ensure the trusted certificate you are using is valid.

search cancel

Configure an External Administrator Store: An error occurred while updating the list of trusted CA certificates. Please ensure the trusted certificate you are using is valid.

book

Article ID: 215438

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

When configuring an External Administrator Store using admin ui wizard, gets error on screen:

"An error occurred while updating the list of trusted CA certificates. Please ensure the trusted certificate you are using is valid. If the problem persists, check the error logs for additional details."

Click on Show Certificates, nothing is there.

Environment

Release : 12.8

Component : SITEMINDER WAM UI

Cause

(For SSL communication only) If you are configuring an SSL connection, select Use SSL and upload a Certificate Authority (CA) certificate associated with the directory server.

Admin ui loads trusted CA certificates into default JBoss trustStore.jks under ~siteminderui/siteminder/adminui/standalone/configuration.

In order to gain access to the trustStore.jks, it needs password.

Out of box, this is not enabled on JBoss.

Import new root CA:
keytool -import -trustcacerts -alias <alias> -keystore /opt/siteminderui/siteminder/adminui/standalone/configuration/trustStore.jks -file <RootCA.cer>

List keystore to check it is there:
keytool -list -v -keystore /opt/siteminderui/siteminder/adminui/standalone/configuration/trustStore.jks -storepass changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: rootca
Creation date: May 18, 2020
Entry type: trustedCertEntry

Owner: CN=dc-LOD, DC=dc, DC=com
Issuer: CN=dc-LOD, DC=dc, DC=com
Serial number: 1dbc9821.......
Valid from: Thu Sep 26 11:30:03 PDT 2019 until:......
Certificate fingerprints:
MD5: FA:70:03:69:B5:6E:5B:A6:2F:22:A3:........

...

Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

...

Resolution

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/known-issues/known-issues-for-policy-server.html

Solution

To resolve the issue, perform the following steps:

Navigate to the following location:
Windows:administrationUI_installation_home/bin/
UNIX:administrationUI_installation_home/bin

Open the following file:
Windows: standalone.conf.bat file
UNIX: standalone.conf file

Add the following lines at the end of the file:

Windows
:

set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=changeit"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit"
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
set "JAVA_OPTS=%JAVA_OPTS% -Dsun.security.ssl.allowUnsafeRenegotiation=true"

UNIX
:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
JAVA_OPTS="$JAVA_OPTS -Dsun.security.ssl.allowUnsafeRenegotiation=true"

Save the changes.
Restart Administrative UI.

If after steps above, you get a different error " A connection to the LDAP directory 'ad.demo.com:636' could not be established for user 'ad_service_account', please check the connection details and try again."

That is a defect fixed in 12.8sp4, adminui needs an upgrade.

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/known-issues/known-issues-for-policy-server.html

https://knowledge.broadcom.com/external/article/57273/the-root-ca-for-our-company-active-direc.html

https://knowledge.broadcom.com/external/article?articleId=136378

https://ca-broadcomcsm.wolkenservicedesk.com/wolken/esd/knowledgebase_search?articleId=211488

Attachments

Feedback

thumb_up Yes

thumb_down No