RSA Auth Scheme Failing
Article ID: 234528

Products

SITEMINDER

Issue/Introduction

I am running into issues with RSA AA. When I try to access a site which is protected with the RSA Auth Scheme, I get an invalid cert. I see the following error message in the RSA AA.log:

http.impl.conn.tsccm.ConnPoolByRoute] - <Notifying no-one, there are no waiting threads>
2022-02-09 13:43:31,054 ERROR [uid=XBBLK41,cn=People,ou=Internal,o=mfc] [zvz-wl02a10164dv00] [QUEuAAABft65kz54TMbRtjFAa6lPSNpvQQuS] [com.rsa.adapters.siteminder.authscheme.impl.CustomAuthSchemeImpl] - <failed to store params>
com.rsa.adapters.common.core.safebox.SafeBoxException: Failed to store data: peer not authenticated
        at com.rsa.adapters.common.safebox.DataProtectionSafeBox.store(DataProtectionSafeBox.java:243)
        at com.rsa.adapters.common.safebox.SafeBoxBase.store(SafeBoxBase.java:87)
        at com.rsa.adapters.siteminder.authscheme.impl.CustomAuthSchemeImpl.handleBasicAuthentication(CustomAuthSchemeImpl.java:604)
        at com.rsa.adapters.siteminder.authscheme.impl.CustomAuthSchemeImpl.handleAuthentication(CustomAuthSchemeImpl.java:424)
        at com.rsa.adapters.siteminder.authscheme.impl.CustomAuthSchemeImpl.authenticate(CustomAuthSchemeImpl.java:274)
        at com.rsa.adapters.siteminder.authscheme.CustomAuthScheme.authenticate(CustomAuthScheme.java:87)
        at com.netegrity.policyserver.smapi.SmAuthenticationContext.authenticate(SmAuthenticationContext.java:289)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
        at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
        at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
        at com.rsa.adapters.common.safebox.DataProtectionSafeBox.store(DataProtectionSafeBox.java:208)
        ... 6 more

Environment

Release : 12.8.06 and higher

Component : SITEMINDER -POLICY SERVER

Cause

The customer had imported the SSL certificates the policy server needs to connect to the RSA server into the trust store of the JDK installation, but the 12.8.6 policy server uses only the JRE installation, which with AdoptOpenJDK 11 is separate from the JDK. The JRE's trust store therefore did not contain the RSA server's certificate chain, so the TLS handshake failed with "peer not authenticated".

Resolution

Copying the resulting trust store file from the JDK installation to the JRE installation and restarting the policy server resolved the issue.

Additional Information

Prior to r12.8.6, the JDK versions supported by the policy server included a JRE. With 12.8.6, AdoptOpenJDK 11 (Adoptium 11.x) is the supported Java; however, the policy server uses only the JRE installation, which is entirely separate from the JDK installation. Because of this, anything previously configured under the JDK (trust store entries included) must be configured under the JRE when upgrading to 12.8.6 or higher.
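The check below is an added example and is not part of this article or of the SiteMinder or RSA products: a small POSIX shell script that resolves the cacerts trust store a given Java home actually uses (Java 8 JDKs keep it under jre/lib/security, Java 11 JDK and JRE installs keep it under lib/security), lists the trusted aliases in two stores with keytool, and reports which aliases exist in the JDK store but are missing from the JRE store. The directory layouts, the alias names in the constructed sample listing, and the "changeit" default password are assumptions; it does not know which Java home the policy server is configured with, so both paths are passed in.

```shell
#!/bin/sh
# Added example (not from the KB article): find the trust store a Java
# installation really uses and compare JDK vs JRE trusted-cert aliases.
# Usage: sh check_truststore.sh /path/to/jdk /path/to/jre
# Assumptions: standard Adoptium/AdoptOpenJDK layouts, keytool on PATH for
# the live comparison, store password "changeit" unless STOREPASS is set.

# Resolve the cacerts file for a Java home. Java 8 and earlier JDKs carry a
# nested jre/ directory; Java 11+ puts lib/security/cacerts directly under
# the JDK or JRE home. Returns 1 if neither layout is found.
cacerts_path() {
    home="$1"
    if [ -f "$home/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$home/jre/lib/security/cacerts"
    elif [ -f "$home/lib/security/cacerts" ]; then
        printf '%s\n' "$home/lib/security/cacerts"
    else
        return 1
    fi
}

# Extract trustedCertEntry aliases from "keytool -list" output on stdin,
# one per line, sorted so the two stores can be compared with comm(1).
parse_trusted_aliases() {
    sed -n 's/^\([^,]*\), .*trustedCertEntry.*/\1/p' | LC_ALL=C sort
}

# Live listing of a store's trusted aliases (needs keytool on PATH).
list_aliases() {
    keytool -list -keystore "$1" -storepass "${STOREPASS:-changeit}" 2>/dev/null \
        | parse_trusted_aliases
}

# Print aliases present in the JDK trust store but absent from the JRE's.
# A non-empty result is exactly the situation this article describes.
missing_in_jre() {
    jdk_store=$(cacerts_path "$1") || { echo "no cacerts under $1" >&2; return 2; }
    jre_store=$(cacerts_path "$2") || { echo "no cacerts under $2" >&2; return 2; }
    tmpdir=$(mktemp -d)
    list_aliases "$jdk_store" > "$tmpdir/jdk"
    list_aliases "$jre_store" > "$tmpdir/jre"
    # comm -23: lines only in the first file (JDK) and not in the second (JRE)
    comm -23 "$tmpdir/jdk" "$tmpdir/jre"
    rm -rf "$tmpdir"
}

# Constructed sample of keytool output (hypothetical aliases), used here to
# show what parse_trusted_aliases extracts without touching a real store.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

rsa-aa-server, Feb 1, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
internal-root, Jan 5, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# Demo of the parser on the constructed listing; prints:
#   internal-root
#   rsa-aa-server
printf '%s\n' "$SAMPLE_LISTING" | parse_trusted_aliases

# Live comparison only when two Java homes were supplied on the command line.
if [ $# -eq 2 ]; then
    missing_in_jre "$1" "$2"
fi
```

Run it as sh check_truststore.sh /opt/jdk-11 /opt/jre-11 (paths are placeholders) after importing certificates: any alias it prints was imported into the JDK store only and must be imported into, or copied over to, the JRE store before the policy server is restarted.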