Access Gateway was upgraded to 12.8.06 in order to take advantage of the new feature "Communication with Public OpenID Connect Providers through a Forward Proxy Server, via Backchannel Communication", which is documented here:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/configure-social-sign-on/support-sm-oauth-client-communication-with-public-oidc-providers.html
The proxy is configured and is already listening on HTTP port xxxx.
However, after the documented configuration steps were followed, the transaction fails with the following error in FWStrace.log:
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][proxy is configured for back-channel communication]
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][proxy configuration = [Proxy Server Host: proxyhost.domain.com][Proxy Server Port:xxxx]
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][send proxyConnection request]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][startSession][ProxyResponse = HTTP/1.0 200 Connection established]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][invoke][javax.net.ssl.SSLHandshakeException: No trusted certificate found]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][invoke][Ending the session.]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][endSession][start]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][endSession][end]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][shouldRetry][Enter. Retry Count = 5]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][shouldRetry][Either the maxRetry count has been hit or status code null indicates do not retry.]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][shouldRetry][exit]
[04/12/2022][19:02:18][111617][139634415204096][3b665306-5282c6d3-22827fce-f3d91461-db5f43b1-ba][MessageDispatcher.java][dispatchMessage][Dispatcher object thrown unknown exception while processing the message. Message: javax.net.ssl.SSLHandshakeException: No trusted certificate found.]
[04/12/2022][19:02:18][111617][139634415204096][3b665306-5282c6d3-22827fce-f3d91461-db5f43b1-ba][MessageDispatcher.java][dispatchMessage][Exception:
com.ca.sso.smssl.SMSSLException: javax.net.ssl.SSLHandshakeException: No trusted certificate found
at com.ca.sso.smssl.socket.SMSSLSocketImpl.startHandshake(SMSSLSocketImpl.java:514)
at com.netegrity.srca.connection.SSLHandler.startSession(Unknown Source)
at com.netegrity.srca.Srca.invoke(Unknown Source)
at com.netegrity.srca.Srca.invoke(Unknown Source)
at com.netegrity.srca.Srca.invoke(Unknown Source)
at com.netegrity.srca.Srca.invoke(Unknown Source)
at com.netegrity.srca.Srca.invoke(Unknown Source)
at com.netegrity.srca.Srca.invoke(Unknown Source)
at com.netegrity.affiliateminder.webservices.MessageDispatcher.a(fedfws_obfsc:429)
at com.ca.federation.webservices.oauth.utils.c.a(Unknown Source)
at com.ca.federation.webservices.oauth.handlers.b.m(Unknown Source)
at com.ca.federation.webservices.oauth.handlers.b.b(Unknown Source)
at com.ca.federation.webservices.oauth.TokenConsumer.g(Unknown Source)
at com.ca.federation.webservices.oauth.TokenConsumer.d(Unknown Source)
at com.ca.federation.webservices.oauth.TokenConsumer.doGet(Unknown S
The customer has already added all certificate chains to ca-bundle.cert.
Release : 12.8
Component : SITEMINDER SECURE PROXY SERVER
This is a product limitation of Access Gateway in any version prior to 12.8.06a (including 12.8.06).
TLSv1.3 is NOT certified with Access Gateway yet; it is only certified on the 12.8.06 Policy Server.
This is documented under New Features:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/New-Features/New-Features-in-12-8-06.html#concept.dita_ef5022a9-a14f-4a63-bd86-2c01d3c2e7c4_SupportforTLS
When running "~/openssl s_client -proxy proxyhost.domain.com:port -connect accounts.google.com:443 -showcerts", the session negotiated TLSv1.3:
subject=CN = accounts.google.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4756 bytes and written 450 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
When a similar openssl command was run without "-proxy proxyhost.domain.com:port", the session negotiated TLSv1.2 instead:
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
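The two artefacts above (the FWStrace.log excerpt and the pair of openssl s_client runs) are what a support engineer compares when deciding whether the "No trusted certificate found" failure is a trust-store problem or a protocol-version problem. The following is an added triage example, not code from the article or from the SiteMinder product. It parses both formats, confirms that the proxy CONNECT succeeded while the handshake behind it failed, recovers the negotiated protocol from each s_client run, and flags anything outside CERTIFIED_PROTOCOLS. CERTIFIED_PROTOCOLS, the function names and the dataclasses are assumptions of this example; the sample inputs are excerpts of the log and openssl output quoted in the article.

```python
"""Added triage helper (example code, not from the KB article or the product).

Parses FWStrace.log lines and openssl s_client output, then reports whether the
proxy tunnel worked, how the TLS handshake failed, and which protocol version
each s_client run negotiated.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example, mirroring the release notes cited in the article:
# TLSv1.2 is certified for the Access Gateway back channel, TLSv1.3 is not.
CERTIFIED_PROTOCOLS = {"TLSv1.2"}

# s_client reports the session either as "New, <proto>, Cipher is <cipher>" or,
# inside the "SSL-Session:" block, as "Protocol : <proto>" / "Cipher : <cipher>".
_NEW_LINE = re.compile(r"^New, (TLSv[\d.]+), Cipher is (\S+)")
_PROTO_LINE = re.compile(r"^\s*Protocol\s*:\s*(TLSv[\d.]+)")
_CIPHER_LINE = re.compile(r"^\s*Cipher\s*:\s*(\S+)")
_VERIFY_LINE = re.compile(r"^Verify return code: (\d+) \(")


@dataclass
class FwsFindings:
    proxy_host: Optional[str] = None
    proxy_response: Optional[str] = None
    handshake_error: Optional[str] = None


@dataclass
class TlsSession:
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    verify_code: Optional[int] = None
    subject: Optional[str] = None


def parse_fwstrace(text: str) -> FwsFindings:
    """Each line is [date][time][pid][tid][txid][component][method][message];
    stack-trace lines lack the bracket framing and are skipped."""
    found = FwsFindings()
    for raw in text.splitlines():
        line = raw.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue
        fields = line[1:-1].split("][")
        if len(fields) < 8:
            continue
        message = "][".join(fields[7:])  # the message itself may contain "]["
        if message.startswith("proxy configuration"):
            host = re.search(r"Proxy Server Host: ([^\]]+)", message)
            found.proxy_host = host.group(1) if host else None
        elif message.startswith("ProxyResponse = "):
            found.proxy_response = message[len("ProxyResponse = "):]
        elif "SSLHandshakeException: " in message and found.handshake_error is None:
            found.handshake_error = message.split("SSLHandshakeException: ", 1)[1].rstrip(".")
    return found


def parse_s_client(output: str) -> TlsSession:
    """Recover protocol, cipher, verify result and leaf subject from s_client output."""
    sess = TlsSession()
    for raw in output.splitlines():
        line = raw.rstrip()
        if line.startswith("subject="):
            sess.subject = line[len("subject="):].strip()
        elif (m := _NEW_LINE.match(line)):
            sess.protocol, sess.cipher = m.group(1), m.group(2)
        elif (m := _PROTO_LINE.match(line)) and sess.protocol is None:
            sess.protocol = m.group(1)
        elif (m := _CIPHER_LINE.match(line)) and sess.cipher is None:
            sess.cipher = m.group(1)
        elif (m := _VERIFY_LINE.match(line)):
            sess.verify_code = int(m.group(1))
    return sess


def triage(fws: FwsFindings, via_proxy: TlsSession, direct: TlsSession) -> List[str]:
    """Turn the parsed facts into the conclusions a support engineer would write up."""
    notes: List[str] = []
    if fws.proxy_response and fws.proxy_response.endswith("Connection established"):
        notes.append(f"CONNECT via {fws.proxy_host} succeeded; the tunnel itself is fine")
    if fws.handshake_error:
        notes.append(f"TLS handshake inside the tunnel failed: {fws.handshake_error}")
    for label, sess in (("via proxy", via_proxy), ("direct", direct)):
        if sess.protocol is None:
            continue
        status = "certified" if sess.protocol in CERTIFIED_PROTOCOLS else "NOT certified"
        notes.append(f"{label}: negotiated {sess.protocol} ({sess.cipher}), {status} for Access Gateway")
    if via_proxy.verify_code == 0 and fws.handshake_error:
        notes.append("openssl verified the chain through the proxy (return code 0), "
                     "so compare protocol versions before adding more CAs to ca-bundle.cert")
    return notes


# Sample inputs: excerpts of the FWStrace.log and openssl output quoted in the article.
FWSTRACE_EXCERPT = """\
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][proxy configuration = [Proxy Server Host: proxyhost.domain.com][Proxy Server Port:xxxx]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][startSession][ProxyResponse = HTTP/1.0 200 Connection established]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][invoke][javax.net.ssl.SSLHandshakeException: No trusted certificate found]
        at com.ca.sso.smssl.socket.SMSSLSocketImpl.startHandshake(SMSSLSocketImpl.java:514)
"""
S_CLIENT_VIA_PROXY = """\
subject=CN = accounts.google.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
"""
S_CLIENT_DIRECT = """\
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
"""

if __name__ == "__main__":
    for note in triage(parse_fwstrace(FWSTRACE_EXCERPT),
                       parse_s_client(S_CLIENT_VIA_PROXY),
                       parse_s_client(S_CLIENT_DIRECT)):
        print("-", note)
```

Run it as-is to see the write-up for the excerpts above, or feed it a fresh FWStrace.log and the output of the two s_client runs from your own environment. The point of keeping the trust-store conclusion last is that a "No trusted certificate found" message in a Java client is routinely misread as a missing CA; when openssl verifies the same chain with return code 0 through the same proxy, the protocol version negotiated through the tunnel is the first thing to compare.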
Because TLSv1.3 is not yet certified with Access Gateway, the customer needs to consult the proxy server administrator to see whether the proxy's protocol configuration can be downgraded to TLSv1.2.
The customer can also open an IDEA on the community and reach out to the Broadcom product management team to request certification of TLSv1.3 on Access Gateway.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/New-Features/New-Features-in-12-8-06.html#concept.dita_ef5022a9-a14f-4a63-bd86-2c01d3c2e7c4_SupportforTLS