
12.8.06 Access gateway "No trusted certificate found" in Communication with Public OpenID Connect Providers through a Forward Proxy Server

Article ID: 241326

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
SITEMINDER

Issue/Introduction

Access Gateway has been upgraded to 12.8.06 in order to use the new feature "Communication with Public OpenID Connect Providers through a Forward Proxy Server, via Backchannel Communication", which is documented here:
 
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/partnership-federation/configure-social-sign-on/support-sm-oauth-client-communication-with-public-oidc-providers.html
 
The forward proxy is configured and already listening on HTTP port xxxx.

However, after following the documented configuration steps, the transaction fails. The proxy accepts the CONNECT request, but the TLS handshake to the provider then fails with the following error in FWStrace.log:
"[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][proxy is configured for back-channel communication]
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][proxy configuration = [Proxy Server Host: proxyhost.domain.com][Proxy Server Port:xxxx]
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][send proxyConnection request]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][startSession][ProxyResponse = HTTP/1.0 200 Connection established]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][invoke][javax.net.ssl.SSLHandshakeException: No trusted certificate found]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][invoke][Ending the session.]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][endSession][start]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][endSession][end]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][shouldRetry][Enter.  Retry Count = 5]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][shouldRetry][Either the maxRetry count has been hit or status code null indicates do not retry.]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][shouldRetry][exit]
[04/12/2022][19:02:18][111617][139634415204096][3b665306-5282c6d3-22827fce-f3d91461-db5f43b1-ba][MessageDispatcher.java][dispatchMessage][Dispatcher object thrown unknown exception while processing the message. Message: javax.net.ssl.SSLHandshakeException: No trusted certificate found.]
[04/12/2022][19:02:18][111617][139634415204096][3b665306-5282c6d3-22827fce-f3d91461-db5f43b1-ba][MessageDispatcher.java][dispatchMessage][Exception:
com.ca.sso.smssl.SMSSLException: javax.net.ssl.SSLHandshakeException: No trusted certificate found
        at com.ca.sso.smssl.socket.SMSSLSocketImpl.startHandshake(SMSSLSocketImpl.java:514)
        at com.netegrity.srca.connection.SSLHandler.startSession(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.affiliateminder.webservices.MessageDispatcher.a(fedfws_obfsc:429)
        at com.ca.federation.webservices.oauth.utils.c.a(Unknown Source)
        at com.ca.federation.webservices.oauth.handlers.b.m(Unknown Source)
        at com.ca.federation.webservices.oauth.handlers.b.b(Unknown Source)
        at com.ca.federation.webservices.oauth.TokenConsumer.g(Unknown Source)
        at com.ca.federation.webservices.oauth.TokenConsumer.d(Unknown Source)
        at com.ca.federation.webservices.oauth.TokenConsumer.doGet(Unknown S"

The customer has already added the complete certificate chains to ca-bundle.cert, so a missing CA certificate is not the cause.

Cause

This is a product limitation of Access Gateway in any version prior to 12.8.06a (including 12.8.06).

TLSv1.3 is NOT yet certified with Access Gateway; in 12.8.06 it is certified only on the Policy Server. When the back-channel session negotiates TLSv1.3, the handshake fails with "No trusted certificate found" even though the trust store is correct.

This is documented under new features:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/New-Features/New-Features-in-12-8-06.html#concept.dita_ef5022a9-a14f-4a63-bd86-2c01d3c2e7c4_SupportforTLS

Running "~/openssl s_client -proxy proxyhost.domain.com:port -connect accounts.google.com:443 -showcerts" from the Access Gateway host shows that the session through the proxy negotiates TLSv1.3:

subject=CN = accounts.google.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4756 bytes and written 450 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

The same openssl command run without "-proxy proxyhost.domain.com:port" negotiated TLSv1.2 instead:

SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES128-GCM-SHA256

Environment

Release : 12.8

Component : SITEMINDER SECURE PROXY SERVER

Resolution

TLSv1.3 is NOT yet certified with Access Gateway; in 12.8.06 it is certified only on the Policy Server. The limitation applies to all Access Gateway versions prior to 12.8.06a.

As a workaround, the customer should consult the proxy server administrator and determine whether the proxy can be configured so that the back-channel session negotiates TLSv1.2 rather than TLSv1.3. Verify the change with the same "openssl s_client -proxy ..." command shown above: the "New, ..." line should report TLSv1.2 before the Access Gateway configuration is retested.

The customer can also open an IDEA on the Broadcom community to reach the product management team and request certification of TLSv1.3 on Access Gateway.
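The following script reproduces the gateway's back-channel path by hand so the proxy fix can be checked independently of Access Gateway: it sends the HTTP CONNECT request the FWStrace.log shows, parses the "HTTP/1.0 200 Connection established" reply, then performs the TLS handshake with the maximum protocol version capped, reporting what was negotiated and which CA issued the provider's certificate. It is an added example and not part of the Broadcom article or the SiteMinder product; the proxy port (the article masks it as xxxx), the timeout and the name of the CA bundle file are assumptions.

```python
"""Manual reproduction of the Access Gateway back-channel path:
HTTP CONNECT through a forward proxy, then a TLS handshake to the OIDC
provider with the maximum TLS version capped. Added example, not from
the Broadcom article; proxy port and CA bundle path are placeholders."""
import socket
import ssl

PROXY_HOST = "proxyhost.domain.com"   # placeholder host name from the article
PROXY_PORT = 3128                     # assumption: the article masks the port as xxxx
TARGET_HOST = "accounts.google.com"   # the provider probed in the article
TARGET_PORT = 443
CA_BUNDLE = "ca-bundle.cert"          # assumption: path to the gateway's bundle


def build_connect_request(host: str, port: int) -> bytes:
    """The CONNECT request a client sends to a forward proxy to open a TLS tunnel."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "Proxy-Connection: keep-alive\r\n\r\n"
    ).encode("ascii")


def parse_connect_response(raw: bytes) -> int:
    """Return the HTTP status code from the proxy's reply to CONNECT.
    The article's trace shows 'HTTP/1.0 200 Connection established'."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def read_proxy_headers(sock: socket.socket) -> bytes:
    """Read until the blank line that terminates the proxy's response headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    return buf


def make_context(ca_bundle, max_version: str) -> ssl.SSLContext:
    """Client context that verifies against ca_bundle (None = system trust store)
    and never negotiates above max_version ("TLSv1_2" or "TLSv1_3").
    Capping at TLSv1_2 mirrors what the article asks the proxy admin to enforce."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion[max_version]
    return ctx


def context_versions(ctx: ssl.SSLContext) -> tuple:
    """Names of the (minimum, maximum) TLS versions the context will negotiate."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


def probe(max_version: str = "TLSv1_2") -> dict:
    """CONNECT through the proxy, handshake, and report what was negotiated."""
    with socket.create_connection((PROXY_HOST, PROXY_PORT), timeout=10) as raw:
        raw.sendall(build_connect_request(TARGET_HOST, TARGET_PORT))
        status = parse_connect_response(read_proxy_headers(raw))
        if status != 200:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
        ctx = make_context(CA_BUNDLE, max_version)
        # Wrapping an already-connected socket performs the handshake immediately,
        # just as the gateway's SSLHandler.startSession does after the 200 reply.
        with ctx.wrap_socket(raw, server_hostname=TARGET_HOST) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
            }


if __name__ == "__main__":
    # Compare the capped handshake with an uncapped one through the same proxy.
    for cap in ("TLSv1_2", "TLSv1_3"):
        try:
            print(cap, probe(cap))
        except (OSError, ssl.SSLError, ValueError) as exc:
            print(cap, "failed:", exc)
```

If the TLSv1_2 run succeeds with an issuer that matches a CA in ca-bundle.cert, the proxy path itself is fine and only the negotiated version needs to change. If the issuer differs from the one openssl reports on a direct connection, the proxy is terminating TLS and re-signing the certificate, and its signing CA, not the provider's chain, is what belongs in the bundle.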

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/New-Features/New-Features-in-12-8-06.html#concept.dita_ef5022a9-a14f-4a63-bd86-2c01d3c2e7c4_SupportforTLS