When running Federation Services, the Web Agent Option Pack returns an error once it receives the response from the Authz Server:
[05/04/2022][14:31:30][9197][2047252224][c52aff38-8cf154b7-21f93726-fb745c73-89ef5aaa-49][MessageDispatcher.java][dispatchMessage][Sending the following message to the remote entity:
[Message: /oidc/userinfo?access_token=************* [...]
[05/04/2022][14:31:46][9197][2047252224][c52aff38-8cf154b7-21f93726-fb745c73-89ef5aaa-49][MessageDispatcher.java][dispatchMessage][Dispatcher object thrown unknown exception while processing the message. Message: Certificate not verified..]
[05/04/2022][14:31:46][9197][2047252224][c52aff38-8cf154b7-21f93726-fb745c73-89ef5aaa-49][MessageDispatcher.java][dispatchMessage][Exception:
javax.net.ssl.SSLException: Certificate not verified.
at com.rsa.sslj.x.aG.b(Unknown Source)
Caused by: java.security.cert.CertificateException: the certificate chain is not trusted, Could not validate path.
Web Agent Option Pack 12.52SP09 on ServletExec 6 on RedHat 6;
Policy Server 12.8SP5 on RedHat 7;
The Federation Services make two calls to two different remote servers. For the first call, which retrieves the access_token, the SSL handshake works fine. For the second call, which retrieves the userinfo, the remote server's certificate isn't recognized, because the certificates that issued it are not in the Policy Store.
Adding the Intermediate and CA Root certificates to the Policy Store therefore solves this issue.
The browser receives error 500:
fiddler.saz:
Line 49:
GET https://_host1.example._com/affwebservices/public/oauthtokenconsumer/s22a55w22-5as5-rr1s-445s-cd5552662sd55s?code=0.AV8A6Di2C.....7wYgAA&state=11a.....&session_state=*************** HTTP/1.1
Referer: https://_host2._domain2._com/
HTTP/1.1 500 Internal Error occured while trying to process the request. Transaction ID: 1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4 failed.
Date: Wed, 11 May 2022 14:02:45 GMT
Server: Apache
X-Powered-By: ServletExec/6.0.0.2_39, Servlet/2.5, JSP/2.1
As the Federation Service fails to handle the request:
affwebserv.log:
[4003/1679525632][Wed May 11 2022 16:08:03][TokenConsumer.java][ERROR][sm-FedClient-02900] "Failure during transaction. ID: 1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4.. (, , , )
[4003/1679525632][Wed May 11 2022 16:08:03][OAuthServiceBase][ERROR][sm-FedClient-02900] "Failure during transaction. ID: 1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4.. (, , , )
The Federation Service can get the certificates from the Policy Server and connect to the first remote server over HTTPS:
FWSTrace.log:
[05/11/2022][16:02:45][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][TokenConsumer.java][doGet][OAuth Authorization and Single Sign-on Service received GET request.]
[05/11/2022][16:02:45][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][OAuthUtils.java][retrieveAuthzServerFromCache][Obtained Authorization Server information from cache for: myoauthaz|||s22a55w22-5as5-rr1s-445s-cd5552662sd55s.]
[05/11/2022][16:02:45][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][MessageDispatcher.java][acquireDispatcher][Value being used as key to the dispatcher map: myoauthaz|||s22a55w22-5as5-rr1s-445s-cd5552662sd55sPOST]
The Federation Service receives 27 CA certificates from the Policy Server:
[05/11/2022][16:02:47][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][FederationTunnelClient.java][getAllCAcerts][Tunnel result code: 1.]
[05/11/2022][16:02:48][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][FederationTunnelClient.java][getAllCAcerts][Number of CA certificates received:27]
[05/11/2022][16:02:48][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][FederationTunnelClient.java][getAllCAcerts][Subject DN of last certificate received: CN=_host3.example.com]
[05/11/2022][16:02:48][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][FederationTunnelClient.java][getAllCAcerts][Number of CA certificates copied to output:27]
[05/11/2022][16:02:48][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][FWSBase.java][getAllCAcerts][Obtained CA certificates from policy server. Total Certs received: 27]
The Federation Service can connect to the first remote server: the access_token request returns HTTP 200:
[05/11/2022][16:06:59][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][OAuth20Utils][sendClientMessage][EXIT]
[05/11/2022][16:06:59][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][OAuth20TokenConsumerHandler][sendAccessTokenRequest][Received access token response: [Status Line: HTTP/1.1 200 OK]
[Headers:{x-ms-request-id=b1795e5e-bd37-467c-9025-b8ac0c3b9700, Cache-Control=no-store, no-cache, P3P=CP="DSP CUR OTPi IND OTRi ONL FIN", Content-Length=2098, Strict-Transport-Security=max-age=31536000; includeSubDomains, Date=Wed, 11 May 2022 14:06:59 GMT, Pragma=no-cache, x-ms-ests-server=2.1.12651.10 - NEULR1 ProdSlices, X-XSS-Protection=0, Expires=-1, Content-Type=application/json; charset=utf-8, Connection=close, X-Content-Type-Options=nosniff}]
[05/11/2022][16:06:59][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][OAuthUtils.java][parseResponse][Message to parse: [Status Line: HTTP/1.1 200 OK]
[Message: {"token_type":"Bearer","scope":"User.Read profile openid email","expires_in":5221, "ext_expires_in":5221,"access_token":"eyJ0eXAiO.........................
[...]
wNn_gfjaBv9230AZfGte..................A"}]]
When the Federation Service tries to reach another server to get the userinfo, the certificate cannot be verified:
[05/11/2022][16:07:00][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][MessageDispatcher.java][acquireDispatcher][Value being used as key to the dispatcher map: myoauthaz|||s22a55w22-5as5-rr1s-445s-cd5552662sd55sGET]
[05/11/2022][16:07:00][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][MessageDispatcher.java][dispatchMessage][Sending the following message to the remote entity:
[Message: /oidc/userinfo?access_token=eyJ0e..................................
[...]
wNn_gfjaBv9230AZfGtew........................Phau1CNVrS-J2Ejj65Dh-jDekhPeynzTyySqdTmA].]
[05/11/2022][16:08:02][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][MessageDispatcher.java][dispatchMessage][Dispatcher object thrown unknown exception while processing the message. Message: Certificate not verified..]
[05/11/2022][16:08:02][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4][MessageDispatcher.java][dispatchMessage][Exception: javax.net.ssl.SSLException: Certificate not verified.
The remote server serving the /oidc/userinfo resource that the Federation Service tries to reach is
https://_host4.example._com/oidc/userinfo
Its certificate has the subject
Subject: O = _host, CN = _host4.example._com
and the issuer
Issuer: O = _intermediate
The intermediate certificate _intermediate is itself issued by a CA Root certificate:
Issuer: O = _root
Neither the intermediate nor the root certificate can be found in the Policy Store.
pstore.xml:
<ReferenceValue ReferenceId="Ref00033">
<StringValue>s22a55w22-5as5-rr1s-445s-cd5552662sd55s</StringValue>
<Object Class="CA.FED::OAuthPartnershipBase" Xid="CA.FED::OAuthPartnershipBase@000ca02*************" [...] ExportType="Replace">
<Property Name="CA.FED::OAuthPartnershipBase.DisambiguationID">
<LinkValue><XREF>Ref00033</XREF></LinkValue>
<Property Name="CA.FED::OAuthPartnershipBase.BaseURL">
<LinkValue><XREF>Ref00075</XREF></LinkValue>
<Property Name="CA.FED::OAuthClientToAuthzServerPship.UserInfoURLLink">
<LinkValue>
<XID>CA.FED::Endpoint@000416c7-40d4-118d-bd4b-46f60acb0000</XID>
<Property Name="CA.FED::OAuthClientToAuthzServerPship.AuthzServerID">
<StringValue>myoauthaz</StringValue>
--
<Object Class="CA.FED::Endpoint" Xid="CA.FED::Endpoint@000416c7-40d******************" [...] ExportType="Replace">
<Property Name="CA.FED::Endpoint.Location">
<LinkValue><XREF>Ref00496</XREF></LinkValue>
<Property Name="CA.FED::Endpoint.Binding">
<StringValue>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</StringValue>
--
<ReferenceValue ReferenceId="Ref00496">
<StringValue>https://_host4.example._com/oidc/userinfo</StringValue>
--
<Object Class="CA.FED::OAuthEntityBase" Xid="CA.FED::OAuthEntityBase@00006***************0" [...] ExportType="Replace">
<Property Name="CA.FED::OAuthEntityClientLocal.RedirectURL">
<LinkValue><XREF>Ref00073</XREF></LinkValue>
<Property Name="CA.FED::OAuthEntityBase.Name">
<StringValue>myoauthclient</StringValue>
--
<ReferenceValue ReferenceId="Ref00073">
<StringValue>https://_host1.example._com/affwebservices/public/oauthtokenconsumer/s22a55w22-5as5-rr1s-445s-cd5552662sd55s</StringValue>
--
<Object Class="CA.FED::Endpoint" Xid="CA.FED::Endpoint@000bde............." [...] ExportType="Replace">
<Property Name="CA.FED::Endpoint.Location">
<LinkValue><XREF>Ref00221</XREF></LinkValue>
--
<ReferenceValue ReferenceId="Ref00221">
<StringValue>https://_host5.example._com/08b638e8-0676-45cc-b677-5c038b17d28a/oauth2/v2.0/token</StringValue>
Add the Intermediate and CA Root certificates of
https://_host4.example._com/oidc/userinfo
to the Policy Store as Certificate Authorities to solve this issue.