Error: javax.net.ssl.SSLException Certificate not verified in OAuth


Article ID: 241761


Products

CA Single Sign On Agents (SiteMinder)
SITEMINDER
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When running Federation Services, once the Web Agent Option Pack has received the access token response from the Authorization Server and calls the userinfo endpoint, it returns the error:

    [05/04/2022][14:31:30][9197][2047252224][c52aff38-8cf154b7-21f93726-fb745c73-89ef5aaa-49]
    [MessageDispatcher.java][dispatchMessage][Sending the following message to the remote entity:

    [Message: /oidc/userinfo?access_token=eyJ0eXAiOiJKV1QiLCJub25jZSI6IjZQN1dCaF [...]

    [05/04/2022][14:31:46][9197][2047252224][c52aff38-8cf154b7-21f93726-fb745c73-89ef5aaa-49]
    [MessageDispatcher.java][dispatchMessage]
    [Dispatcher object thrown unknown exception while processing the message. Message: Certificate not verified..]

    [05/04/2022][14:31:46][9197][2047252224][c52aff38-8cf154b7-21f93726-fb745c73-89ef5aaa-49][MessageDispatcher.java]
    [dispatchMessage][Exception:
    javax.net.ssl.SSLException: Certificate not verified.
          at com.rsa.sslj.x.aG.b(Unknown Source)

    Caused by: java.security.cert.CertificateException: 
    the certificate chain is not trusted, Could not validate path.

 

Cause

 

The Federation Services make two HTTPS calls to two different remote servers. For the first one, which obtains the access_token, the SSL handshake succeeds. For the second one, which fetches the userinfo, the server certificate is not recognized because its issuing chain is not trusted. As the FWSTrace.log below shows, the CA certificates used to validate these outbound connections are the ones the Federation Service fetches from the Policy Server (getAllCAcerts), so the trust store that matters is the Policy Store.

Adding the intermediate and root CA certificates of the userinfo server to the Policy Store therefore solves this issue.

The browser receives an HTTP 500 error:

fiddler.saz:

Line 49:

GET https://myserver.mydomain.com/affwebservices/public/oauthtokenconsumer/s22a55w22-5as5-rr1s-445s-cd5552662sd55s?code=0.AV8A6Di2CHYGzEW2d1wDixfSivukb6K12HlJky7OlmW1gr5fAAA.AQABAAIAAAD--DLA3VO7QrddgJg7Wevrw6CMyrvqQyO9Elldiglj7xfFAzs9yy-IK5AHkdcj45vC-a7Q7PHStLBTSuELa-0rzltdnn-0RPsqwiTbw2-__YeY7VUC0Wnah8qawVlBCP3VcXENSNkxE-nqD-NvrZivbL-rkM9dismCtSK4omdpZ9-JG14dpSp-klNMwXK5U5QS4IXqwOopzaUWEoyv873qfVQLte6fL6bTTJHluPSeKHcKuDCUDrRgXMk6edhNGF-tuNI2kdQqu6TQFCOJUJSCE5eBCtgdVaSJrcQxZV3OiZ0UHcL_xfu_lF4YR0WuetaKchfyQj1WE9OeqtIzN52O6S8ZMAx3aLR8aVMDlzd2kH90haUk2zRS9NdW4I3zjE_IvdX1IaBT1kzLnI8clRhwqhR_N9MtKtS4PoAFUIutT_fsMFuZ9cDUkA162mEmYJtd9ebDIOC2OfRbDiJcY7fWHba-dP6Wn2U0_CbsvdJDT8JoCQHhM2779IfpW4NaS4OzpMeGRVewbCEbg9tDpKwPgy28tDKKdeBXZP1ukY7XTSi5jYWylXzMNNDYgKEBhNjVuUI87HOGdL9yMFhk_W6XZTCkevvQ_JkO26N7tzrjDBqw80aCt247qmR7LUYlP5oMdhE2jRZxJavgKriHkAbv-CC0ZyTgH07qEG6SQeEDpEOfzbMULNWooQziyKHHlSgn-UhaHGD9bl_fchDLKNS2uAZF9dvSy-1keto_bGodKBglNKVVX9-74wcLCYCr7wYgAA&state=11a55580-f02ec057-3fd5246e-861cf499-b1d2355e-1&session_state=278119b5-a82c-4b3c-bba0-ee86de26409a HTTP/1.1
Referer: https://myotherserver.myseconddomain.com/

  HTTP/1.1 500 Internal Error occured while trying to process the request. Transaction ID: 1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4 failed.
  Date: Wed, 11 May 2022 14:02:45 GMT
  Server: Apache
  X-Powered-By: ServletExec/6.0.0.2_39, Servlet/2.5, JSP/2.1

because the Federation Service fails to process the request:

affwebserv.log:

  [4003/1679525632][Wed May 11 2022 16:08:03][TokenConsumer.java][ERROR][sm-FedClient-02900]
  "Failure during transaction.  ID:  1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4.. (, , , )

  [4003/1679525632][Wed May 11 2022 16:08:03][OAuthServiceBase][ERROR][sm-FedClient-02900]
  "Failure during transaction.  ID:  1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4.. (, , , )

The Federation Service is able to retrieve the CA certificates from the Policy Server and to connect over HTTPS to the first remote server:

FWSTrace.log:

  [05/11/2022][16:02:45][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [TokenConsumer.java][doGet][OAuth Authorization and Single Sign-on Service received GET request.]
  
  [05/11/2022][16:02:45][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [OAuthUtils.java][retrieveAuthzServerFromCache][Obtained Authorization Server information from cache for: 
  myoauthaz|||s22a55w22-5as5-rr1s-445s-cd5552662sd55s.]
  
  [05/11/2022][16:02:45][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [MessageDispatcher.java][acquireDispatcher][Value being used as key to the dispatcher map: 
  myoauthaz|||s22a55w22-5as5-rr1s-445s-cd5552662sd55sPOST]

The Federation Service receives 27 CA certificates from the Policy Server (the count alone says nothing about whether the issuer of the userinfo server's certificate is among them):

  [05/11/2022][16:02:47][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [FederationTunnelClient.java][getAllCAcerts][Tunnel result code: 1.]
  
  [05/11/2022][16:02:48][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [FederationTunnelClient.java][getAllCAcerts][Number of CA certificates received:27]
  
  [05/11/2022][16:02:48][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [FederationTunnelClient.java][getAllCAcerts][Subject DN of last certificate received: CN=login.microsoftonline.us]
  
  [05/11/2022][16:02:48][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [FederationTunnelClient.java][getAllCAcerts][Number of CA certificates copied to output:27]
  
  [05/11/2022][16:02:48][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [FWSBase.java][getAllCAcerts][Obtained CA certificates from policy server. Total Certs received: 27]

The Federation Service is able to connect to the first remote server (the token endpoint), as it receives HTTP 200 when requesting the access_token:

  [05/11/2022][16:06:59][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [OAuth20Utils][sendClientMessage][EXIT]

  [05/11/2022][16:06:59][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [OAuth20TokenConsumerHandler][sendAccessTokenRequest][Received access token response: 
  [Status Line: HTTP/1.1 200 OK]

  [Headers:{x-ms-request-id=b1795e5e-bd37-467c-9025-b8ac0c3b9700, Cache-Control=no-store, 
  no-cache, P3P=CP="DSP CUR OTPi IND OTRi ONL FIN", Content-Length=2098, 
  Strict-Transport-Security=max-age=31536000; includeSubDomains, Date=Wed, 11 May 2022 14:06:59 GMT, 
  Pragma=no-cache, x-ms-ests-server=2.1.12651.10 - NEULR1 ProdSlices, X-XSS-Protection=0, 
  Expires=-1, Content-Type=application/json; charset=utf-8, Connection=close, X-Content-Type-Options=nosniff}]
  
  [05/11/2022][16:06:59][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [OAuthUtils.java][parseResponse][Message to parse:  [Status Line: HTTP/1.1 200 OK]

  [Message: {"token_type":"Bearer","scope":"User.Read profile openid email","expires_in":5221,
  "ext_expires_in":5221,"access_token":"eyJ0eXAiOiJKV1QiLCJub25jZSI6InRNSWJHZnZIcmxrTjdKVz
  FMREhOdmlDa09NRWoxZS1VZWhBV1hOZFNyTTAiLCJhbGciOiJSUzI1NiIsIng1dCI6ImpTMVhvMU9XRGpfNTJ2Yn

  [...]
  
  wNn_gfjaBv9230AZfGtewRc1QmpnsC9SdoPdLc3k_pONpBl6ToYvQMBQMLSOY5F3Aa8avxfC9WQxDxmmSELIaKIo
  EIqGPjxpI2dyjuymvHGbe4TaT1wrIIFEHZemYqPhau1CNVrS-J2Ejj65Dh-jDekhPeynzTyySqdTmA"}]]

When the Federation Service then contacts the other server to retrieve the userinfo, the certificate cannot be verified:

  [05/11/2022][16:07:00][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [MessageDispatcher.java][acquireDispatcher][Value being used as key to the dispatcher map: 
  myoauthaz|||s22a55w22-5as5-rr1s-445s-cd5552662sd55sGET]

  [05/11/2022][16:07:00][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [MessageDispatcher.java][dispatchMessage][Sending the following message to the remote entity: 

  [Message: /oidc/userinfo?access_token=eyJ0eXAiOiJKV1QiLCJub25jZSI6InRNSWJHZnZIcmxrTjdKVz
  FMREhOdmlDa09NRWoxZS1VZWhBV1hOZFNyTTAiLCJhbGciOiJSUzI1NiIsIng1dCI6ImpTMVhvMU9XRGpfNTJ2Yn

  [...]

  wNn_gfjaBv9230AZfGtewRc1QmpnsC9SdoPdLc3k_pONpBl6ToYvQMBQMLSOY5F3Aa8avxfC9WQxDxmmSELIaKIo
  EIqGPjxpI2dyjuymvHGbe4TaT1wrIIFEHZemYqPhau1CNVrS-J2Ejj65Dh-jDekhPeynzTyySqdTmA].]

  [05/11/2022][16:08:02][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [MessageDispatcher.java][dispatchMessage]
  [Dispatcher object thrown unknown exception while processing the message. Message: Certificate not verified..]

  [05/11/2022][16:08:02][4003][1679525632][1a3876e9-093736ac-61581d02-946e976e-fb13a8b3-4]
  [MessageDispatcher.java][dispatchMessage]
  [Exception: javax.net.ssl.SSLException: Certificate not verified.

The remote server serving the /oidc/userinfo resource that the Federation Service tries to reach is

  https://graph.microsoft.com/oidc/userinfo

whose certificate has the subject

  Subject: C = US, ST = WA, L = Redmond, O = Microsoft Corporation, CN = graph.microsoft.com

and the issuer:

  Issuer: C = US, O = Microsoft Corporation, CN = Microsoft Azure TLS Issuing CA 06

The intermediate certificate "Microsoft Azure TLS Issuing CA 06" is itself issued by the root CA:

  Issuer: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2

Neither of these two certificates is among the CA certificates held in the Policy Store, so no trusted path from the graph.microsoft.com certificate up to a trusted root can be built, which is what "Could not validate path" reports. The first call succeeds only because the chain of the token endpoint on login.microsoftonline.com is already covered by the certificates present.

The Policy Store export confirms the userinfo endpoint the partnership resolves to:

pstore.xml:

            <ReferenceValue ReferenceId="Ref00033">
                <StringValue>s22a55w22-5as5-rr1s-445s-cd5552662sd55s</StringValue>

        <Object Class="CA.FED::OAuthPartnershipBase" Xid="CA.FED::[email protected]" [...] ExportType="Replace">

            <Property Name="CA.FED::OAuthPartnershipBase.DisambiguationID">
                <LinkValue><XREF>Ref00033</XREF></LinkValue>
            <Property Name="CA.FED::OAuthPartnershipBase.BaseURL">
                <LinkValue><XREF>Ref00075</XREF></LinkValue>
            <Property Name="CA.FED::OAuthClientToAuthzServerPship.UserInfoURLLink">
                <LinkValue>
                    <XID>CA.FED::[email protected]</XID>
            <Property Name="CA.FED::OAuthClientToAuthzServerPship.AuthzServerID">
                <StringValue>myoauthaz</StringValue>
        --
 
        <Object Class="CA.FED::Endpoint" Xid="CA.FED::[email protected]" [...] ExportType="Replace">
            <Property Name="CA.FED::Endpoint.Location">
                <LinkValue><XREF>Ref00496</XREF></LinkValue>
            <Property Name="CA.FED::Endpoint.Binding">
                <StringValue>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect</StringValue>

        -- 

            <ReferenceValue ReferenceId="Ref00496">
                <StringValue>https://graph.microsoft.com/oidc/userinfo</StringValue>

        -- 

        <Object Class="CA.FED::OAuthEntityBase" Xid="CA.FED::[email protected]" [...] ExportType="Replace">
            <Property Name="CA.FED::OAuthEntityClientLocal.RedirectURL">
                <LinkValue><XREF>Ref00073</XREF></LinkValue>
            <Property Name="CA.FED::OAuthEntityBase.Name">
                <StringValue>myoauthclient</StringValue>

        --

            <ReferenceValue ReferenceId="Ref00073">
                <StringValue>https://myserver.mydomain.com/affwebservices/public/oauthtokenconsumer/s22a55w22-5as5-rr1s-445s-cd5552662sd55s</StringValue>

        --

        <Object Class="CA.FED::Endpoint" Xid="CA.FED::[email protected]" [...] ExportType="Replace">
            <Property Name="CA.FED::Endpoint.Location">
                <LinkValue><XREF>Ref00221</XREF></LinkValue>

        --

            <ReferenceValue ReferenceId="Ref00221">
                <StringValue>https://login.microsoftonline.com/08b638e8-0676-45cc-b677-5c038b17d28a/oauth2/v2.0/token</StringValue>

 

Environment

 

    Web Agent Option Pack 12.52SP09 on ServletExec 6 on RedHat 6; 
    Policy Server 12.8SP5 on RedHat 7;

 

Resolution

 

- Add the intermediate CA certificate ("Microsoft Azure TLS Issuing CA 06") and the root CA certificate ("DigiCert Global Root G2") that sign the server certificate of

  https://graph.microsoft.com/oidc/userinfo

  to the Policy Store as Certificate Authorities, then retry the flow; the userinfo call should now succeed like the token call.

- Do not work around the error by disabling certificate verification on the Federation Service: the userinfo response supplies the claims used to identify the user, so an unverified connection would let anyone able to intercept the traffic substitute those claims.

- Microsoft rotates the intermediate CAs used by its endpoints. If the same error returns later with a different issuer CN in the trace, compare the issuer of the certificate currently served by graph.microsoft.com with the CA certificates in the Policy Store and add whichever is missing.
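Added example, not part of this article and not SiteMinder code: a shell script that rebuilds the situation described in the Cause and Resolution sections with a throwaway PKI generated by openssl, so the failure and the fix can be reproduced offline. The CA names, the host name graph.example.test and the "Unrelated Root" standing in for the certificates already in the Policy Store are all constructed; the trust decisions are those of `openssl verify`, used here as a stand-in for the Federation Service's own validator. It shows that a trust store holding only unrelated CAs fails path validation as in the trace, that adding root plus intermediate fixes it, and that with OpenSSL the root alone suffices when the server sends its intermediate. The show_server_chain function is the live check for a real host and is defined but not run.

```shell
#!/bin/sh
# Added example, not part of the KB article or of the SiteMinder product.
# Reproduces "the certificate chain is not trusted" offline with a throwaway PKI and
# shows which trust-store contents let path validation succeed. All names are
# constructed stand-ins (assumptions, not real certificates):
#   Example Root G2            ~ DigiCert Global Root G2
#   Example TLS Issuing CA 06  ~ Microsoft Azure TLS Issuing CA 06
#   graph.example.test         ~ graph.microsoft.com
#   Unrelated Root             ~ the CA certificates already in the Policy Store
# Requires the openssl command-line tool (1.1.1 or 3.x).

WORK="${WORK:-$(mktemp -d)}"

# EC key plus CSR for one subject: $1 = file stem, $2 = CN
_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/C=US/O=Example/CN=$2" >/dev/null 2>&1
}

# Build root -> intermediate -> leaf, plus an unrelated self-signed root.
make_pki() {
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:graph.example.test' > "$WORK/leaf.ext"
  _csr root "Example Root G2" && _csr other "Unrelated Root" &&
    _csr int "Example TLS Issuing CA 06" && _csr leaf "graph.example.test" || return 1
  for ca in root other; do
    openssl x509 -req -in "$WORK/$ca.csr" -signkey "$WORK/$ca.key" -days 3650 \
      -extfile "$WORK/ca.ext" -out "$WORK/$ca.pem" >/dev/null 2>&1 || return 1
  done
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 397 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Number of CA certificates in a PEM bundle ("Number of CA certificates received:27").
ca_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Is the leaf's issuer present as a subject in the bundle? Prints present|missing.
# This is the check to run against the CAs exported from the Policy Store.
issuer_in_store() {
  issuer="$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$WORK/leaf.pem" | sed 's/^[a-z]*= *//')"
  rm -f "$WORK"/ca_*.pem
  awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (dir "/ca_" n ".pem")}' "$1"
  for f in "$WORK"/ca_*.pem; do
    subject="$(openssl x509 -noout -subject -nameopt RFC2253 -in "$f" 2>/dev/null | sed 's/^[a-z]*= *//')"
    if [ "$subject" = "$issuer" ]; then echo present; return 0; fi
  done
  echo missing
}

# Path-validate the leaf against a trust store ($1); $2 = optional file of
# intermediates as sent by the server. Prints OK|FAIL ("Could not validate path").
trust_check() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  fi && echo OK || echo FAIL
}

# Live counterpart for a real host (not run here): print subject/issuer of every
# certificate the server presents, to compare with the Policy Store's CA list.
show_server_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    openssl crl2pkcs7 -nocrl -certfile /dev/stdin | openssl pkcs7 -print_certs -noout
}

make_pki || { echo "PKI generation failed"; exit 1; }
cat "$WORK/other.pem" > "$WORK/store_before.pem"                                  # as found
cat "$WORK/other.pem" "$WORK/root.pem" "$WORK/int.pem" > "$WORK/store_after.pem"   # after the Resolution
for s in before after; do
  f="$WORK/store_$s.pem"
  echo "store_$s: $(ca_count "$f") CA cert(s), issuer $(issuer_in_store "$f"), verify=$(trust_check "$f")"
done
echo "root only, intermediate sent by the server: verify=$(trust_check "$WORK/root.pem" "$WORK/int.pem")"
```

Run it with sh; set WORK to a directory of your choice to keep the generated files. Against the real endpoint, `show_server_chain graph.microsoft.com` prints the subject and issuer of each certificate the server presents, which is what to compare with the CA certificates exported from the Policy Store. Whether the root alone is enough for the Federation Service, as it is for OpenSSL here, is not something this script can tell you; the article's resolution adds both the intermediate and the root, which is the safe choice.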