
Resolving certificate errors for the SPS and Agent for SharePoint Tomcat Proxy.


Article ID: 41767


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Symptoms: 

Receiving a "Certificate for <HostName.mycompany.com/xxx.xxx.xxx.xx> is not trusted or bad certificate" in the Secure Proxy Server/Agent for SharePoint Trace File.

 

Environment:

R12.52 SP1 Single Sign-On (fka SiteMinder) Access Control Gateway (fka Secure Proxy Server)

R12.52 SP1 Single Sign-On Agent for SharePoint 2010/2013

 

Cause:

The "Certificate for <HostName.mycompany.com/xxx.xxx.xxx.xx> is not trusted or bad certificate" logged in the Agent trace file is a generic error message resulting from the failure to establish the SSL connection from the Secure Proxy Server or Agent for SharePoint to the back-end SSL enabled Server.

The following are the most common issues that result in this error:

1.) The back-end Server Certificate presented is bad.

2.) The RootCA Certificate(s) that signed the back-end Server Certificate is/are not in the ca-bundle.cert file to allow the SPS/Agent for SharePoint to Trust the certificate presented.

3.) There is an SSL protocol mismatch between the SPS/Agent for SharePoint and the back-end SSL enabled Server.

4.) There is an SSL cipher mismatch between the SPS/Agent for SharePoint and the back-end SSL enabled Server.

5.) The back-end Server Certificate is SHA2, and the Java Cryptography Extensions (JCE) patch has not been applied to the runtime version of Java.

 

Resolution:

1.) Obtain a valid non-expired certificate and configure the environment appropriately to utilize the new certificate.

2.) Using a text editor, copy the base64 PEM encoded certificate for the RootCA certificate and every intermediate certificate in the chain that signed the back-end Server Certificate into the "ca-bundle.cert" file. Copy each certificate in full, from its BEGIN line through its END line inclusive; the markers are exactly five dashes with no spaces:

-----BEGIN CERTIFICATE-----

(base64 certificate body)

-----END CERTIFICATE-----

 

3.) Verify that the protocol versions defined in the "<sslparams>" section of the Server.conf file match a protocol supported by the back-end Server.

e.g. versions="TLSv1"

For the R12.52 SP1 through R12.52 SP1 CR-02 Agents, only the "SSLv3" and "TLSv1" Protocols are supported.

The R12.52 SP1 CR-04 Agents support "TLSv1", "TLSv1.1", and "TLSv1.2".

4.) The Agents provide a default list of Ciphers in the "<sslparams>" section configured in the Server.conf file. Modify this list of ciphers to remove or add any required ciphers to match your security needs. Verify that the back-end Server has a matching cipher.

5.) Obtain the Java Cryptography Extensions Unlimited Strength Jurisdiction Policy patch from your Java vendor and apply the patch to the runtime Java.
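The script below is an added example for resolution steps 2 through 4 and is not CA/Broadcom code. It audits a ca-bundle.cert for PEM blocks whose markers are misspelled or whose body is not valid base64 (the page's own six-dash spelling is one such case), reads the versions and ciphers attributes out of the "<sslparams>" section, and then attempts one handshake per configured protocol against the back-end using only the bundle as trust store, so the generic "not trusted or bad certificate" message is narrowed to a chain, protocol or cipher problem. Assumptions: the Server.conf section is modelled as a block of key="value" lines between <sslparams> and </sslparams> (the real file may differ), the "ciphers" key name is assumed, the PEM body "MAMCAQE=" used in the comments and tests is a constructed DER stand-in rather than a real certificate, and the host and port given on the command line are placeholders.

```python
import base64
import binascii
import re
import socket
import ssl

# Real PEM armor is exactly five dashes with no spaces around the words.
# A block whose markers are spelled differently is skipped by the loader,
# and the proxy then reports the back-end certificate as "not trusted".
MARKER_OK = re.compile(r"^-----(BEGIN|END) CERTIFICATE-----$")
MARKER_LIKE = re.compile(r"^-+\s*(BEGIN|END)\s+CERTIFICATE\s*-+$")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Protocol names as written in <sslparams> versions="..." mapped onto the
# local OpenSSL.  SSLv3 is deliberately absent: current OpenSSL builds will
# not negotiate it, so that entry is reported instead of probed.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def audit_bundle(text):
    """Return (usable_blocks, problems) for the text of a ca-bundle.cert."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if MARKER_LIKE.match(s) and not MARKER_OK.match(s):
            problems.append(f"line {n}: malformed PEM marker {s!r}")
    usable = 0
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            problems.append("certificate body is not valid base64")
            continue
        # A DER certificate is an ASN.1 SEQUENCE and therefore begins 0x30
        # (the constructed stand-in "MAMCAQE=" decodes to such a prefix).
        if not der or der[0] != 0x30:
            problems.append("decoded body is not a DER SEQUENCE")
            continue
        usable += 1
    if usable == 0:
        problems.append("no usable certificate block found")
    return usable, problems


def parse_sslparams(server_conf):
    """Return the key="value" settings inside <sslparams> ... </sslparams>.
    Assumption: the section is a block of key="value" lines, as in the
    versions="TLSv1" example on the page; the real Server.conf may differ."""
    m = re.search(r"<sslparams>(.*?)</sslparams>", server_conf, re.S | re.I)
    if not m:
        return {}
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1)))


def as_list(value):
    """Split a comma-separated attribute value into its entries."""
    return [v.strip() for v in value.split(",") if v.strip()]


def common(configured, backend):
    """Entries both sides offer; an empty result is a protocol or cipher mismatch."""
    offered = set(backend)
    return [v for v in configured if v in offered]


def probe_backend(host, port, cafile, versions, timeout=5):
    """One handshake per configured protocol, trusting only the bundle.
    Returns {version: 'ok (<cipher>)' or the reason the handshake failed}."""
    results = {}
    for name in versions:
        if name not in TLS_VERSIONS:
            results[name] = "not probed: unsupported by local OpenSSL"
            continue
        try:
            ctx = ssl.create_default_context(cafile=cafile)
            ctx.minimum_version = ctx.maximum_version = TLS_VERSIONS[name]
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = f"ok ({tls.cipher()[0]})"
        except ssl.SSLCertVerificationError as e:        # cause 1 or 2
            results[name] = f"chain not trusted by bundle: {e.verify_message}"
        except (ssl.SSLError, OSError, ValueError) as e:  # cause 3 or 4
            results[name] = f"handshake failed: {e}"
    return results


if __name__ == "__main__":
    import sys
    # usage: python check_backend_tls.py ca-bundle.cert Server.conf backend.example port
    bundle_path, conf_path, host, port = sys.argv[1:5]
    with open(bundle_path) as f:
        usable, problems = audit_bundle(f.read())
    print(f"{bundle_path}: {usable} usable block(s); {problems or 'no problems'}")
    with open(conf_path) as f:
        params = parse_sslparams(f.read())
    versions = as_list(params.get("versions", "TLSv1"))
    for v, outcome in probe_backend(host, int(port), bundle_path, versions).items():
        print(f"{v}: {outcome}")
```

A "chain not trusted by bundle" result points at step 1 or 2 (bad server certificate, or a root or intermediate missing from ca-bundle.cert); a "handshake failed" result for every configured version points at step 3 or 4. The probe pins both the minimum and maximum protocol to the configured version so that each entry in versions="..." is tested on its own rather than letting the local OpenSSL negotiate upward.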

Environment

Release:
Component: SMSPA