I am getting an "Authentication Required" message when attempting to establish trust between Enterprise Service Manager and API Gateway.

Article ID: 42911

Updated On:

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

 

Symptoms:

A failed trust relationship will continue to show failure indicators in ESM for the cluster that is failing to establish trust. This will include the "no handshake" symbol, a yellow cluster status indicator, and a red cluster node indicator. As the Gateway would not trust ESM to manage it, the cluster would be degraded and the node would be reported as "down" (since the Gateway is not reporting its state to ESM whatsoever).

This behavior can be seen more specifically in the ESM log file, located on the ESM instance at /opt/SecureSpan/EnterpriseManager/var/logs/ssem_0_0.log with the following entry:


com.l7tech.server.ems.monitoring.MonitoringConfigurationSynchronizer: Unable to push down monitoring configuration to <IP address> for node <node name> (52f51f19860c4bfc8f0aad32a8cb120d) of cluster <cluster name> (<cluster ID>): Authentication Required.

The key detail is the "Authentication Required" at the end of the message. While that may seem to imply a problem with the mapped Gateway user, that authorization and authentication is handled by a separate process on the Gateway itself (not on ESM). Because ESM is the one reporting that authentication is required, you can surmise that something incorrectly configured in ESM is being presented to the Gateway.
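As an added example (not part of the original article or of the product), the following Python sketch scans ESM log lines for the entry quoted above and lists the cluster nodes whose configuration push was rejected with "Authentication Required". The sample lines, their timestamp prefix, the names, IDs and addresses, and the "Connection refused" reason are constructed for illustration.

```python
import re
from collections import Counter

# Message layout taken from the ESM log entry quoted in the article. Anything
# before the class name (timestamp, level) is ignored, because the article does
# not show the line prefix.
PUSH_FAILURE = re.compile(
    r"MonitoringConfigurationSynchronizer: Unable to push down monitoring "
    r"configuration to (?P<ip>\S+) for node (?P<node>.+?) \((?P<node_id>[0-9a-f]+)\) "
    r"of cluster (?P<cluster>.+?) \((?P<cluster_id>[^)]+)\): (?P<reason>.+?)\.?\s*$"
)

# Constructed sample lines (not real log output).
SAMPLE_LOG = """\
2014-03-01T10:00:00 WARNING com.l7tech.server.ems.monitoring.MonitoringConfigurationSynchronizer: Unable to push down monitoring configuration to 192.0.2.10 for node gw-node-1 (00112233445566778899aabbccddeeff) of cluster prod-cluster (c1): Authentication Required.
2014-03-01T10:00:05 WARNING com.l7tech.server.ems.monitoring.MonitoringConfigurationSynchronizer: Unable to push down monitoring configuration to 192.0.2.11 for node gw-node-2 (ffeeddccbbaa99887766554433221100) of cluster prod-cluster (c1): Connection refused.
2014-03-01T10:01:00 INFO com.example.Unrelated: heartbeat ok
2014-03-01T10:05:00 WARNING com.l7tech.server.ems.monitoring.MonitoringConfigurationSynchronizer: Unable to push down monitoring configuration to 192.0.2.10 for node gw-node-1 (00112233445566778899aabbccddeeff) of cluster prod-cluster (c1): Authentication Required.
"""


def untrusted_nodes(lines):
    """Return {(cluster, node, ip): count} for pushes that failed with
    'Authentication Required'. Other failure reasons are skipped, since they
    do not point at the trusted ESM certificate on the Gateway."""
    hits = Counter()
    for line in lines:
        match = PUSH_FAILURE.search(line)
        if match and match.group("reason").lower() == "authentication required":
            key = (match.group("cluster"), match.group("node"), match.group("ip"))
            hits[key] += 1
    return dict(hits)


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of ssem_0_0.log to triage a real ESM.
    for (cluster, node, ip), count in untrusted_nodes(SAMPLE_LOG.splitlines()).items():
        print(f"{cluster}/{node} ({ip}): {count} rejected push(es); "
              "check the trusted ESM certificate on this Gateway")
```

Each node reported is a Gateway whose trusted ESM certificate should be checked as described under Resolution.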

Cause:

The trust relationship between Enterprise Service Manager and the SecureSpan Gateway is required because the Gateway operates under the premise that no entity can be implicitly trusted except itself. Because of this, a Gateway to be managed by ESM must be instructed to trust a specific entity. This relationship cannot merely exist in the Manage Certificates dialog, as that applies to services and policies. To address this, the Gateway maintains a special certificate that is isolated from the rest and is only trusted for ESM-related functions.

This is the trusted ESM certificate, visible in the Layer 7 Policy Manager within the "Manage ESM User Mappings" task.

By importing this certificate, the Gateway is configured to allow ESM functions from one single host: the entity that presents that trusted certificate. This trust relationship is established through the "Remote Management configuration menu" of the Gateway configurator (ssgconfig). By specifying the hostname of the ESM instance to be trusted (or the SHA1 thumbprint of the certificate to be presented), the Gateway knows whom to allow to manage it.

The "Authentication Required" error thrown by ESM is almost always caused by the Gateway being managed not trusting the certificate being presented by ESM. More specifically, this means that the trusted certificate specified in the "Remote Management configuration menu" is either incorrect or not set properly.

Resolution:

To resolve this issue, log onto the Gateway configuration menu of the Gateway failing to trust ESM and verify that a trusted certificate has been imported via the "Remote Management configuration menu." This can also be verified through the "Manage ESM User Mappings" dialog, which contains the trusted ESM certificate.

If one is not set, you must set it, either with the remote system hostname or with the SHA1 thumbprint of the accepted certificate. If one is set, verify its thumbprint; if the thumbprint is incorrect, delete the existing certificate. Once the existing certificate is deleted, import the new certificate via HTTPS or via the SHA1 thumbprint.

After changing the trusted certificate, you must restart the Gateway appliance for the change to take effect.

Environment

Release: L7SMG299000-7.1-Mobile API Gateway-HARDWARE APPLIANCE DUAL CPU
Component: