The Spectrum OneClick Web Page fails to open when SSL is enabled.

Article ID: 44526

Products

CA Spectrum

Issue/Introduction


After configuring OneClick for SSL, the OneClick web page cannot be opened. The Tomcat logs show the SSL connector initializing and starting, and no errors are logged for Tomcat, yet the page fails to open. The only error appears on the browser side: "ERR_BAD_SSL_CLIENT_AUTH_CERT".


Environment

Release: Any version of Spectrum
Component:

Cause


The browser error indicates a problem with the client-side certificate that the connector is requiring. In most cases the SSL Connector is not set up to use client-side certificates, so the browser has no certificate to present and the handshake fails.

Resolution

The SSL Connector has a rarely used option which, when enabled, makes the connector require a certificate from the client side.

- Open the $SPECROOT/tomcat/conf/server.xml file.
- Check the SSL Connector configuration to see whether clientAuth="true" is set.

   If this option is set, the connector requires a valid certificate from the client. Setting it to clientAuth="false" resolves the issue and allows clients to connect and open the web page.

An example of a typical SSL Connector for OneClick is below:

<Connector
    port="443"
    enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
    acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
    clientAuth="false" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5,
             SSL_RSA_WITH_RC4_128_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA,
             TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
             TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA,
             SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
             SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
    keystoreFile="<SPECROOT>/custom/keystore/cacerts"
    keystorePass="changeit">
</Connector>


The preceding XML fragment is Windows-specific, with 443 as the default port where the OneClick web server listens for SSL communications. End users can omit the port from the URL for accessing the OneClick home page: https://<fully_qualified_host_name>/spectrum.

On a UNIX-based installation, the OneClick web server is not run as root, and the default port is 8443 (because it must be greater than 1024). As a result, end users must specify the port number in the web browser when they enter the URL to access the OneClick home page: https://<fully_qualified_host_name>:8443/spectrum.

Optional Configuration Changes:

  • To prevent a client from negotiating Tomcat back down to SSLv3 (the POODLE vulnerability), add the attribute sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the Connector configuration.
  • The Diffie-Hellman ciphers TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_DSS_WITH_AES_128_CBC_SHA are known to cause the secure connection to fail in browsers with enhanced security, such as Firefox and Chrome. To resolve this, remove these ciphers from the Connector configuration.
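To check the three connector settings this article covers (clientAuth, sslEnabledProtocols and the two DHE ciphers) without reading server.xml by hand, the following audit script can be run against $SPECROOT/tomcat/conf/server.xml. It is an added example, not CA Spectrum code; the sample server.xml embedded in it is constructed for illustration.

```python
"""Audit a Tomcat server.xml for the OneClick SSL connector settings
discussed in this article. Added example, not CA/Broadcom code."""
import xml.etree.ElementTree as ET

# Ciphers the article says break TLS in hardened Firefox/Chrome builds.
PROBLEM_CIPHERS = {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                   "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"}


def audit_ssl_connectors(server_xml: str) -> list:
    """Return one finding dict per SSL-enabled <Connector> in server_xml."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP / AJP connectors are not relevant here
        ciphers = {c.strip() for c in conn.get("ciphers", "").split(",")
                   if c.strip()}
        protocols = conn.get("sslEnabledProtocols")
        findings.append({
            "port": conn.get("port"),
            # clientAuth="true" is what yields ERR_BAD_SSL_CLIENT_AUTH_CERT
            "client_auth_required":
                conn.get("clientAuth", "false").lower() == "true",
            # without sslEnabledProtocols, SSLv3 may be negotiated (POODLE)
            "sslv3_possible": protocols is None or "SSLv3" in protocols,
            "problem_ciphers": sorted(ciphers & PROBLEM_CIPHERS),
        })
    return findings


# Constructed sample: one HTTP connector plus one misconfigured SSL connector
# (the keystore path is a placeholder, not a real installation path).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1"/>
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
             clientAuth="true" sslProtocol="TLS"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,
                      TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
             keystoreFile="SPECROOT/custom/keystore/cacerts"
             keystorePass="changeit"/>
</Service></Server>"""

if __name__ == "__main__":
    for finding in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Replace SAMPLE_SERVER_XML with the contents of the real server.xml to audit a live installation; a finding with client_auth_required set to True is the condition described in the Resolution above.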

Additional Information

  • For more information regarding setting up OneClick for SSL, please reference the "Configure OneClick for Secure Sockets Layer" section of the documentation.
  • For information on setting up OneClick for SSL with CAC authentication, please reference the "How to Configure CA Spectrum for SSL and CAC Authentication" section of the documentation.