After configuring OneClick for SSL, we are unable to open the OneClick web page. The Tomcat logs show the SSL connector initializing and starting, and no errors are logged for Tomcat, yet the page fails to open. The only error appears on the browser side: "ERR_BAD_SSL_CLIENT_AUTH_CERT".
Release: Any version of Spectrum
Component:
The error indicates a problem with the client-side certificate, which is by default required, and in most cases the SSL Connector is not configured to use a client-side certificate.
There is a rarely used option in the SSL Connector that, when enabled, causes the connector to check the client side for a certificate.
- Open the $SPECROOT/tomcat/conf/server.xml file
- Check the SSL Connector configuration to see if clientAuth="true" is set.
If this option is set, the connector checks the client side for a valid certificate. Disabling this option resolves the issue and allows the client to connect and open the web page.
An example of a typical SSL Connector for OneClick is below:
<Connector
port="443"
enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
clientAuth="false" sslProtocol="TLS"
ciphers="SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
keystoreFile="<SPECROOT>/custom/keystore/cacerts"
keystorePass="changeit">
</Connector>
The preceding XML fragment is Windows-specific, with 443 as the default port where the OneClick web server listens for SSL communications. End users can omit the port from the URL for accessing the OneClick home page: https://<fully_qualified_host_name>/spectrum.
On a UNIX-based installation, the OneClick web server is not run as root, and the default port is 8443 (because it must be greater than 1024). As a result, end users must specify the port number in the web browser when they enter the URL to access the OneClick home page: https://<fully_qualified_host_name>:8443/spectrum.
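The server.xml check described above can be scripted. The following is an added example, not part of the original article or of Spectrum: it reports the clientAuth setting of every SSL-enabled Connector and, going one step beyond the article, lists any configured cipher suites based on RC4, 3DES or MD5, which are deprecated. The function name, the sample XML and the weak-cipher markers are assumptions made for the example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real installation).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="true" sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_3DES_EDE_CBC_SHA" />
  </Service>
</Server>"""

# Substrings this example treats as marking a deprecated cipher suite.
WEAK_MARKERS = ("RC4", "3DES", "MD5")


def audit_connectors(xml_text):
    """Return one finding per SSL-enabled <Connector> in a server.xml document."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").strip().lower() != "true":
            continue  # not a TLS connector, so clientAuth is irrelevant here
        client_auth = conn.get("clientAuth")  # None when the attribute is absent
        suites = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        findings.append({
            "port": conn.get("port"),
            "clientAuth": client_auth,
            "requires_client_cert": (client_auth or "").strip().lower() == "true",
            "weak_ciphers": [c for c in suites if any(m in c for m in WEAK_MARKERS)],
        })
    return findings


if __name__ == "__main__":
    # Pass the path to server.xml as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SERVER_XML
    for f in audit_connectors(text):
        status = "REQUIRES client certificate" if f["requires_client_cert"] else "no client certificate required"
        print(f"port {f['port']}: clientAuth={f['clientAuth']!r} -> {status}")
        for suite in f["weak_ciphers"]:
            print(f"  weak cipher suite enabled: {suite}")
```

Run it with the path to $SPECROOT/tomcat/conf/server.xml as the only argument; a connector reported as requiring a client certificate is the one producing ERR_BAD_SSL_CLIENT_AUTH_CERT in browsers that have no certificate to present.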