Enable Client Auth (2 Way SSL) From CA Access Gateway to backend server
Article ID: 75632
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
Most SSL configurations from CA Access Gateway to a backend server are one-way SSL: the client (CA Access Gateway) requests an SSL connection to the backend server, the backend server presents its server certificate, the Access Gateway validates that the certificate is trusted, and the SSL session is established.
In some cases the backend server requests two-way SSL, in which CA Access Gateway must also present its own client certificate so that the backend server can validate it and confirm it is trusted before SSL communication is established.
Environment
Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus Component:
Resolution
**** Step 1 --> Navigate to "installation_path/SSL/bin" and use openssl to generate a private key
**** Step 6 --> Go to "installation_path/proxy-engine/conf" and edit server.conf so that it contains your key file name and the encrypted passphrase, as follows:
ClientKeyFile="client2-privateKey-DER.key" --> The path "installation_path/SSL/clientcert/Keys" is hardcoded, so do not include the path in ClientKeyFile; give only the file name.
ClientPassPhrase= --> Follow these steps to generate the encrypted value of the key encryption passphrase from Step 5:
a) Open the command prompt.
b) Navigate to "installation_path/SSL/bin" and execute the following command:
Windows: EncryptUtil.bat <SPSCertificatePrivateKey_Password>
Use the value it prints as the ClientPassPhrase value.
If you get an exception such as the one below when the key is loaded, check your private key and make sure it was created according to the steps above:
[INFO] - NoodleFileKeyStore.java : Loading 1 root certificates.
[DEBUG] - NoodleFileKeyStore.java : Loaded Certificate: client2-Cert_x509.cer
[DEBUG] - NoodleFileKeyStore.java : Loaded Certificate: RootCA.cer
[INFO] - NoodleFileKeyStore.java : Successfully loaded keyfile.
[ERROR] - RSASSLConfig.java : Failed to load keystore
[DEBUG] - RSASSLConfig.java : com.rsa.ssl.SSLException: com.rsa.ssl.SSLException: Could not read private key.
com.rsa.jsafe.JSAFE_UnimplementedException: Could not decode the data.(Not a valid RSA private SSLC key, missing header)
    at com.rsa.jsafe.JSAFE_SymmetricCipher.a(Unknown Source)
    at com.rsa.jsafe.JSAFE_SymmetricCipher.getInstance(Unknown Source)
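Before editing server.conf in Step 6, it is worth confirming that the key file is in a format the gateway can parse and that it actually belongs to the client certificate, since a PEM file or a mismatched key is what typically produces the "Could not decode the data" error above. The script below is an added example, not part of the article or of the CA Access Gateway product; it assumes the key is expected as a DER-encoded RSA private key (as the file name client2-privateKey-DER.key suggests) and that openssl is on the PATH, and it generates its own sample key and certificate as constructed input.

```shell
#!/bin/sh
# Added example (not from the CA/Broadcom article): pre-flight checks on the
# client key and certificate before they are referenced from server.conf.
# Assumption: the key must be a DER-encoded RSA private key, as the file name
# client2-privateKey-DER.key in the article suggests.
set -eu

# Return 0 if FILE parses as a DER-encoded, unencrypted RSA private key.
# A PEM file here is a typical cause of "Could not decode the data ... missing header".
key_is_der_rsa() {
    openssl rsa -inform DER -in "$1" -noout -check >/dev/null 2>&1
}

# Return 0 if KEY (DER) and CERT share the same RSA modulus, i.e. the
# certificate was really issued for this key. CERT_FORM is PEM or DER.
key_matches_cert() {
    key_mod=$(openssl rsa -inform DER -in "$1" -noout -modulus 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -inform "$3" -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ "$key_mod" = "$cert_mod" ]
}

# Constructed sample material in a scratch directory (not real SPS files):
# a client key in PEM and DER form, a self-signed cert for it, and an
# unrelated second key used to show a mismatch being caught.
make_sample() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/client.pem" 2048 >/dev/null 2>&1
    openssl rsa -in "$dir/client.pem" -outform DER -out "$dir/client-DER.key" >/dev/null 2>&1
    openssl req -new -x509 -key "$dir/client.pem" -days 1 \
        -subj "/CN=sps-client-sample" -out "$dir/client.cer" >/dev/null 2>&1
    openssl genrsa -out "$dir/other.pem" 2048 >/dev/null 2>&1
    openssl rsa -in "$dir/other.pem" -outform DER -out "$dir/other-DER.key" >/dev/null 2>&1
    echo "$dir"
}

# Run with --demo to see the four checks against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample)
    key_is_der_rsa "$d/client-DER.key" && echo "DER key: OK"
    key_is_der_rsa "$d/client.pem" || echo "PEM key rejected (would fail to load in the gateway)"
    key_matches_cert "$d/client-DER.key" "$d/client.cer" PEM && echo "key/cert modulus match: OK"
    key_matches_cert "$d/other-DER.key" "$d/client.cer" PEM || echo "unrelated key rejected"
    rm -rf "$d"
fi
```

Run the same two checks against the real files under installation_path/SSL/clientcert/Keys before restarting the gateway; a key that fails key_is_der_rsa will not be loaded regardless of what ClientPassPhrase contains.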