Error: No trusted certificate in OpenID through a Forward Proxy Server

Article ID: 241326

Products

CA Single Sign On Agents (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
SITEMINDER
CA Single Sign On Federation (SiteMinder)

Issue/Introduction


CA Access Gateway (SPS) was upgraded to 12.8.06 in order to use the new feature

"Communication with Public OpenID Connect Providers through a Forward Proxy Server, via Backchannel Communication" (1)

The forward proxy is configured and already listening on HTTP port xxxx.

However, after following the configuration steps, the transaction fails with the following error in FWStrace.log:

[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][proxy is configured for back-channel communication]
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][proxy configuration = [Proxy Server Host: _proxy._domain._com][Proxy Server Port:xxxx]
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][send proxyConnection request]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][startSession][ProxyResponse = HTTP/1.0 200 Connection established]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][invoke][javax.net.ssl.SSLHandshakeException: No trusted certificate found]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][invoke][Ending the session.]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][endSession][start]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][endSession][end]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][shouldRetry][Enter.  Retry Count = 5]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][shouldRetry][Either the maxRetry count has been hit or status code null indicates do not retry.]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][shouldRetry][exit]
[04/12/2022][19:02:18][111617][139634415204096][3b665306-5282c6d3-22827fce-f3d91461-db5f43b1-ba][MessageDispatcher.java][dispatchMessage][Dispatcher object thrown unknown exception while processing the message. Message: javax.net.ssl.SSLHandshakeException: No trusted certificate found.]
[04/12/2022][19:02:18][111617][139634415204096][3b665306-5282c6d3-22827fce-f3d91461-db5f43b1-ba][MessageDispatcher.java][dispatchMessage][Exception:
com.ca.sso.smssl.SMSSLException: javax.net.ssl.SSLHandshakeException: No trusted certificate found
        at com.ca.sso.smssl.socket.SMSSLSocketImpl.startHandshake(SMSSLSocketImpl.java:514)
        at com.netegrity.srca.connection.SSLHandler.startSession(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.srca.Srca.invoke(Unknown Source)
        at com.netegrity.affiliateminder.webservices.MessageDispatcher.a(fedfws_obfsc:429)
        at com.ca.federation.webservices.oauth.utils.c.a(Unknown Source)
        at com.ca.federation.webservices.oauth.handlers.b.m(Unknown Source)
        at com.ca.federation.webservices.oauth.handlers.b.b(Unknown Source)
        at com.ca.federation.webservices.oauth.TokenConsumer.g(Unknown Source)
        at com.ca.federation.webservices.oauth.TokenConsumer.d(Unknown Source)
        at com.ca.federation.webservices.oauth.TokenConsumer.doGet(Unknown S"

All certificate chains have been added to ca-bundle.cert.
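The trace above is worth reading in order: the proxy answers the CONNECT request with "200 Connection established", and only then does the SSL handshake fail. That ordering separates a proxy reachability or authentication problem from a TLS problem between SPS and the provider. The following triage script is an added example, not part of the article or of the SiteMinder product; it parses the bracketed FWStrace.log field format shown above on a constructed excerpt (timestamps, PID/thread IDs and hostnames are made up) and reports whether the tunnel was established before the handshake failed.

```python
import re

# Constructed FWStrace.log excerpt in the article's bracketed field format;
# timestamps, PID/thread IDs and hostnames are made up for this example.
SAMPLE_FWSTRACE = """\
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][proxy is configured for back-channel communication]
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][proxy configuration = [Proxy Server Host: _proxy._domain._com][Proxy Server Port:xxxx]
[04/12/2022][19:02:17][111617][139634415204096][][SSLHandler][startSession][send proxyConnection request]
[04/12/2022][19:02:18][111617][139634415204096][][SSLHandler][startSession][ProxyResponse = HTTP/1.0 200 Connection established]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][invoke][javax.net.ssl.SSLHandshakeException: No trusted certificate found]
[04/12/2022][19:02:18][111617][139634415204096][][Srca][shouldRetry][Enter.  Retry Count = 5]
"""

# Field names are an assumption for this example, chosen from the column order seen in the trace.
FIELDS = ("date", "time", "pid", "tid", "txn", "component", "method", "message")


def parse_fwstrace_line(line):
    """Split one FWStrace line into its eight bracketed fields.

    The message (last field) may itself contain "][", so the split is capped
    at seven so that everything after the method stays in the message.
    Returns None for lines that do not follow the format (e.g. stack-trace frames).
    """
    line = line.strip()
    if not line.startswith("["):
        return None
    body = line[1:-1] if line.endswith("]") else line[1:]
    parts = body.split("][", 7)
    if len(parts) != 8:
        return None
    return dict(zip(FIELDS, parts))


PROXY_STATUS_RE = re.compile(r"ProxyResponse\s*=\s*HTTP/\d\.\d\s+(\d{3})")


def triage_backchannel(log_text):
    """Classify a back-channel failure: did the proxy CONNECT succeed, and did
    the TLS handshake with the provider fail afterwards?"""
    proxy_status = None
    handshake_error = None
    for raw in log_text.splitlines():
        rec = parse_fwstrace_line(raw)
        if rec is None:
            continue
        msg = rec["message"]
        m = PROXY_STATUS_RE.search(msg)
        if m and rec["component"] == "SSLHandler":
            proxy_status = int(m.group(1))
        if "SSLHandshakeException" in msg and handshake_error is None:
            # keep only the text after the exception class name
            handshake_error = msg.split(":", 1)[1].strip() if ":" in msg else msg
    if proxy_status == 200 and handshake_error:
        verdict = "proxy tunnel established; TLS handshake with the provider failed"
    elif proxy_status is not None and proxy_status != 200:
        verdict = "proxy refused the CONNECT request"
    elif handshake_error:
        verdict = "TLS handshake failed before any proxy response was logged"
    else:
        verdict = "no back-channel failure found"
    return {"proxy_status": proxy_status,
            "handshake_error": handshake_error,
            "verdict": verdict}


if __name__ == "__main__":
    print(triage_backchannel(SAMPLE_FWSTRACE))
```

On the constructed excerpt the verdict is "proxy tunnel established; TLS handshake with the provider failed", which is the situation this article addresses; a non-200 ProxyResponse would instead point at proxy access control or configuration.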


Environment


CA Access Gateway (SPS) 12.8SP6


Cause


This is a product limitation of CA Access Gateway (SPS) in every version before 12.8.06a (12.8.06 included).

TLSv1.3 is not yet certified with CA Access Gateway (SPS); it is certified only on the 12.8.06 Policy Server (2).

Running "~/openssl s_client -proxy _proxy._domain._com:port -connect _server._domain._com:443 -showcerts" shows that the session through the proxy negotiated TLSv1.3:

subject=CN = _server._domain._com
issuer=C = US, O = _root, CN = _root
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4756 bytes and written 450 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Running a similar openssl command without "-proxy _proxy._domain._com:port" ended with a TLSv1.2 session instead:

SSL-Session:
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES128-GCM-SHA256
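The two openssl runs differ only in the negotiated protocol version, so the useful check is to read that version out of the s_client output and compare it against what SPS is certified for. The script below is an added example, not part of the article or of SiteMinder; it parses both output shapes shown above (the "New, ..., Cipher is ..." summary line and the SSL-Session block) on constructed samples, flags a TLSv1.3 negotiation, and builds the openssl command line for repeating the proxy probe with the client pinned to TLSv1.2. The certified-version set is an assumption made for this check (the article only states that TLSv1.3 is not certified), and the `-proxy` and `-tls1_2` options are real OpenSSL 1.1.x s_client flags.

```python
import re

# Constructed openssl s_client output in the two shapes the article shows.
SAMPLE_VIA_PROXY = """\
subject=CN = _server._domain._com
issuer=C = US, O = _root, CN = _root
---
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Verify return code: 0 (ok)
"""

SAMPLE_DIRECT = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

NEW_LINE_RE = re.compile(r"^\s*New,\s*(?P<proto>[^,]+),\s*Cipher is\s+(?P<cipher>\S+)", re.M)
PROTOCOL_RE = re.compile(r"^\s*Protocol\s*:\s*(?P<proto>\S+)", re.M)
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(?P<cipher>\S+)", re.M)

# Assumption for this example: treat TLSv1.2 as the version to accept for SPS
# before 12.8.06a. The article states only that TLSv1.3 is not certified.
CERTIFIED_FOR_SPS = frozenset({"TLSv1.2"})


def negotiated(output):
    """Return (protocol, cipher) from s_client output, or None if not present."""
    m = NEW_LINE_RE.search(output)
    if m:
        return m.group("proto").strip(), m.group("cipher")
    p = PROTOCOL_RE.search(output)
    c = CIPHER_RE.search(output)
    if p and c:
        return p.group("proto"), c.group("cipher")
    return None


def assess(output, certified=CERTIFIED_FOR_SPS):
    """Report the negotiated version and whether it is in the certified set."""
    found = negotiated(output)
    if found is None:
        return {"protocol": None, "cipher": None, "certified": False,
                "note": "no negotiated protocol found in output"}
    proto, cipher = found
    ok = proto in certified
    note = ("negotiated version is certified" if ok
            else f"{proto} negotiated; not certified for SPS, ask the proxy admin to negotiate TLSv1.2")
    return {"protocol": proto, "cipher": cipher, "certified": ok, "note": note}


def retest_command(proxy_hostport, server_host, port=443):
    """Build the openssl invocation that repeats the article's probe through the
    proxy but pins the client to TLSv1.2, to confirm a TLSv1.2 handshake can
    still complete on that path. Hostnames are placeholders supplied by the caller."""
    return ["openssl", "s_client", "-proxy", proxy_hostport,
            "-connect", f"{server_host}:{port}", "-tls1_2", "-showcerts"]


if __name__ == "__main__":
    print(assess(SAMPLE_VIA_PROXY))
    print(assess(SAMPLE_DIRECT))
    print(" ".join(retest_command("_proxy._domain._com:port", "_server._domain._com")))
```

If the pinned TLSv1.2 probe through the proxy also succeeds with "Verify return code: 0 (ok)", the proxy path is capable of the version SPS supports and the remaining work is on the proxy side, as the Resolution describes.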

Resolution


TLSv1.3 is not yet certified with CA Access Gateway (SPS); it is certified only on the 12.8.06 Policy Server.

Consult the proxy server administrator to see whether the proxy configuration can be downgraded to negotiate TLSv1.2.


Additional Information


(1) Support SiteMinder OAuth Client Communication with Public OpenID Connect Providers through a Forward Proxy Server, via Backchannel Communication

(2) Support for TLS 1.3 Protocol