
Enable Client Auth (2 Way SSL) From CA Access Gateway to backend server


Article ID: 75632


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


Most SSL configurations from CA Access Gateway to a backend server are one-way SSL: the client (CA Access Gateway) initiates the SSL handshake, the backend server sends back its server certificate, the Access Gateway checks that the certificate chains to a root it trusts, and the SSL session is established.

In some cases the backend server requires two-way (mutual) SSL, where CA Access Gateway must also present its own client certificate so that the backend server can validate it against a root it trusts before the SSL session is established. The steps below create that client key and certificate and configure the gateway to present them.


Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus


**** Step 1 --> Navigate to "installation_path/SSL/bin" and use openssl to generate a private key:

./openssl genrsa -out ../clientcert/keys/client2-privateKey.key [numbits]

This writes the key into the "installation_path/SSL/clientcert/keys" folder, which is where the gateway looks for it (see Step 6).

**** Step 2 --> Create the certificate signing request from the key generated in Step 1

./openssl req -new -key ../clientcert/keys/client2-privateKey.key -out client2-CSR.csr -config ./openssl.cnf

Use -key here rather than -newkey/-keyout: the -newkey form generates a second, different key, and a certificate issued from that CSR would not match the key the gateway loads from clientcert/keys.

**** Step 3 --> Sign The Request using your Root Authority 

**** Step 4 --> Convert the signed certificate and the Root CA certificate to DER encoding

./openssl x509 -in client2-Cert_x509.pem -out client2-Cert_x509.cer -outform der
./openssl x509 -in RootCA.pem -out RootCA.cer -outform der

(The PEM file name of your Root CA certificate will differ; RootCA.cer is the output name that appears in the startup log in Step 8.)

Move both DER certificates (the client certificate and the Root CA certificate) to the "installation_path/SSL/clientcert/certs" folder.

**** Step 5 --> Convert the private key to encrypted PKCS#8 DER encoding

./openssl pkcs8 -in ../clientcert/keys/client2-privateKey.key -topk8 -v1 PBE-SHA1-3DES -out ../clientcert/keys/client2-privateKey-DER.key -outform DER

openssl prompts for an encryption passphrase. Keep it: it is the value you encrypt with EncryptUtil for ClientPassPhrase in Step 6. The gateway expects this encrypted PKCS#8 DER form; a key left in another format produces the "Could not read private key" exception shown in Step 8.

**** Step 6 --> Go to "installation_path/proxy-engine/conf" and edit server.conf so that it carries your key file name and the encrypted passphrase, as follows:

ClientKeyFile="client2-privateKey-DER.key"   --> The path "installation_path/SSL/clientcert/keys" is hardcoded, so give only the file name, not the path.
ClientPassPhrase=       -->  Follow these steps to generate the encrypted value of the key encryption passphrase you entered in Step 5:

a) Open a command prompt.
b) Navigate to "installation_path/SSL/bin" and execute the following command:

EncryptUtil.bat <SPSCertificatePrivateKey_Password>

UNIX <SPSCertificatePrivateKey_Password>

c) Copy the generated encrypted string into "ClientPassPhrase". The clear-text passphrase never goes into server.conf.
**** Step 7 --> For reference, the generic form of a CSR request from an existing key (-key) is shown below. As written it points at the gateway's own server key in "installation_path/SSL/keys"; it is not needed for the client certificate if you already created client2-CSR.csr in Step 2.

./openssl req -config ./openssl.cnf -new -key ../keys/server.key -out ../keys/server.csr

**** Step 8 --> Restart SPS. The following lines in the log confirm that CA Access Gateway loaded the client certificate, the Root CA certificate and the key, and is now enabled for client-auth (two-way) SSL:

[INFO] - : Loading 1 root certificates. 
[DEBUG] - : Loaded Certificate: client2-Cert_x509.cer 
[DEBUG] - : Loaded Certificate: RootCA.cer 
[INFO] - : Successfully loaded keyfile. 
[ERROR] - :Successfully loaded keystore. 

If instead you get an exception like the one below while the key is being loaded, the key file is not in the format the gateway expects (encrypted PKCS#8 DER) or does not match the passphrase; recreate it following Step 5 and regenerate the ClientPassPhrase value in Step 6.

[INFO] - : Loading 1 root certificates. 
[DEBUG] - : Loaded Certificate: client2-Cert_x509.cer 
[DEBUG] - : Loaded Certificate: RootCA.cer 
[INFO] - : Successfully loaded keyfile. 
[ERROR] - : Failed to load keystore 
[DEBUG] - : com.rsa.ssl.SSLException: com.rsa.ssl.SSLException: Could not read private key. com.rsa.jsafe.JSAFE_UnimplementedException: Could not decode the data.(Not a valid RSA private SSLC key, missing header) 
at com.rsa.jsafe.JSAFE_SymmetricCipher.a(Unknown Source) 
at com.rsa.jsafe.JSAFE_SymmetricCipher.getInstance(Unknown Source)
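The whole procedure (Steps 1 through 5) as one script, added here as an example; it is not part of the CA article and not CA tooling. It assumes openssl is on the PATH, uses a throwaway self-signed CA in place of "your Root Authority" (Step 3), and uses placeholder paths and a placeholder passphrase (the WORK directory stands in for installation_path/SSL, PASS for the passphrase you later give to EncryptUtil). It goes beyond the article in one respect: before you restart SPS it checks that the key decrypts with the passphrase, belongs to the DER certificate, is really an encrypted PKCS#8 structure, and chains to the root, which are the conditions behind the "Could not read private key" failure in Step 8. The EncryptUtil step (Step 6) is gateway-specific and stays manual.

```shell
#!/bin/sh
# Added example (not from the CA article): builds the client-auth artefacts the
# article describes and checks them before they go into SPS. Assumptions: openssl
# is on PATH, a throwaway self-signed CA stands in for "your Root Authority", and
# WORK/PASS are lab placeholders for installation_path/SSL and the key passphrase.
set -eu

WORK="${WORK:-$(mktemp -d)}"            # stands in for installation_path/SSL
KEYS="$WORK/clientcert/keys"
CERTS="$WORK/clientcert/certs"
PASS="${CLIENT_KEY_PASS:-changeit}"     # passphrase you later feed to EncryptUtil

# Throwaway root CA; in production the CSR goes to your real root authority.
make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Test Root CA" -keyout "$WORK/ca.key" -out "$WORK/RootCA.pem" 2>/dev/null
}

# Step 1 + Step 2: private key, then a CSR that uses that key (-key, not -newkey).
make_client_key_and_csr() {
  mkdir -p "$KEYS" "$CERTS"
  openssl genrsa -out "$KEYS/client2-privateKey.key" 2048 2>/dev/null
  openssl req -new -key "$KEYS/client2-privateKey.key" -subj "/CN=sps-client" \
    -out "$WORK/client2-CSR.csr"
}

# Step 3: sign the CSR; the clientAuth EKU is what a backend checks on a client cert.
sign_client_cert() {
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  openssl x509 -req -in "$WORK/client2-CSR.csr" -days 365 -sha256 \
    -CA "$WORK/RootCA.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/client.ext" -out "$WORK/client2-Cert_x509.pem" 2>/dev/null
}

# Step 4: both certificates to DER, into clientcert/certs.
convert_certs_to_der() {
  openssl x509 -in "$WORK/client2-Cert_x509.pem" -outform DER -out "$CERTS/client2-Cert_x509.cer"
  openssl x509 -in "$WORK/RootCA.pem" -outform DER -out "$CERTS/RootCA.cer"
}

# Step 5: encrypted PKCS#8 DER, the form the gateway's key loader expects.
encrypt_key_pkcs8() {
  openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES -in "$KEYS/client2-privateKey.key" \
    -outform DER -passout "pass:$PASS" -out "$KEYS/client2-privateKey-DER.key"
}

# --- Pre-flight checks: catch the "Could not read private key" case before restarting SPS ---

# The leaf must chain to the root you are shipping alongside it.
verify_chain() {
  openssl verify -CAfile "$WORK/RootCA.pem" "$WORK/client2-Cert_x509.pem" >/dev/null
}

# The encrypted key must decrypt with $PASS and belong to the DER certificate.
verify_key_matches_cert() {
  k=$(openssl pkcs8 -inform DER -in "$KEYS/client2-privateKey-DER.key" \
        -passin "pass:$PASS" | openssl pkey -pubout)
  c=$(openssl x509 -inform DER -in "$CERTS/client2-Cert_x509.cer" -pubkey -noout)
  [ "$k" = "$c" ]
}

# The key file really is an EncryptedPrivateKeyInfo: reading it as plain PKCS#8 must fail.
verify_key_is_encrypted() {
  ! openssl pkcs8 -inform DER -nocrypt -in "$KEYS/client2-privateKey-DER.key" >/dev/null 2>&1
}

# The certificate carries the client-authentication EKU.
verify_client_auth_eku() {
  openssl x509 -inform DER -in "$CERTS/client2-Cert_x509.cer" -noout -text \
    | grep -q 'TLS Web Client Authentication'
}

build_all() {
  make_test_ca
  make_client_key_and_csr
  sign_client_cert
  convert_certs_to_der
  encrypt_key_pkcs8
}

main() {
  build_all
  verify_chain
  verify_key_matches_cert
  verify_key_is_encrypted
  verify_client_auth_eku
  echo "OK: artefacts under $WORK/clientcert; set ClientKeyFile=\"client2-privateKey-DER.key\""
  echo "    and ClientPassPhrase to the EncryptUtil output for the passphrase you used."
}

if [ "${1:-}" = "build" ]; then main; fi
```

Run it as `sh build-client-auth.sh build` (any name; the argument is what triggers the build). Copy the two .cer files and the -DER.key into the real installation_path/SSL/clientcert folders afterwards, then continue with Step 6. If the verify_key_matches_cert check fails, the usual cause is the one the article warns about: a CSR generated with -newkey, so the certificate was issued for a key other than the one you encrypted.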