NAM 5.0.4.0.44: Unable to load metadata for Embedded Service Provider: https://netiq-iam.acme-test.com:8443/nidp/idff/metadata, error: No subject alternative DNS netiq-iam.acme-test.com found.

Setup

NAM 5.0.4.0.44

SLES 15.4

single box (demo environment)

Dear community,

I tried to setup the following in a demo/test environment.

IDP (Identity Server) protected by gateway / proxy

  • Seems to work per se, I can login to the IDP portal via published DNS/URL with a user in the configured repository.

App (IDM IDApps) protected by gateway / proxy

  • Fails with the following error:
  • <amLogEntry> 2023-10-16T16:08:33Z SEVERE NIDS IDFF: AM#100106001: AMDEVICEID#esp-532EDD8C1C52FEAF: AMAUTHID#803e9573e589a59df8f71f14a4ddd2a4842828c71ef9195ad3374863a402ed02: Unable to load metadata for Embedded Service Provider: https:// netiq-iam.acme-test.com:8443/nidp/idff/metadata, error: No subject alternative DNS name matching netiq-iam.acme-test.com found. </amLogEntry>


This is a demonstration setup, so all is configured on one host. I tried to follow...

IDP Proxy

https://www.microfocus.com/documentation/access-manager/5.0/admin/b1in6ehe.html

IDM IDApps Proxy (/idmdash etc.)

https://www.netiq.com/documentation/identity-manager-48/identity_apps_admin/data/reverse-proxy-based-single-sign-on.html


For debugging purposes, I followed:

https://www.netiq.com/documentation/access-manager-45/admin/data/bbtszv7.html

  • DNS and networking are “looking fine”, metadata files/URLs for IDP and ESP are accessible from the host;
  • Certificates are “looking fine” (although the error indicates that they are not), IDP trust store holds trusted chain of ESP and ESP trust store holds chain of IDP. The used certificate has a SAN DNS entry of the published domain/URL value of netiq-iam.acme-test.com.

The error strongly indicates an SSL/TLS communication issue between ESP and IDP. But I am out of ideas where to get more information about what the problem exactly is or how to solve it.

Suggestions/Ideas anyone?

Many thanks and best regards,
Philipp
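A small check that reproduces what the ESP's hostname verifier is doing, added here as an example and not code from the thread or from the NAM product: it lists the dNSName SAN entries of a certificate and tells you whether the published hostname is actually covered, using the RFC 6125 rules Java follows (CN is ignored, a wildcard covers one label only). The sample certificate dict, the `fetch_peer_cert` helper and its `cafile` parameter are assumptions of this example.

```python
"""Check whether a certificate's SAN dNSName entries cover a hostname.

Same rule the Java hostname verifier applies: the Common Name is
ignored, only dNSName SAN entries count, and a wildcard replaces
exactly one left-most label.
"""
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# Constructed sample in ssl.SSLSocket.getpeercert() format: the CN is
# right, but no SAN entry covers the published name (the failing case).
SAMPLE_CERT = {
    "subject": ((("commonName", "netiq-iam.acme-test.com"),),),
    "subjectAltName": (("DNS", "idp.acme-test.internal"),
                       ("DNS", "*.acme-test.internal")),
}


def san_dns_names(cert: Dict) -> List[str]:
    """Return the dNSName SAN entries of a getpeercert()-style dict."""
    return [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' only in the left-most label, one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def explain_mismatch(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, message) explaining why hostname is or is not covered."""
    names = san_dns_names(cert)
    if not names:
        return False, "certificate has no dNSName SAN entries (CN alone is not enough)"
    if any(dns_name_matches(n, hostname) for n in names):
        return True, f"{hostname} is covered by SAN {names}"
    return False, f"No subject alternative DNS name matching {hostname}; SAN has {names}"


def fetch_peer_cert(host: str, port: int, cafile: Optional[str] = None) -> Dict:
    """Fetch the certificate actually served on host:port. The chain is still
    validated (against cafile if given) so getpeercert() returns the parsed
    dict; only the hostname check is switched off so a mismatch can be shown."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Running `explain_mismatch(fetch_peer_cert(host, port), host)` against the host and port from the log line shows the certificate that is really being served on that listener, which is what the ESP validates, rather than the one configured elsewhere.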


    Hi Philipp!

    Something here does not add up and I think we need more information to help you out.

    single box (demo environment)

    What do you mean by that?

    Single box as (1) Access Manager Appliance or (2) Access Manager Admin console and IDP installed as service on single server?

    If this is #1 (Appliance) I wonder how you got port 8443 in metadata URL, since with appliance IDP is automatically hidden behind Access Gateway (NAM-Service proxy service) which most of the time runs on port 443.

    If this is #2 (AC and IDP installed as service on a single server), is the Access Gateway you mention in the proxy configuration installed on a separate server?

    Also this error is quite strange:

    Unable to load metadata for Embedded Service Provider: https:// netiq-iam.acme-test.com:8443/nidp/idff/metadata

    It talks about loading metadata for Embedded Service Provider, whose URL is not .../nidp/... but .../nesp/...

    /nidp/ path is used for IDP metadata, not ESP metadata.

    Kind regards,

    Sebastijan




    I just read the additional logging you've provided and the error does make sense. ESP is trying to load IDP metadata.

    If this is an appliance, have you maybe set the IDP base URL to use port 8443? It should be 443, and then you should make sure Access Gateway's NAM-Service actually listens on port 443.

    Kind regards,

    Sebastijan
