Knowledge Doc: Untrusted Certificate-chain between ESP and IDP


Summary
After the Administration Console (AC) was moved to a different device and the Identity Server (IDP) and Access Gateway (AG) were installed behind a load balancer (L/B) with an SSL accelerator, the IDP and AG encountered an SSL handshake failure.

Products
Access Manager (NAM)

Environment
Access Manager 4.5.1
Red Hat Enterprise Linux 7.7

Situation
A customer restored the primary AC to another machine with the same hostname and IP address, and installed an IDP and an AG on different devices behind an L/B with an SSL accelerator.
The IDP and AG used self-signed certificates.

When the ESP tried to connect to the IDP, the IDP could not authenticate and reported error 100101044. The ESP logged a similar message in its 'catalina.out' file:

<amLogEntry> 2022-12-21T08:29:32Z DEBUG NIDS Application: 
Method: URLUtil.connectToURL
Thread: ajp-nio-127.0.0.1-9009-exec-4
Error connecting to URL Untrusted Certificate-chain </amLogEntry>

<amLogEntry> 2022-12-21T08:29:32Z WARNING NIDS Application: SSL Exception encountered: Untrusted Certificate-chain.  The connection attempt was made using protocol version:TLS </amLogEntry>

A tcpdump capture showed the following TLS alert sent by the peer:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)
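The two log entries and the TLS alert above are enough to classify this failure as a trust-store problem rather than a protocol or cipher mismatch. The following is an added triage example, not Access Manager code: it parses <amLogEntry> records of the shape quoted above, flags those carrying "Untrusted Certificate-chain", decodes the tcpdump alert description into its RFC 5246 alert code, and combines both into a verdict. The sample catalina.out text is constructed from the article's two entries plus one unrelated filler entry; the multi-line record layout is an assumption drawn from those quotes.

```python
"""Triage NAM log output for TLS trust failures between ESP and IDP.

Added example for this knowledge doc; not Access Manager code. The sample
text below is constructed from the two <amLogEntry> records quoted in the
article plus one filler entry; the record layout '<amLogEntry> <timestamp>
<LEVEL> <component>: <message> </amLogEntry>' (possibly spanning several
lines) is an assumption based on those quotes.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_CATALINA_OUT = """\
<amLogEntry> 2022-12-21T08:29:32Z DEBUG NIDS Application:
Method: URLUtil.connectToURL
Thread: ajp-nio-127.0.0.1-9009-exec-4
Error connecting to URL Untrusted Certificate-chain </amLogEntry>

<amLogEntry> 2022-12-21T08:29:32Z WARNING NIDS Application: SSL Exception encountered: Untrusted Certificate-chain.  The connection attempt was made using protocol version:TLS </amLogEntry>

<amLogEntry> 2022-12-21T08:29:40Z INFO NIDS Application: constructed filler entry, unrelated to TLS </amLogEntry>
"""

# The alert line quoted in the article (Wireshark-style rendering of the capture).
SAMPLE_TCPDUMP_LINE = "TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)"

ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<component>[^:]+):"
    r"\s*(?P<body>.*?)\s*</amLogEntry>",
    re.DOTALL,
)
ALERT_RE = re.compile(r"Alert \(Level: (?P<level>\w+), Description: (?P<desc>[^)]+)\)")

# Phrase NAM writes when the peer's chain does not end in a trusted root.
TRUST_FAILURE_MARKER = "Untrusted Certificate-chain"

# Certificate-related TLS alert descriptions (RFC 5246, section 7.2), keyed by
# Wireshark's display names; any of these means the peer rejected the chain it saw.
CERT_ALERT_CODES = {
    "Bad Certificate": 42,
    "Unsupported Certificate": 43,
    "Certificate Revoked": 44,
    "Certificate Expired": 45,
    "Certificate Unknown": 46,
    "Unknown CA": 48,
}


@dataclass
class LogEntry:
    timestamp: str
    level: str
    component: str
    body: str
    method: Optional[str] = None  # value of a "Method: ..." line in the body, if any

    def is_trust_failure(self) -> bool:
        return TRUST_FAILURE_MARKER in self.body


def parse_entries(text: str) -> list:
    """Split catalina.out text into one LogEntry per <amLogEntry> record."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        body = m.group("body")
        method = re.search(r"^Method:\s*(\S+)", body, re.M)
        entries.append(LogEntry(m.group("ts"), m.group("level"),
                                m.group("component").strip(), body,
                                method.group(1) if method else None))
    return entries


def find_trust_failures(text: str) -> list:
    """Return only the entries that report an untrusted certificate chain."""
    return [e for e in parse_entries(text) if e.is_trust_failure()]


def parse_tls_alert(line: str):
    """Return (level, description, alert code) for an alert line, else None.

    The code is None for alert descriptions outside the certificate set above.
    """
    m = ALERT_RE.search(line)
    if not m:
        return None
    desc = m.group("desc").strip()
    return m.group("level"), desc, CERT_ALERT_CODES.get(desc)


def correlate(text: str, alert_line: str) -> dict:
    """Combine log and capture evidence into a single triage verdict.

    'Untrusted Certificate-chain' in the log plus a certificate-class alert on
    the wire points at a trust store that lacks the peer's root, which is what
    reimporting the trusted roots fixes.
    """
    failures = find_trust_failures(text)
    alert = parse_tls_alert(alert_line)
    wire_cert_alert = alert is not None and alert[2] is not None
    return {
        "log_trust_failures": len(failures),
        "first_failure_at": failures[0].timestamp if failures else None,
        "failing_method": next((f.method for f in failures if f.method), None),
        "wire_cert_alert": wire_cert_alert,
        "likely_cause": ("trust store missing peer's root"
                         if failures and wire_cert_alert else "inconclusive"),
    }


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_CATALINA_OUT, SAMPLE_TCPDUMP_LINE).items():
        print(f"{key}: {value}")
```

Run it against a real catalina.out by reading the file into `correlate()` in place of the constructed sample; a verdict of "inconclusive" with log failures but no certificate-class alert usually means the capture was taken on the wrong interface or on the SSL accelerator side of the load balancer rather than between the ESP and the IDP.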

Resolution
Reimport the trusted roots for the IDP and AG, so that each side's trust store contains the root of the certificate chain its peer presents.


URL Name
KM000016147
Labels:

Support Tips/Knowledge Docs