Intermediate Certificate causes "peer not authenticated" on Integration Activities in IDM 4.7

Greetings -

With IDM UA 4.7.2 on SLES 12 SP3, I am trying to use a wildcard DigiCert (tomcat.ks), and cannot run any of the Integration Activity PRDs that I created.  All other functionality seems to work OK.  Log snippet at the end of the post.  I then created a certificate from the eDir CA and put it in place (no intermediate in the chain).  Now it works.  I then created a certificate from our Active Directory CA, which has an intermediate certificate in the chain, and I get the same error as with the DigiCert certificate.

I can reproduce this by switching the UA Application SSL certificate.  Has anybody else experienced this? Is this a bug?

Here is where I imported the certificates:

UA Server

/opt/netiq/idm/apps/tomcat/conf/tomcat.ks - pfx files (DigiCert, eDir, and AD) (private key and chain). Password for the store and the private key are the same.

/opt/netiq/common/jre/lib/security/cacerts - DigiCert Root and Intermediate, eDir Root, AD Root and Intermediate.

UA Driver eDir Server

/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts - DigiCert Root and Intermediate, eDir Root, AD Root and Intermediate.

After the certs were imported, UA and eDir were restarted.

Thanks,

*************************************************************************************

2019-07-09 13:09:15,387 DEBUG [com.novell.soa.af.impl.activity.IntegrationActivity] (RBPM pool-1-workflow engine-ND-thread-7) [RBPM] Input:
java.lang.ClassNotFoundException : com.sssw.b2b.ee.jms.rt.GNVJMSXObjectFactory
java.lang.ClassNotFoundException : com.sssw.b2b.ee.jms.rt.GNVJMSServiceXObjectFactory

These seem to be normal errors?

Errors encountered while loading factories:
Enabler status errors:
Enabler: 3270; Error: Current License Version is 60 but version 52 is required
Enabler: 3270logon; Error: Current License Version is 60 but version 52 is required
Enabler: 5250; Error: Current License Version is 60 but version 52 is required
Enabler: 5250logon; Error: Current License Version is 60 but version 52 is required
Enabler: CICSRPC; Error: Current License Version is 60 but version 52 is required
Enabler: EDI; Error: Current License Version is 60 but version 52 is required
Enabler: HTML; Error: Current License Version is 60 but version 52 is required
Enabler: JMS; Error: Cannot get build for: com.sssw.b2b.ee.jms.rt.GNVJMSXObjectFactory
Enabler: JMSService; Error: Cannot get build for: com.sssw.b2b.ee.jms.rt.GNVJMSServiceXObjectFactory
Enabler: PROCESS; Error: Current License Version is 60 but version 52 is required
Enabler: TELNET; Error: Current License Version is 60 but version 52 is required
Enabler: Telnetlogon; Error: Current License Version is 60 but version 52 is required

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
at com.sssw.b2b.ee.httpclient.HTTPConnection.sendRequest(HTTPConnection.java:2967)
at com.sssw.b2b.ee.httpclient.HTTPConnection.handleRequest(HTTPConnection.java:2812)
at com.sssw.b2b.ee.httpclient.HTTPConnection.setupRequest(HTTPConnection.java:2626)
at com.sssw.b2b.ee.httpclient.HTTPConnection.Post(HTTPConnection.java:1224)
at com.sssw.b2b.ee.httpclient.HTTPConnection.Post(HTTPConnection.java:1200)
at com.sssw.b2b.rt.util.GNVURLReadWrite.httpPutOrPost(GNVURLReadWrite.java:457)
at com.sssw.b2b.rt.util.GNVURLReadWrite.httpPost(GNVURLReadWrite.java:405)
at com.sssw.b2b.rt.util.GNVURLReadWrite.putOrPostURL(GNVURLReadWrite.java:761)
at com.sssw.b2b.rt.util.GNVURLReadWrite.postURL(GNVURLReadWrite.java:734)
at com.sssw.b2b.rt.action.GNVDocIOAction.evaluateXMLAction(GNVDocIOAction.java:539)
at com.sssw.b2b.rt.action.GNVDocIOAction.apply(GNVDocIOAction.java:448)
at com.sssw.b2b.rt.action.GNVActionList.apply(GNVActionList.java:209)
at com.sssw.b2b.rt.action.GNVTryAction.apply(GNVTryAction.java:324)
at com.sssw.b2b.rt.action.GNVActionList.apply(GNVActionList.java:209)
at com.sssw.b2b.rt.action.GNVActionModel.apply(GNVActionModel.java:177)
at com.sssw.b2b.rt.GNVActionComponent.execute(GNVActionComponent.java:439)
at com.sssw.b2b.rt.service.GNVServiceComponent.execute(GNVServiceComponent.java:186)
at com.novell.soa.af.impl.activity.IntegrationActivity.executeComponent(IntegrationActivity.java:668)
at com.novell.soa.af.impl.activity.IntegrationActivity.execute(IntegrationActivity.java:482)
at com.novell.soa.af.impl.activity.IntegrationActivity.process(IntegrationActivity.java:311)
at com.novell.soa.af.impl.activity.ActivityNode.notifyArrive(ActivityNode.java:231)
at com.novell.soa.af.impl.activity.IntegrationActivity.notifyArrive(IntegrationActivity.java:277)
at com.novell.soa.af.impl.core.ProcessImpl.startActivity(ProcessImpl.java:1740)
at com.novell.soa.af.impl.core.ProcessImpl.forward(ProcessImpl.java:1637)
at com.novell.soa.af.impl.activity.ActivityNode.forward(ActivityNode.java:290)
at com.novell.soa.af.impl.activity.ActivityNode.forward(ActivityNode.java:265)
at com.novell.soa.af.impl.activity.StartActivity.process(StartActivity.java:94)
at com.novell.soa.af.impl.activity.ActivityNode.notifyArrive(ActivityNode.java:231)
at com.novell.soa.af.impl.activity.RunnableActivity.run(RunnableActivity.java:50)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Tue Jul 09 13:09:16 CDT 2019 USER LOG FROM GEN_V1_GLWF_UserApplication_Assign Role_Activity
------ com.sssw.b2b.rt.GNVException: rt001801:Document I/O error: peer not authenticated;
---> nested javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

  • Hi.

    Seems you are missing some JAR files for JMS, but I am not sure that is related. Should be fixed though. I have not seen it before.

    As for the certificate issues, does the DigiCert have a matching DNS-name in SAN (Subject Alternate Names)? Do you use the same DNS names in your workflow? Is the certificate valid (check dates)?

    Also you might want to activate more logging for Tomcat (setenv.bat/setenv.sh):

    -Djavax.net.debug=sslverbose:keymanager:trustmanager -Djava.security.debug=access:stack

    This would give more info in catalina.out.

    Best regards

    Marcus

  • Thanks for the response.  I have 3 environments set up with IDM 4.7.2 and all have the same errors:

    java.lang.ClassNotFoundException : com.sssw.b2b.ee.jms.rt.GNVJMSXObjectFactory
    java.lang.ClassNotFoundException : com.sssw.b2b.ee.jms.rt.GNVJMSServiceXObjectFactory

    I have not opened an SR for that, but you are right, probably a missing jar, or part of one at least.

    For the certificates:  All 3 are valid.  The DigiCert one does not have the UA Application name in the SAN.  For the eDir and AD ones, the CN and the SAN have the UA Application name.  I did not really consider that, since all the other functions seem to work, but good point; I can cut another DigiCert cert and try it.

    I can add the additional logging, but it will be Monday, as I am taking a long weekend to refresh, starting this afternoon.  I can then add the additional information.

    When you say you have not seen this before, were you talking about the missing jar/part of jar file OR the certificate issue?

    Have you seen an environment with a UA Application certificate that has an intermediate, running an integration activity?  The integration activity is pretty simple, like createRole or createResource (I know that these are in DirXML-Script now, but it lacks creating them in eDir containers).

    Thanks,

  • My recollection is that an intermediate cert ought not be a problem for an integration activity.

    A secondary, related, but not your specific issue is that createRole in 4.7.2 and 4.7.3 has a bug. If your SOAP call has a <ser:quorum/> node, it will fail (which IS legal, per the WSDL), so you have to remove it.

    I have yet to try and fix this in an existing PRD, but I think you might have to edit the WSDL to remove it, then create a new Integration Activity, copy in all the info from the current one and move it in, and remove the old one.

  • Hi.

    I had not seen the issue you have with the missing JAR files. As for the certificate issues, this has become quite frequent since the newer versions of the JRE have higher security requirements for things like DNS names and SAN in certificates.

    I would also recommend to go through this thread:

    https://community.microfocus.com/t5/Identity-Manager-User/Unable-to-log-onto-UserApp-after-updating-to-4-7-2/m-p/2334057

    It is not the same issue, but there are some good tips in there (check /.well-known/openid-configuration) to verify, and also options to set in setenv.sh/setenv.bat to work around similar certificate issues. Might get you somewhere.

    Also, I found an old thread that had a very similar problem to the one you describe, but that was an old bug in 4.5.4, so I don't think it applies to you:

    https://community.microfocus.com/t5/Identity-Manager-User/Integration-Activity-and-Subject-Alternate-Name-certs/m-p/2352532

  • Hello,

    I was able to add the options to setenv.sh this morning.

    -Djavax.net.debug=sslverbose:keymanager:trustmanager
    -Djava.security.debug=access:stack

    With a certificate that has an intermediate cert it still fails.  Below is the error; not much more info on the failure, except that it does not trust it.  I would add/attach the trace, but I am not sure how I could cleanse it, so I do not want to attach it.  Can I get clarification on what all the cert stores are for?

    On the user application server there are 3 certificate stores, and one on the eDir server.  Can someone tell me what each store is for and what is supposed to be in each one?  Below is my understanding.

    /opt/netiq/idm/apps/tomcat/conf/tomcat.ks - For the User Application private key.  Should have an alias of 'tomcat' if there is more than one in the store.

    /opt/netiq/idm/apps/tomcat/conf/idm.jks - Stores the Identity Vault Certificate - Not sure why the GeoTrust certs are located there?

    /opt/netiq/common/jre/lib/security/cacerts - Contains all of the default trusted root certificates - Added trusted Roots and Intermediate Certificates here.

    Then on the eDir server there is:

    /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts - Contains all of the default trusted root certificates - Added trusted Roots and Intermediate Certificates here.

    Here is a snippet; probably does not help much.

     %% Invalidated: [Session-22, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
    RBPM pool-1-workflow engine-ND-thread-7, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
    RBPM pool-1-workflow engine-ND-thread-7, WRITE: TLSv1.2 Alert, length = 2
    RBPM pool-1-workflow engine-ND-thread-7, called closeSocket()
    RBPM pool-1-workflow engine-ND-thread-7, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    RBPM pool-1-workflow engine-ND-thread-7, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
    at com.sssw.b2b.ee.httpclient.HTTPConnection.sendRequest(HTTPConnection.java:2967)

    Thanks - 

  • I was amused since I ran into exactly this same error this week.

    I have logs that show it fails with an SSL peer not validated.  So I thought that means the JRE does not trust the cert in use.  As of JVM 1.8 build 181 and higher, Java in its wisdom decided that it is a security violation and a default failure if the URL you connect with is not the same as the host name specified in the certificate.  At one point it required that the cert's CN= be the hostname, and then it got loosened a bit to be one of the Subject Alternate Names (SAN).  One side effect is to remember to always add the actual IP address as a SAN.

    So I looked at the keystores in play.

    /opt/netiq/idm/apps/tomcat/conf/tomcat.ks

                    Private key of tomcat, eDir Tree pub key, OSP Pub key (Good)

    /opt/netiq/idm/apps/osp/osp.jks

                    Private key of OSP, eDir tree key, and Tomcat pub key (Good)

    /opt/netiq/idm/common/jre/lib/security/cacerts

                    Tomcat, OSP, eDir pub keys (good)

    So who is missing the key?  I looked in the /opt/netiq/idm/apps/tomcat/conf directory and there is a new keystore, idm.jks, and it has the eDir pub key.  No Tomcat pub key.  I imported that and tried the workflow again, and it looks like it worked.

    I noticed that ism-configuration.properties references this keystore:

    DirectoryService/realms/jndi/params/KEYSTORE_PATH = /opt/netiq/idm/apps/tomcat/conf/idm.jks

    No password, so I am guessing just for public keys.

    Here is the list of attrs in my file that have the same beginning.

    DirectoryService/realms/jndi/params/UUID_AUX_CLASS = srvprvEntityAux
    DirectoryService/realms/jndi/params/UUID_ATTRIB = srvprvUUID
    DirectoryService/realms/jndi/params/OBJECT_ATTRIB = objectClass
    DirectoryService/realms/jndi/params/USER_ROOT_CONTAINER = o=acme
    DirectoryService/realms/jndi/params/MANDATORY_SECURE_USER_CONNECTION = true
    DirectoryService/realms/jndi/params/GROUP_OBJECT = groupOfNames
    DirectoryService/realms/jndi/params/USE_PUB_ANON = true
    DirectoryService/realms/jndi/params/PLAIN_PORT = 389
    DirectoryService/realms/jndi/params/GROUP_SEARCH_SCOPE = subtree
    DirectoryService/realms/jndi/params/GROUP_USER_MEMBER_ATTRIB = member
    DirectoryService/realms/jndi/params/ROOT_NAME = o=acme
    DirectoryService/realms/jndi/params/USE_DYNAMIC_GROUPS = false
    DirectoryService/realms/jndi/params/USER_OBJECT = inetOrgPerson
    DirectoryService/realms/jndi/params/SECURE_PORT = 636
    DirectoryService/realms/jndi/params/KEYSTORE_PATH = /opt/netiq/idm/apps/tomcat/conf/idm.jks
    DirectoryService/realms/jndi/params/NAMING_ATTRIBUTE = cn
    DirectoryService/realms/jndi/params/LOGIN_ATTRIBUTE = cn
    DirectoryService/realms/jndi/params/PROVISION_ROOT = cn=UserApplication,cn=DriverSet01,ou=idm,ou=system,o=acme
    DirectoryService/realms/jndi/params/GROUP_ROOT_CONTAINER = o=acme
    DirectoryService/realms/jndi/params/CONTAINER_OBJECT = c=countryou=organizationalUnito=organizationdc=domaint=treeRoot
    DirectoryService/realms/jndi/params/AUTHORITY = edirServer.corp.acme.net
    DirectoryService/realms/jndi/params/USER_SEARCH_SCOPE = subtree
    DirectoryService/realms/jndi/params/DYNAMIC_GROUP_OBJECT = dynamicGroup
    DirectoryService/realms/jndi/params/USER_GROUP_MEMBER_ATTRIB = groupMembership
    DirectoryService/realms/jndi/params/MANDATORY_SECURE_ADMIN_CONNECTION = true
    DirectoryService/realms/jndi/params/DRIVER_SET_ROOT = cn=DriverSet01,ou=idm,ou=system,o=acme

    These look copied from ones I specifically set.  Not sure how/when that happened.

  • Verified Answer

    Hello,

    I was able to get it to finally work by adding the intermediate certificate to the idm.jks store.  Looking in the trace, it loads all of those certificates when Tomcat starts.  By default the intermediate certificate is in the cacerts, as I have a publicly trusted cert.  I am not a fan of putting every certificate in every store, as for me it just causes confusion down the road.  Here is what I have in each store, in a working system.

    /opt/netiq/idm/apps/tomcat/conf/tomcat.ks - Tomcat Private Key with an alias of tomcat (I added this)

    /opt/netiq/idm/apps/tomcat/conf/idm.jks - eDir Root cert (added during install) and I added the intermediate certificate here.

    /opt/netiq/common/jre/lib/security/cacerts - Did not change anything, as I am using a publicly trusted certificate; if not, I would need to add the root here.

    /opt/netiq/idm/apps/osp/osp.jks - Private Key for osp (created during install)

    Thanks,
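
The failure in the original post's trace ("PKIX path building failed ... unable to find valid certification path to requested target", which the Integration Activity then surfaces as "peer not authenticated") and the fix in the verified answer (importing the intermediate into idm.jks) can be reproduced outside IDM. The script below is an added example, not code from this thread or from NetIQ: it builds a throw-away root/intermediate/leaf PKI with openssl, shows that a truststore holding only the root cannot build a path to the leaf unless the intermediate is supplied (by the peer or by the truststore), counts the certificates a .pfx actually carries before it is loaded into tomcat.ks, prints the leaf's DNS SANs for comparison with the URL the activity calls, and, only if keytool is on the PATH, performs the import the verified answer describes. The CA names, the host name ua.example.net, the password changeit and the file names are all assumptions; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from NetIQ/IDM. Reproduces the
# "PKIX path building failed" condition with a throw-away PKI and mirrors the
# verified answer's fix. Assumes openssl 1.1.1+ on PATH; keytool steps run only
# when a JDK is present. CA names, host name, password and file names are made up.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Root CA -> issuing (intermediate) CA -> server (leaf) cert for the UA host.
# Extensions come from small extfiles so the result does not depend on openssl.cnf.
make_pki() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
        -extfile ca.ext -out root.pem 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null

    # The leaf carries the UA host name as a SAN; newer JREs check the URL host against it.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=ua.example.net" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ua.example.net\nextendedKeyUsage=serverAuth\n' >leaf.ext
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# Truststore as the OP first had idm.jks: the root is trusted but nothing supplies
# the intermediate. openssl reports "unable to get local issuer certificate"; the
# JSSE equivalent is SunCertPathBuilderException, then "peer not authenticated".
verify_with_anchor_only() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Same anchor, intermediate sent by the peer (what Tomcat does when tomcat.ks holds the chain).
verify_with_peer_chain() {
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Same anchor, intermediate imported into the truststore (the verified answer's fix).
verify_with_truststore_bundle() {
    cat root.pem inter.pem >trust.pem
    openssl verify -CAfile trust.pem leaf.pem >/dev/null 2>&1
}

# The OP loaded .pfx bundles into tomcat.ks. Count the certificates a PKCS#12 really
# carries: 1 means leaf only, so Tomcat would send an incomplete chain to every client.
build_pfx() {
    openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile inter.pem \
        -name tomcat -passout pass:changeit -out tomcat.p12
}
count_certs_in_pfx() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# DNS SANs of a certificate, to compare with the host name in the activity's URL.
leaf_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | tr '\n' ' ' | sed 's/ $//'
}

# Mirror of the verified answer: import root and intermediate into the truststore
# the JNDI realm references (idm.jks in ism-configuration.properties). Skipped without a JDK.
import_into_truststore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, skipping import"; return 0; }
    for f in root inter; do
        keytool -importcert -noprompt -alias "example-$f" -file "$f.pem" \
            -keystore idm.jks -storepass changeit >/dev/null 2>&1
    done
    echo "trusted entries in idm.jks: $(keytool -list -keystore idm.jks -storepass changeit | grep -c trustedCertEntry)"
}

make_pki
build_pfx
if verify_with_anchor_only; then echo "unexpected: leaf verified against the root alone"; exit 1; fi
echo "root alone: path building fails (expected)"
verify_with_peer_chain && echo "root + intermediate from peer: OK"
verify_with_truststore_bundle && echo "root + intermediate in truststore: OK"
echo "certificates in tomcat.p12: $(count_certs_in_pfx tomcat.p12)"
echo "leaf SAN: $(leaf_sans leaf.pem)"
import_into_truststore
echo "work dir: $WORK"
```

Run it as-is; it writes only into a temporary directory. The two checks worth repeating against a real deployment are count_certs_in_pfx on the .pfx before it goes into tomcat.ks (a result of 1 explains why every client, the Integration Activity included, then needs the intermediate in its own truststore) and leaf_sans against the host name used in the activity's URL. If an older JRE refuses a PKCS#12 written by OpenSSL 3, re-export it with openssl's -legacy option.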