NetIQ Identity Application 4.7 SP2 -- SSL Wildcard Cert

Hello

Identity Application 4.7 SP2 running on RHEL 7.2.

After we added a wildcard SSL certificate to the Tomcat keystore, we are having issues with the OAuth server upon user login in the Identity Application.

When the user types in username and password and presses login, the browser downloads an "oath" file on the user's PC, and pressing F5 or refresh again in the browser logs the user in successfully to the Identity Application.

Looking at the trace in catalina.out, we see the following:


19-03-15T09:06:40Z, ERROR, oauth.OAuthConsumerServlet, 5071 ERROR_OAUTH_ERROR (unexpected error communicating with oauth server: password.pwm.error.PwmUnrecoverableException: 5071 ERROR_OAUTH_ERROR (error during oauth code resolver http request to oauth server, remote error: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: java.security.cert.CertificateException: server certificate {subject=CN=*.mycompany.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated} does not match a certificate in the configuration trust store.)))


How to resolve this issue?

Regards,
Maqsood.
  • On 3/16/19 4:06 PM, maqsood wrote:
    >
    > Hello
    >
    > Identity Application 4.7 SP2 running on RHEL 7.2.
    >
    > After we added a wildcard SSL certificate to the Tomcat keystore, we are
    > having issues with the OAuth server upon user login in the Identity
    > Application.
    >
    > When the user types in username and password and presses login, the browser
    > downloads an "oath" file on the user's PC, and pressing F5 or refresh
    > again in the browser logs the user in successfully to the Identity
    > Application.
    >
    > Looking at the trace in catalina.out, we see the following:
    >
    >
    > 19-03-15T09:06:40Z, ERROR, oauth.OAuthConsumerServlet, 5071
    > ERROR_OAUTH_ERROR (unexpected error communicating with oauth server:
    > password.pwm.error.PwmUnrecoverableException: 5071 ERROR_OAUTH_ERROR
    > (error during oauth code resolver http request to oauth server, remote
    > error: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request:
    > java.security.cert.CertificateException: server certificate
    > {subject=CN=*.mycompany.com, OU=PositiveSSL Wildcard, OU=Domain Control
    > Validated} does not match a certificate in the configuration trust
    > store.)))
    >
    >
    > How to resolve this issue?
    >
    > Regards,
    > Maqsood.
    >
    >

    Greetings,
    The error outlined is coming from SSPR and not the Identity
    Applications. Did you import the certificate in SSPR via the
    Administration?

    --
    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    Micro Focus
  • Hello Steven

    We chose not to install SSPR with the Identity Application, since we already have "NetIQ Self Service Password Reset" installed as a stand-alone webapp on separate servers. How to fix this issue then?
  • maqsood <maqsood@no-mx.forums.microfocus.com> wrote:
    >

    Hello Steven

    We chose not to install SSPR with the Identity Application, since we already
    have "NetIQ Self Service Password Reset" installed as a stand-alone webapp
    on separate servers. How to fix this issue then?


    --
    maqsood
    ------------------------------------------------------------------------
    maqsood's Profile: https://forums.novell.com/member.php?userid=12070
    View this thread: https://forums.novell.com/showthread.php?t=511639

    >


    Hi.

    It still seems to be behind the same OSP as the Identity Applications (even if
    installed separately on another server), so you must import the
    certificate into SSPR. If I recall correctly this is in the config page for
    SSO in the SSPR GUI.

    --
    Best regards
    Marcus
  • Hello

    Just wanted to update here, in case other people have the same issue:

    The wildcard SSL cert (.pfx) needs to be imported into the SSPR keystore. I have not found where that keystore is, but in the SSPR Configuration Editor, search for "Server Certificate",
    and then a menu appears to import Server Certificates. This menu is otherwise not visible; possibly a bug!


    For stand-alone SSPR, NetIQ has an article:

    https://support.microfocus.com/kb/doc.php?id=7018545

    2. The HTTPS (aka Tomcat or browser) cert. This is the certificate for the browser. It encrypts traffic between the SSPR webserver and the user's browser. With the SSPR 4 appliance install, ssl'ized traffic uses port 443. With the Windows msi or .war file installations secure traffic goes over port 8443 as it did with SSPR 3.x. If using the Appliance or Windows MSI install, this cert is administered in SSPR Configuration Editor -> Settings ->HTTPS Server -> Certificate. (This setting is not available with the .zip / .war install.) Import a PKCS12 / PFX or java key store certificate from a commercially signed certificate. TID 7018852 explains how to create a signed SSL certificate using Open SSL. See "Note 3" in the "additional information" section below for more detail.


    But in the Identity Application SSPR, this menu ("SSPR Configuration Editor -> Settings -> HTTPS Server -> Certificate") is hidden and only appears if you search for it :-)

    Regards,

    Maqsood.

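The catalina.out error above is a trust-store mismatch, not a hostname mismatch: the wildcard cert's name matches the OSP host, but SSPR only accepts server certificates that are explicitly present in its configured trust store, which is why importing the cert fixes it. The following is an added example modelling those two checks; it is not SSPR or OSP code, and the page does not show SSPR's real implementation or configuration format. It assumes the trust store is an allow-list keyed by SHA-256 fingerprint, that the subject CN and SAN names have already been parsed, and uses constructed byte strings in place of real DER certificates; `OSP_HOST` is an assumed hostname.

```python
"""Model of the two checks behind the catalina.out error in this thread.

Added example, not SSPR/OSP code: the page does not show SSPR's real trust
store implementation or configuration format. The model assumes (a) the
trust store is an explicit allow-list of server certificates keyed by
SHA-256 fingerprint, as the wording "does not match a certificate in the
configuration trust store" suggests, and (b) subject CN / SAN names have
already been parsed out of the certificate. The DER byte strings below are
constructed placeholders, not real certificates.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class PresentedCert:
    der: bytes                      # raw bytes as sent in the TLS handshake
    subject_cn: str                 # subject CN (assumed pre-parsed)
    san_dns: list = field(default_factory=list)  # dNSName SAN entries


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, the usual trust-store key (hex, upper-case)."""
    return hashlib.sha256(der).hexdigest().upper()


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 wildcard rules: '*' only as the entire
    left-most label, matching exactly one label, and never for a
    top-level domain ('*.com' is refused)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify(cert: PresentedCert, hostname: str, trust_store: set) -> tuple:
    """Return (ok, reason). Name check first, then trust-store membership:
    a public CA wildcard cert passes the name check yet still fails here
    until its fingerprint is imported."""
    names = cert.san_dns or [cert.subject_cn]   # SAN wins over CN when present
    if not any(dns_name_matches(n, hostname) for n in names):
        return False, f"hostname {hostname} does not match {names}"
    if fingerprint(cert.der) not in trust_store:
        return False, (f"server certificate {{subject=CN={cert.subject_cn}}} "
                       "does not match a certificate in the configuration trust store")
    return True, "ok"


def import_certificate(trust_store: set, cert: PresentedCert) -> set:
    """The 'import server certificate' step, returned as a new allow-list."""
    return trust_store | {fingerprint(cert.der)}


# Constructed sample data (placeholders, not real DER).
OLD_CERT = PresentedCert(b"constructed: old self-signed osp cert",
                         "osp.mycompany.com")
WILDCARD_CERT = PresentedCert(b"constructed: PositiveSSL wildcard cert",
                              "*.mycompany.com",
                              ["*.mycompany.com", "mycompany.com"])
OSP_HOST = "osp.mycompany.com"   # assumed OAuth/OSP hostname


def reproduce() -> list:
    """Before and after the import, as a list of (ok, reason) results."""
    store = {fingerprint(OLD_CERT.der)}   # trust store still holds only the old cert
    before = verify(WILDCARD_CERT, OSP_HOST, store)
    store = import_certificate(store, WILDCARD_CERT)
    after = verify(WILDCARD_CERT, OSP_HOST, store)
    return [before, after]


if __name__ == "__main__":
    for ok, reason in reproduce():
        print("OK " if ok else "ERR", reason)
```

Running it prints the trust-store failure first and `ok` after the import, mirroring the thread: swapping the Tomcat keystore changes what OSP presents, but the consumer side (SSPR's configured trust store) has to be updated separately. The name-matching rules also show why a wildcard for `*.mycompany.com` covers `osp.mycompany.com` but not `mycompany.com` itself or a deeper `a.b.mycompany.com`.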
  • maqsood wrote:

    > Search for "Server Certificate",
    > and then a menu appears to import Server Certificates. This menu is
    > otherwise not visible; possibly a bug!


    It may be one of the "advanced" options that are hidden by default. You can
    unhide them all somewhere in the menu, IIRC.

    --
    http://www.is4it.de/en/solution/identity-access-management/
