CAC with reverse proxy fails. Internal error occurred.

Hi!

I am struggling with CAC and reverse proxy in our environment with ucmdb 10.30.

I have managed to get CAC to work (with and without LDAP) on uCMDB, using the JMX reference guide page 130 (ucmdb 10.30), where you set ucmdb-ui (and root) to HTTPSWithClientAuth (port 8444) and so on....

But when you use a reverse proxy you are told to set ucmdb-ui (and root) to port 8080 (HTTP)... and some more jmx-settings. We are using an Apache installation on the same server as the ucmdb application is installed. And of course you need to configure Apache, for instance with this:

ProxyPass /ucmdb-ui http://[UCMDB_SERVER_NAME]:8080/ucmdb-ui
ProxyPassReverse /ucmdb-ui http://[UCMDB_SERVER_NAME]:8080/ucmdb-ui

I think I have followed the guide. When I try to access the application I am prompted to type in the PIN code for my card. I can see in security.log that it extracts my username from SAN:

Manage to extract from SAN the following identities: [u123456@ad.domain.com] and this user exists in ucmdb (local user, no LDAP this time). But everything ends up with "Internal Error Occured" in Internet Explorer.

Can lwsso be a problem? I saw some posts in security.lwsso.log yesterday, like:

- AuthNRequestURL is [null]. Can not redirect it.

- Validation is failed. Reason:Handler [com.hp.sw.bto.ast.security.lwsso.ws.handlers.LWSSOUIReceiverHandler]. LWSSO cookie or query parameter does not exist in the request, therefore skipping the validation.;

- The token validation failed for security resource

Any ideas?

Wbr / Fredrik

2 Replies

Re: CAC with reverse proxy fails. Internal error occurred.

In ui-server.log I can see:

com.hp.ucmdb.uiserver.actions.login.ServerLoginUtils$CertificateValidationException: java.security.cert.CertificateException: KeyUsage cRLSign bit is false

What does this mean (KeyUsage cRLSign bit is false), and what can I do about it?

Should uCMDB really do some kind of CRL check when you have a reverse proxy in front (which is doing the CRL check)?

In Security Settings in JMX you can specify a CRL path (which I did when I got CAC without reverse proxy to work). I still had the post there, removed it, but no change... I guess when you choose CAC Support to work with a reverse proxy some settings are not in use.... maybe....

However, something is not working as it should... Can it be that I don't get the right information from the reverse proxy? I think I have followed the guide and the correct username is extracted from the certificate:

Manage to extract from SAN the following identities: [u123456@ad.domain.com]

Wbr / Fredrik

Re: CAC with reverse proxy fails. Internal error occurred.

After long discussions we finally got a hotfix for this:

https://softwaresupport.softwaregrp.com/km/KM03280847

PROBLEM DESCRIPTION - CRL Sign is checked for User Certificate instead of intermediate certificate

SOLUTION DESCRIPTION - Do not validate CRL Sign for User Certificate

Defect Number - QCIM1H123474 CAC Support with Reverse Proxy

VERSION - 10.30

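To make the ui-server.log error and the hotfix description above concrete, here is an added example that is not UCMDB code and not part of the hotfix. It decodes an X.509 KeyUsage extension the way the log message refers to it and contrasts the check as the defect describes it (cRLSign required on the user certificate, which an end-entity certificate never carries) with the corrected one (cRLSign checked on the certificate of the CA that issues the CRL). The certificate names and the DER key-usage bytes are constructed for the example; only the SAN identity u123456@ad.domain.com comes from the thread.

```python
"""
Constructed illustration of the X.509 KeyUsage check behind the error
"KeyUsage cRLSign bit is false". Not UCMDB code; the certificates below are
hand-built DER fragments standing in for a real CAC certificate chain.
"""

# RFC 5280 KeyUsage bit positions. Bit 0 is the most significant bit of the
# first content octet of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature",   # 0
    "nonRepudiation",     # 1
    "keyEncipherment",    # 2
    "dataEncipherment",   # 3
    "keyAgreement",       # 4
    "keyCertSign",        # 5
    "cRLSign",            # 6
    "encipherOnly",       # 7
    "decipherOnly",       # 8
]


def parse_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into the set of named usages."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused_bits = der[2]          # first content octet: unused bits in last byte
    payload = der[3:]
    total_bits = len(payload) * 8 - unused_bits
    usages = set()
    for bit in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[bit // 8] & (0x80 >> (bit % 8)):
            usages.add(KEY_USAGE_BITS[bit])
    return usages


# Constructed stand-ins for the two certificates involved in a CAC logon.
USER_CERT = {
    "subject": "CN=u123456@ad.domain.com",   # card holder identity from the thread
    "issuer": "CN=Example Intermediate CA",   # constructed name
    "key_usage": bytes.fromhex("030205A0"),   # digitalSignature + keyEncipherment
}
INTERMEDIATE_CERT = {
    "subject": "CN=Example Intermediate CA",  # constructed name
    "issuer": "CN=Example Root CA",           # constructed name
    "key_usage": bytes.fromhex("03020106"),   # keyCertSign + cRLSign
}


def crl_sign_check_on_user_cert(user_cert: dict) -> str:
    """Behaviour as the defect describes it: cRLSign is demanded on the
    end-entity certificate. User certificates do not carry that bit, so the
    check fails for every card holder."""
    if "cRLSign" not in parse_key_usage(user_cert["key_usage"]):
        return "KeyUsage cRLSign bit is false"
    return "ok"


def crl_sign_check_on_issuer(user_cert: dict, chain: list) -> str:
    """Corrected logic: a CRL is signed by the CA that issues it, so the
    cRLSign bit is required on the issuing CA's certificate (here the
    intermediate), never on the user certificate itself."""
    issuer = next((c for c in chain if c["subject"] == user_cert["issuer"]), None)
    if issuer is None:
        return "issuer certificate not found in chain"
    if "cRLSign" not in parse_key_usage(issuer["key_usage"]):
        return "issuer cannot sign CRLs: KeyUsage cRLSign bit is false"
    return "ok"


if __name__ == "__main__":
    print("user cert usages:        ", sorted(parse_key_usage(USER_CERT["key_usage"])))
    print("intermediate usages:     ", sorted(parse_key_usage(INTERMEDIATE_CERT["key_usage"])))
    print("check on user cert:      ", crl_sign_check_on_user_cert(USER_CERT))
    print("check on issuing CA:     ", crl_sign_check_on_issuer(USER_CERT, [INTERMEDIATE_CERT]))
```

On a real deployment the same information can be read from the certificates with `openssl x509 -in cert.pem -noout -text`, under "X509v3 Key Usage": the card holder's certificate should list Digital Signature and similar usages only, while the intermediate CA certificate that signs the CRL should list CRL Sign. If the CA certificate itself lacks CRL Sign, the hotfix will not help and the PKI side needs attention.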