
3.5 and Could not determine revocation status

Hello,

Have some odd issues with my TLS config.

This is 3.0.1 upgraded to 3.5 on Linux.

I can login to IG 3.5 without any issues.

OSP 6.3.1 is on the same server.
Tomcat is 9.0.12
Java is 1.8.0_181-b02 from Azul Systems, Inc.

But when I go to one of my identity/application sources and click on
Test connection I get this message:

Unable to connect to your server: Failed to parse result set for rest
call to https://ig1.mydomain.com:9443/daas/rest/service from
DaasExecutorService service.

After activating debug logging for SSL I can see that it complains about
"revocation status" in catalina.out

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path validation failed:
java.security.cert.CertPathValidatorException: Could not determine
revocation status

I've added this to setenv.sh but it didn't help:
-Dcom.sun.net.ssl.checkRevocation=false

I'm using Let's Encrypt wildcard certificates.

I see this in the catalina.2019-01-10.log

[SEVERE] 2019-01-10 18:24:11
com.netiq.iac.server.common.rest.RestCallExecutor executePutRestCall -
[IG-SERVER] Failed to connect. URI:
https://ig1.mydomain.com:9443/daas/rest/service, rest service id:
dc_server:Daas. Please verify that rest server is reachable.
[SEVERE] 2019-01-10 18:24:11
com.netiq.iac.server.common.rest.RestCallExecutor executeDeleteRestCall
- [IG-SERVER] Failed to connect. URI:
https://ig1.mydomain.com:9443/daas/rest/service/IDMIdentityTemplate-1485982871782-gromitid-2,
rest service id: dc_server:Daas. Please verify that rest server is
reachable.
[SEVERE] 2019-01-10 18:24:11
com.netiq.iac.persistence.dcs.dce.daas.DaaSService testConnection -
[IG-SERVER] Failed to connect. URI:
https://ig1.mydomain.com:9443/daas/rest/service/IDMIdentityTemplate-1485982871782-gromitid-2,
rest service id: dc_server:Daas. Please verify that rest server is
reachable.
[SEVERE] 2019-01-10 18:24:11 com.netiq.iac.server.rest.ConnectionService
testConnection - [IG-SERVER] Test Connection error: Failed to parse
result set for rest call to
https://ig1.mydomain.com:9443/daas/rest/service from DaasExecutorService
service.

Any tips?

Thanks
-alekz


Re: 3.5 and Could not determine revocation status

On 1/10/19 12:31 PM, alekz wrote:
> Hello,
>
> Have some odd issues with my TLS config.
>
> This is 3.0.1 upgraded to 3.5 on Linux.
>
> I can login to IG 3.5 without any issues.
>
> OSP 6.3.1 is on the same server.
> Tomcat is 9.0.12
> Java is 1.8.0_181-b02 from Azul Systems, Inc.
>
> But when I go to one of my identity/application sources and click on
> Test connection I get this message:
>
> Unable to connect to your server: Failed to parse result set for rest
> call to https://ig1.mydomain.com:9443/daas/rest/service from
> DaasExecutorService service.
>
> After activating debug logging for SSL I can see that it complains about
> "revocation status" in catalina.out
>
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path validation failed:
> java.security.cert.CertPathValidatorException: Could not determine
> revocation status
>
> I've added this to setenv.sh but it didn't help:
> -Dcom.sun.net.ssl.checkRevocation=false
>
> I'm using Let's Encrypt wildcard certificates.
>
> I see this in the catalina.2019-01-10.log
>
> [SEVERE] 2019-01-10 18:24:11
> com.netiq.iac.server.common.rest.RestCallExecutor executePutRestCall -
> [IG-SERVER] Failed to connect. URI:
> https://ig1.mydomain.com:9443/daas/rest/service, rest service id:
> dc_server:Daas. Please verify that rest server is reachable.
> [SEVERE] 2019-01-10 18:24:11
> com.netiq.iac.server.common.rest.RestCallExecutor executeDeleteRestCall
> - [IG-SERVER] Failed to connect. URI:
> https://ig1.mydomain.com:9443/daas/rest/service/IDMIdentityTemplate-1485982871782-gromitid-2,
> rest service id: dc_server:Daas. Please verify that rest server is
> reachable.
> [SEVERE] 2019-01-10 18:24:11
> com.netiq.iac.persistence.dcs.dce.daas.DaaSService testConnection -
> [IG-SERVER] Failed to connect. URI:
> https://ig1.mydomain.com:9443/daas/rest/service/IDMIdentityTemplate-1485982871782-gromitid-2,
> rest service id: dc_server:Daas. Please verify that rest server is
> reachable.
> [SEVERE] 2019-01-10 18:24:11 com.netiq.iac.server.rest.ConnectionService
> testConnection - [IG-SERVER] Test Connection error: Failed to parse
> result set for rest call to
> https://ig1.mydomain.com:9443/daas/rest/service from DaasExecutorService
> service.
>
> Any tips?
>
> Thanks
> -alekz
>

Greetings,
Normally, when I have seen this kind of error it is because the
certificate chain is not properly mapped up for the ID Gov runtime to
know about it.

Did you put the entry in configutil on the Network Topology tab in the
SSL Keystore area for where the path & file name for your trust store
that holds just the cert(s) that Tomcat is using for https and the
password for the file?

If not, then you need to do that and restart Tomcat.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus

Re: 3.5 and Could not determine revocation status

On 2019-01-10 18:47, Steven Williams wrote:
> Did you put the entry in configutil on the Network Topology tab in the
> SSL Keystore area for where the path & file name for your trust store
> that holds just the cert(s) that Tomcat is using for https and the
> password for the file?

That did the trick; I had the root and intermediate cert but not the
leaf cert in that file.

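The root cause in this thread was a truststore that held the root and intermediate but not the leaf certificate, so the following added example (not code from the thread or from Identity Governance) loads a JKS or PKCS12 truststore, compares it against a PEM chain file by SHA-256 fingerprint, and reports which certificates are absent. The truststore path, its password and the chain file are assumed command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/** Reports which certificates of a PEM chain are missing from a JKS/PKCS12 truststore. */
public class TrustStoreChainCheck {

    // SHA-256 over the DER encoding, so the same cert matches regardless of alias or PEM formatting
    static String fingerprint(Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumed arguments: truststore path, truststore password, PEM file with leaf + intermediates + root
        String storePath = args[0], storePass = args[1], chainPem = args[2];

        KeyStore ks = KeyStore.getInstance(storePath.endsWith(".p12") ? "PKCS12" : "JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass.toCharArray());
        }
        // Collect fingerprints of every trusted-cert entry (and the leaf of any key entry)
        Set<String> trusted = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c != null) trusted.add(fingerprint(c));
        }

        // generateCertificates parses all concatenated PEM certificates in the file
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int missing = 0;
        try (InputStream in = new FileInputStream(chainPem)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                boolean present = trusted.contains(fingerprint(x));
                System.out.printf("%-8s %s%n", present ? "present" : "MISSING", x.getSubjectX500Principal());
                if (!present) missing++;
            }
        }
        System.exit(missing == 0 ? 0 : 1);  // non-zero exit lets a restart script refuse to start Tomcat
    }
}
```

A line marked MISSING for the leaf is exactly the condition this thread ended on; a non-zero exit status makes the check usable before restarting Tomcat after editing the configutil truststore.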