RandyR Valued Contributor.

Intermediate Certificate causes "peer not authenticated" on Integration Activities in IDM 4.7


Greetings -

With IDM UA 4.7.2 on SLES 12 SP3, I am trying to use a wildcard DigiCert certificate (tomcat.ks), and cannot run any of the Integration Activity PRDs that I created.  All other functionality seems to work OK.  Log snippet at the end of the post.  I then created a certificate from the eDir CA and put it in place (no intermediate in the chain).  Now it works.  I then created a certificate from our Active Directory CA, which has an intermediate certificate in the chain, and I get the same error as with the DigiCert certificate.

I can reproduce this by switching the UA Application SSL certificate.  Anybody else experience this? Is this a bug? 

Here is where I imported the certificates:

UA Server

/opt/netiq/idm/apps/tomcat/conf/tomcat.ks - pfx files (DigiCert, eDir, and AD) (private key and chain). The password for the store and the private key is the same.

/opt/netiq/common/jre/lib/security/cacerts - DigiCert Root and Intermediate, eDir Root, AD Root and Intermediate.

UA Driver eDir Server

/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts - DigiCert Root and Intermediate, eDir Root, AD Root and Intermediate.

After the certs were imported, the UA and eDir were restarted.

Thanks,

*************************************************************************************

2019-07-09 13:09:15,387 DEBUG [com.novell.soa.af.impl.activity.IntegrationActivity] (RBPM pool-1-workflow engine-ND-thread-7) [RBPM] Input:
java.lang.ClassNotFoundException : com.sssw.b2b.ee.jms.rt.GNVJMSXObjectFactory
java.lang.ClassNotFoundException : com.sssw.b2b.ee.jms.rt.GNVJMSServiceXObjectFactory

These seem to be normal errors?

Errors encountered while loading factories:
Enabler status errors:
Enabler: 3270; Error: Current License Version is 60 but version 52 is required
Enabler: 3270logon; Error: Current License Version is 60 but version 52 is required
Enabler: 5250; Error: Current License Version is 60 but version 52 is required
Enabler: 5250logon; Error: Current License Version is 60 but version 52 is required
Enabler: CICSRPC; Error: Current License Version is 60 but version 52 is required
Enabler: EDI; Error: Current License Version is 60 but version 52 is required
Enabler: HTML; Error: Current License Version is 60 but version 52 is required
Enabler: JMS; Error: Cannot get build for: com.sssw.b2b.ee.jms.rt.GNVJMSXObjectFactory
Enabler: JMSService; Error: Cannot get build for: com.sssw.b2b.ee.jms.rt.GNVJMSServiceXObjectFactory
Enabler: PROCESS; Error: Current License Version is 60 but version 52 is required
Enabler: TELNET; Error: Current License Version is 60 but version 52 is required
Enabler: Telnetlogon; Error: Current License Version is 60 but version 52 is required

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
at com.sssw.b2b.ee.httpclient.HTTPConnection.sendRequest(HTTPConnection.java:2967)
at com.sssw.b2b.ee.httpclient.HTTPConnection.handleRequest(HTTPConnection.java:2812)
at com.sssw.b2b.ee.httpclient.HTTPConnection.setupRequest(HTTPConnection.java:2626)
at com.sssw.b2b.ee.httpclient.HTTPConnection.Post(HTTPConnection.java:1224)
at com.sssw.b2b.ee.httpclient.HTTPConnection.Post(HTTPConnection.java:1200)
at com.sssw.b2b.rt.util.GNVURLReadWrite.httpPutOrPost(GNVURLReadWrite.java:457)
at com.sssw.b2b.rt.util.GNVURLReadWrite.httpPost(GNVURLReadWrite.java:405)
at com.sssw.b2b.rt.util.GNVURLReadWrite.putOrPostURL(GNVURLReadWrite.java:761)
at com.sssw.b2b.rt.util.GNVURLReadWrite.postURL(GNVURLReadWrite.java:734)
at com.sssw.b2b.rt.action.GNVDocIOAction.evaluateXMLAction(GNVDocIOAction.java:539)
at com.sssw.b2b.rt.action.GNVDocIOAction.apply(GNVDocIOAction.java:448)
at com.sssw.b2b.rt.action.GNVActionList.apply(GNVActionList.java:209)
at com.sssw.b2b.rt.action.GNVTryAction.apply(GNVTryAction.java:324)
at com.sssw.b2b.rt.action.GNVActionList.apply(GNVActionList.java:209)
at com.sssw.b2b.rt.action.GNVActionModel.apply(GNVActionModel.java:177)
at com.sssw.b2b.rt.GNVActionComponent.execute(GNVActionComponent.java:439)
at com.sssw.b2b.rt.service.GNVServiceComponent.execute(GNVServiceComponent.java:186)
at com.novell.soa.af.impl.activity.IntegrationActivity.executeComponent(IntegrationActivity.java:668)
at com.novell.soa.af.impl.activity.IntegrationActivity.execute(IntegrationActivity.java:482)
at com.novell.soa.af.impl.activity.IntegrationActivity.process(IntegrationActivity.java:311)
at com.novell.soa.af.impl.activity.ActivityNode.notifyArrive(ActivityNode.java:231)
at com.novell.soa.af.impl.activity.IntegrationActivity.notifyArrive(IntegrationActivity.java:277)
at com.novell.soa.af.impl.core.ProcessImpl.startActivity(ProcessImpl.java:1740)
at com.novell.soa.af.impl.core.ProcessImpl.forward(ProcessImpl.java:1637)
at com.novell.soa.af.impl.activity.ActivityNode.forward(ActivityNode.java:290)
at com.novell.soa.af.impl.activity.ActivityNode.forward(ActivityNode.java:265)
at com.novell.soa.af.impl.activity.StartActivity.process(StartActivity.java:94)
at com.novell.soa.af.impl.activity.ActivityNode.notifyArrive(ActivityNode.java:231)
at com.novell.soa.af.impl.activity.RunnableActivity.run(RunnableActivity.java:50)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
++++++ Tue Jul 09 13:09:16 CDT 2019 USER LOG FROM GEN_V1_GLWF_UserApplication_Assign Role_Activity
------ com.sssw.b2b.rt.GNVException: rt001801:Document I/O error: peer not authenticated;
---> nested javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

7 Replies
Marcus Tornberg Honored Contributor.

Hi.

Seems you are missing some JAR files for JMS, but I am not sure that is related. Should be fixed though. I have not seen it before.

As for the certificate issues, does the DigiCert have a matching DNS-name in SAN (Subject Alternate Names)? Do you use the same DNS names in your workflow? Is the certificate valid (check dates)?

Also you might want to activate more logging for Tomcat (setenv.bat/setenv.sh):

-Djavax.net.debug=sslverbose:keymanager:trustmanager
-Djava.security.debug=access:stack

This would give more info in catalina.out.

Best regards

Marcus

RandyR Valued Contributor.

Thanks for the response.  I have 3 environments set up with IDM 4.7.2 and all have the same errors:

java.lang.ClassNotFoundException : com.sssw.b2b.ee.jms.rt.GNVJMSXObjectFactory
java.lang.ClassNotFoundException : com.sssw.b2b.ee.jms.rt.GNVJMSServiceXObjectFactory

I have not opened a SR for that, but you are right probably missing a jar, or part of one at least.

For the certificates:  All 3 are valid.  The DigiCert one does not have the UA Application name in the SAN.  The eDir and AD ones have the UA Application name in both the CN and the SAN.  I did not really consider that, since all the other functions seem to work, but good point; I can cut another DigiCert cert and try it.

I can add the additional logging, but it will be Monday as I am taking a long weekend to refresh, starting this afternoon.  I can then add the additional information.

When you say you have not seen this before, were you talking about the missing jar /part of jar file OR the certificate issue?

Have you seen an environment with a UA Application certificate that has an intermediate, running an Integration Activity?  The Integration Activity is pretty simple, like createRole or createResource (I know that these are in DirXML-Script now, but that lacks the ability to create them in eDir containers).

Thanks,

 

Knowledge Partner

My recollection is that an intermediate cert ought not be a problem for an integration activity.

A secondary, related, but not your specific issue is that createRole in 4.72 and 4.73 has a bug. If your SOAP call has a <ser:quorum/> node, it will fail (which IS legal, per the WSDL), so you have to remove it.

I have yet to try and fix this in an existing PRD, but I think you might have to edit the WSDL to remove it, then create a new Integration Activity, copy in all the info from the current one, move it in, and remove the old one.

 

Marcus Tornberg Honored Contributor.

Hi.

I had not seen the issue you have with the missing JAR files. As for certificate issues, this has become quite frequent since the newer versions of the JRE have higher security requirements for things like DNS names and SAN in certificates.

I would also recommend to go through this thread:

https://community.microfocus.com/t5/Identity-Manager-User/Unable-to-log-onto-UserApp-after-updating-to-4-7-2/m-p/2334057

It is not the same issue, but there are some good tips in there (check /.well-known/openid-configuration) to verify, and also options to set in setenv.sh/setenv.bat to work around similar certificate issues. Might get you somewhere.

Also, I found an old thread that had a very similar problem you describe, but that was an old bug in 4.5.4, so I don't think it applies to you:

https://community.microfocus.com/t5/Identity-Manager-User/Integration-Activity-and-Subject-Alternate-Name-certs/m-p/2352532

RandyR Valued Contributor.

Hello,

I was able to add the options to setenv.sh this morning.

-Djavax.net.debug=sslverbose:keymanager:trustmanager
-Djava.security.debug=access:stack

With a certificate that has an intermediate cert it still fails.  Below is the error; there is not much more info on the failure, except that it does not trust it.  I would add/attach the trace, but I am not sure how I could cleanse it, so I do not want to attach it.  Can I get clarification on what all the cert stores are for?

On the User Application server there are 3 certificate stores, and one on the eDir server. Can someone tell me what each store is for and what is supposed to be in each one? Below is my understanding.

/opt/netiq/idm/apps/tomcat/conf/tomcat.ks - For the User Application Private Key - Should have an alias of 'tomcat' if more than one in the store.

/opt/netiq/idm/apps/tomcat/conf/idm.jks - Stores the Identity Vault Certificate - Not sure why the GeoTrust certs are located there?

/opt/netiq/common/jre/lib/security/cacerts - Contains all of the default trusted root certificates - Added trusted Roots and Intermediate Certificates here.

Then on the eDir Server there is.

/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts - Contains all of the default trusted root certificates - Added trusted Roots and Intermediate Certificates here.

Here is a snippet. Probably does not help much.

 %% Invalidated: [Session-22, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
RBPM pool-1-workflow engine-ND-thread-7, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
RBPM pool-1-workflow engine-ND-thread-7, WRITE: TLSv1.2 Alert, length = 2
RBPM pool-1-workflow engine-ND-thread-7, called closeSocket()
RBPM pool-1-workflow engine-ND-thread-7, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
RBPM pool-1-workflow engine-ND-thread-7, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
at com.sssw.b2b.ee.httpclient.HTTPConnection.sendRequest(HTTPConnection.java:2967)

 

Thanks - 

 

Knowledge Partner

I was amused since I ran into exactly this same error this week.

I have logs that show it fails with an SSL peer not validated.  So I thought, that means the JRE does not trust the Cert in use. As of JVM 1.8 build 181 and higher, Java in its wisdom decided that it is a security violation and a default failure, if the URL you connect with is not the same as the host name specified in the Certificate.  At one point it required that the cert's CN= be the hostname and then it got loosened a bit to be one of the Subject Alternate Names (SAN).  One side effect is to remember to always add the actual IP address as a SAN.

So I looked at the keystores in play.

 

/opt/netiq/idm/apps/tomcat/conf/tomcat.ks - Private key of Tomcat, eDir tree pub key, OSP pub key (good)

/opt/netiq/idm/apps/osp/osp.jks - Private key of OSP, eDir tree key, and Tomcat pub key (good)

/opt/netiq/idm/common/jre/lib/security/cacerts - Tomcat, OSP, eDir pub keys (good)

 

So who is missing the key?  I looked in the  /opt/netiq/idm/apps/tomcat/conf directory and there is a new keystore, idm.jks and it has the eDir pub key.  No Tomcat pub key. Imported that and tried the workflow again and it looks like it worked.

 

I noticed that ism-configuration.properties references this keystore:

DirectoryService/realms/jndi/params/KEYSTORE_PATH = /opt/netiq/idm/apps/tomcat/conf/idm.jks

No password, so I am guessing just for public keys.

 

Here is the list of attrs in my file that have the same beginning.

 

DirectoryService/realms/jndi/params/UUID_AUX_CLASS = srvprvEntityAux
DirectoryService/realms/jndi/params/UUID_ATTRIB = srvprvUUID
DirectoryService/realms/jndi/params/OBJECT_ATTRIB = objectClass
DirectoryService/realms/jndi/params/USER_ROOT_CONTAINER = o=acme
DirectoryService/realms/jndi/params/MANDATORY_SECURE_USER_CONNECTION = true
DirectoryService/realms/jndi/params/GROUP_OBJECT = groupOfNames
DirectoryService/realms/jndi/params/USE_PUB_ANON = true
DirectoryService/realms/jndi/params/PLAIN_PORT = 389
DirectoryService/realms/jndi/params/GROUP_SEARCH_SCOPE = subtree
DirectoryService/realms/jndi/params/GROUP_USER_MEMBER_ATTRIB = member
DirectoryService/realms/jndi/params/ROOT_NAME = o=acme
DirectoryService/realms/jndi/params/USE_DYNAMIC_GROUPS = false
DirectoryService/realms/jndi/params/USER_OBJECT = inetOrgPerson
DirectoryService/realms/jndi/params/SECURE_PORT = 636
DirectoryService/realms/jndi/params/KEYSTORE_PATH = /opt/netiq/idm/apps/tomcat/conf/idm.jks
DirectoryService/realms/jndi/params/NAMING_ATTRIBUTE = cn
DirectoryService/realms/jndi/params/LOGIN_ATTRIBUTE = cn
DirectoryService/realms/jndi/params/PROVISION_ROOT = cn=UserApplication,cn=DriverSet01,ou=idm,ou=system,o=acme
DirectoryService/realms/jndi/params/GROUP_ROOT_CONTAINER = o=acme
DirectoryService/realms/jndi/params/CONTAINER_OBJECT = c=countryou=organizationalUnito=organizationdc=domaint=treeRoot
DirectoryService/realms/jndi/params/AUTHORITY = edirServer.corp.acme.net
DirectoryService/realms/jndi/params/USER_SEARCH_SCOPE = subtree
DirectoryService/realms/jndi/params/DYNAMIC_GROUP_OBJECT = dynamicGroup
DirectoryService/realms/jndi/params/USER_GROUP_MEMBER_ATTRIB = groupMembership
DirectoryService/realms/jndi/params/MANDATORY_SECURE_ADMIN_CONNECTION = true
DirectoryService/realms/jndi/params/DRIVER_SET_ROOT = cn=DriverSet01,ou=idm,ou=system,o=acme

 

These look copied from ones I specifically set.  Not sure how/when that happened.

 

 

RandyR Valued Contributor.

Hello,

I was able to get it to finally work by adding the intermediate certificate to the idm.jks store.  Looking in the trace, it loads all of those certificates when Tomcat starts. By default the intermediate certificate is in the cacerts, as I have a publicly trusted cert.  I am not a fan of putting every certificate in every store, as for me it just causes confusion down the road.  Here is what I have in each store, in a working system.

/opt/netiq/idm/apps/tomcat/conf/tomcat.ks - Tomcat Private Key with an alias of tomcat (I added this)

/opt/netiq/idm/apps/tomcat/conf/idm.jks - eDir Root cert (added during install) and I added the intermediate certificate here.

/opt/netiq/common/jre/lib/security/cacerts - Did not change anything, as I am using a publicly trusted certificate; if not, I would need to add the root here.

/opt/netiq/idm/apps/osp/osp.jks - Private Key for osp (created during install)

Thanks,
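The two findings above (the Knowledge Partner's and RandyR's) both come down to which truststore the Integration Activity's HTTP client actually consults and whether a path can be built from the chain the server sends to an anchor in that store. The following diagnostic is an added example, not code from this thread or from NetIQ/Micro Focus: it loads a JKS truststore such as idm.jks, performs a TLS handshake against a host and port given on the command line (assumed argument order: host, port, truststore path, optional store password), prints the chain the server presented, and on a PKIX failure names the issuer whose certificate is missing from that store. It checks chain building only, not hostname/SAN matching.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Constructed diagnostic: which link of the served chain is absent from a given truststore?
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        final String host = args[0];                       // e.g. the UA host an Integration Activity posts to
        final int port = Integer.parseInt(args[1]);        // e.g. 8543
        final String trustStore = args[2];                 // e.g. /opt/netiq/idm/apps/tomcat/conf/idm.jks
        final char[] pw = args.length > 3 ? args[3].toCharArray() : null;  // JKS loads without a password

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStore)) { ks.load(in, pw); }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];

        // Wrap the real PKIX trust manager so the chain the server sent is visible before validation.
        X509TrustManager reporting = new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                real.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                System.out.println("Server sent " + chain.length + " certificate(s):");
                for (X509Certificate c : chain) {
                    System.out.println("  subject=" + c.getSubjectX500Principal()
                                     + "  issuer=" + c.getIssuerX500Principal());
                }
                try {
                    real.checkServerTrusted(chain, authType);
                    System.out.println("PKIX path built successfully against " + trustStore);
                } catch (CertificateException e) {
                    // With only a leaf served and no intermediate in the store, the leaf's issuer is the gap.
                    X509Certificate top = chain[chain.length - 1];
                    System.out.println("PKIX path building failed (" + e.getMessage() + "): issuer '"
                        + top.getIssuerX500Principal() + "' of '" + top.getSubjectX500Principal()
                        + "' has no trust anchor in " + trustStore);
                    throw e;
                }
            }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { reporting }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();   // triggers checkServerTrusted above
        }
    }
}
```

Run it once against cacerts and once against idm.jks: when the first succeeds and the second fails, the missing issuer it prints is the certificate to import into idm.jks with keytool, which is what the fix above did.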

 

 
