maqsood1

NetIQ Identity Application 4.7 SP2 -- SSL Wildcard Cert

Hello

Identity Application 4.7 SP2 running on RHEL 7.2.

After we added a wildcard SSL certificate to the Tomcat keystore, we are having issues with the OAuth server upon user login in the Identity Application.

When a user types in username and password and presses login, the browser downloads an "oath" file to the user's PC, and pressing F5 or refresh again in the browser logs the user in successfully to the Identity Application.

While looking at the trace in catalina.out, we see the following:


19-03-15T09:06:40Z, ERROR, oauth.OAuthConsumerServlet, 5071 ERROR_OAUTH_ERROR (unexpected error communicating with oauth server: password.pwm.error.PwmUnrecoverableException: 5071 ERROR_OAUTH_ERROR (error during oauth code resolver http request to oauth server, remote error: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: java.security.cert.CertificateException: server certificate {subject=CN=*.mycompany.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated} does not match a certificate in the configuration trust store.)))


How to resolve this issue?

Regards,
Maqsood.
Micro Focus Expert

Re: NetIQ Identity Application 4.7 SP2 -- SSL Wildcard Cert

On 3/16/19 4:06 PM, maqsood wrote:

Greetings,
The error outlined is coming from SSPR and not the Identity
Applications. Did you import the certificate in SSPR via the
Administration?

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
maqsood1

Re: NetIQ Identity Application 4.7 SP2 -- SSL Wildcard Cert

Hello Steven

We chose not to install SSPR with the Identity Application, since we have "NetIQ Self Service Password Reset" as a stand-alone webapp already installed on separate servers. How to fix this issue then?
Anonymous_User

Re: NetIQ Identity Application 4.7 SP2 -- SSL Wildcard Cert

maqsood <maqsood@no-mx.forums.microfocus.com> wrote:


Hi.

It still seems to be behind the same OSP as the Identity Applications (even if
installed separately on another server), and therefore you must import the
certificate into SSPR. If I recall correctly, this is on the config page for
SSO in the SSPR GUI.

--
Best regards
Marcus
maqsood1

Re: NetIQ Identity Application 4.7 SP2 -- SSL Wildcard Cert

Hello

Just wanted to post an update here, in case other people have the same issue:

The wildcard SSL cert (.pfx) needs to be imported into the SSPR keystore. I have not found where that keystore is, but in the SSPR Configuration Editor, search for "Server Certificate",
and then a menu appears to import Server Certificates. This menu is otherwise not visible; possibly a bug!


For stand-alone SSPR, NetIQ has an article:

https://support.microfocus.com/kb/doc.php?id=7018545

2. The HTTPS (aka Tomcat or browser) cert. This is the certificate for the browser. It encrypts traffic between the SSPR webserver and the user's browser. With the SSPR 4 appliance install, ssl'ized traffic uses port 443. With the Windows msi or .war file installations secure traffic goes over port 8443 as it did with SSPR 3.x. If using the Appliance or Windows MSI install, this cert is administered in SSPR Configuration Editor -> Settings ->HTTPS Server -> Certificate. (This setting is not available with the .zip / .war install.) Import a PKCS12 / PFX or java key store certificate from a commercially signed certificate. TID 7018852 explains how to create a signed SSL certificate using Open SSL. See "Note 3" in the "additional information" section below for more detail.


But in the Identity Applications SSPR, this menu ("SSPR Configuration Editor -> Settings -> HTTPS Server -> Certificate") is hidden and only appears if you search for it 🙂

Regards,

Maqsood.
Knowledge Partner

Re: NetIQ Identity Application 4.7 SP2 -- SSL Wildcard Cert

maqsood wrote:

> Search for "Server Certificate",
> and then a menu appears to import Server Certificates. This menu is
> otherwise not visible; possibly a bug!


It may be one of the "advanced" options that are hidden by default. You can
unhide them all somewhere in the menu, IIRC.

--
http://www.is4it.de/en/solution/identity-access-management/
