UAG and VIDM w/load balancing, not having any luck

Contributor:

Hi all

So, I've got a VMware Identity Manager set up and good to go and have been trying to establish a set of UAGs in our DMZ for access to the VIDM portal. However, when everything is deployed and set up (certificates, static routes and whatnot in the UAG) I'm being presented with an error when trying to access VIDM through a UAG:

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

The entries in the esmanager.log file on the UAG look like this:

INFO  proxy.HttpsProxyRequestHandler[write: 121][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: created session: 801d8339-b2df-4ba2-a391-4975fc8fa0fa for the channel: [id: 0xdc7ad3a1, L:/192.168.90.11:6443 - R:/192.168.90.15:49693] having expires at: Wed Dec 06 21:29:05 UTC 2017

INFO  interceptor.WsPortalProxyRequestInterceptor[intercept: 67][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Session id: 801d8339-b2df-4ba2-a391-4975fc8fa0fa is of type: WEB_REVERSE_PROXY

ERROR ssl.HttpsProxySslEngineFactory[checkServerTrusted: 249][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Could not find a trusted certificate thumbprint that matches any of the server certificates due to mismatch in thumbprints

WARN  proxy.HttpsProxyInterceptorHandler[exceptionCaught: 336][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Exception Caught: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

INFO  wsportal.WsPortalEdgeServiceHelper[getResponseForException: 364][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Sending internal server error with message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

The certificate that's being presented is the correct one for the load balancer in front of the UAG (and not the same one that's used for VIDM).

My setup is planned to look like this:

DMZ Load balancer -> UAG appliances -> LAN Load balancer -> VIDM appliances

From reading various docs, I thought certificates were supposed to be deployed like this:

DMZ Load balancer: cert-ext.example.com

UAG Appliances: cert-ext.example.com

LAN Load balancer: cert-int.example.com

VIDM Appliances: cert-int.example.com

I.e. the certificate that UAG presents to the user's web browser is not the same as the certificate presented by the VIDM nor the VIDM load balancer on the internal LAN.

Reading the error messages, is it possible that I've misunderstood how certificates should be done here? Do you need the same certificate on all components through the "chain"?

Any help appreciated! Thanks!

Components:

VIDM 3.0 Build 6651498

NetScaler loadbalancer in both LAN and DMZ

UAG 3.1.1

3 Replies

VMware Employee (accepted solution):

vIDM only supports one namespace. So the FQDN for internal vs. external load balancers must be the same. So having different certificates is not applicable. You should use the same cert on both the internal LB and the external-facing one.

Contributor:

Thanks Peter, I really appreciate you answering.

Went through all the hurdles of replacing the certificates in all components so it's now all inside one namespace. Redeployed the UAG with the new certificate, but I'm still getting the same error message, albeit a different output in the logs.

Tried to reboot the appliance after deployment as well, same results.

esmanager.log:

INFO  proxy.HttpsProxyRequestHandler[write: 121][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: created session: 4e787a4d-6dca-4ca2-b756-4789ca2a46b3 for the channel: [id: 0xa5beb1b7, L:/ip-redacted:6443 - R:/ip-redacted:8085] having expires at: Tue Dec 12 23:56:48 UTC 2017

INFO  interceptor.WsPortalProxyRequestInterceptor[intercept: 67][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Session id: 4e787a4d-6dca-4ca2-b756-4789ca2a46b3 is of type: WEB_REVERSE_PROXY

ERROR ssl.HttpsProxySslEngineFactory[checkServerTrusted: 262][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Error occurred due to missing thumbprints: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

WARN  proxy.HttpsProxyInterceptorHandler[exceptionCaught: 336][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Exception Caught: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

INFO  wsportal.WsPortalEdgeServiceHelper[getResponseForException: 364][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Sending internal server error with message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Contributor:

I jumped the gun here.

I also had to supply the Certificate Thumbprint inside the Reverse Proxy settings in the UAG Web GUI. It all works now.

Your solution was the correct one after all Peter, so I'm marking it up as correct. Thanks again! Lifesaver!
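The two errors in this thread are the two ways the UAG reverse proxy can refuse a backend: a pinned thumbprint that does not match what the proxy destination actually presents ("mismatch in thumbprints"), or no pinned thumbprint and a certificate chain the Java trust store cannot build ("PKIX path building failed"). The script below is an added diagnostic example, not code from the thread or from VMware: it reproduces those checks with openssl so you can compare the certificate the LAN load balancer really presents against what is configured in UAG, before touching the appliance. Assumptions: openssl 1.1.1 or later is on PATH; vidm.example.com is a hypothetical FQDN; the certificate used in the demo is a self-signed one generated on the spot as a stand-in for the load balancer's; and the "sha1=AB:CD:..." notation is this script's own way of writing a configured thumbprint, not a statement about the exact syntax of the UAG thumbprint field.

```shell
#!/bin/sh
# Added example (not from the thread): checks a backend certificate the way
# the UAG reverse proxy does before it trusts the proxy destination:
#   - a thumbprint pinned in the reverse-proxy settings must match, or
#   - with no pinned thumbprint, the chain must build to a trusted CA
#     (the "PKIX path building failed" case).
# Assumptions: openssl 1.1.1+ on PATH; hex-colon thumbprints are this
# script's own notation, not a guarantee of the UAG field syntax.
set -eu

# Constructed test data: a self-signed cert standing in for the one the LAN
# load balancer presents to the UAG. The FQDN is hypothetical.
make_demo_cert() {    # $1 = output dir, $2 = FQDN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/lb.key" -out "$1/lb.pem" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# Grab the certificate a live endpoint presents (not run in the demo). Run
# it from the UAG itself so you see exactly what the UAG sees.
fetch_presented_cert() {    # $1 = host:port, $2 = SNI name, $3 = output PEM
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3"
}

# Thumbprint of a PEM cert as colon-separated upper-case hex.
cert_thumbprint() {    # $1 = PEM file, $2 = sha1 | sha256
  openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^[^=]*=//'
}

# Normalise a thumbprint so "ab:cd", "AB CD" and "abcd" compare equal.
normalize_fp() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }

# Does the configured thumbprint ("sha1=AB:CD:..." or "sha256=...") match
# what the backend presents? A mismatch is what produced the first error
# in the thread: "Could not find a trusted certificate thumbprint ...".
thumbprint_matches() {    # $1 = PEM file, $2 = configured "algo=hex"
  algo=${2%%=*}
  want=${2#*=}
  have=$(cert_thumbprint "$1" "$algo")
  [ "$(normalize_fp "$have")" = "$(normalize_fp "$want")" ]
}

# Does the subjectAltName cover the FQDN the UAG proxies to? With a single
# namespace this is the same name users reach through the DMZ side.
cert_covers_fqdn() {    # $1 = PEM file, $2 = FQDN
  openssl x509 -in "$1" -noout -text | grep -q -w "DNS:$2"
}

# Without a pinned thumbprint the proxy must chain the cert to a trusted
# root; this is the check behind "PKIX path building failed".
chain_verifies() {    # $1 = PEM file, $2 = CA bundle (PEM)
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d)
  make_demo_cert "$tmp" vidm.example.com
  fp=$(cert_thumbprint "$tmp/lb.pem" sha1)
  echo "backend presents sha1=$fp"
  thumbprint_matches "$tmp/lb.pem" "sha1=$fp" && echo "pinned thumbprint: match"
  thumbprint_matches "$tmp/lb.pem" "sha1=00:11:22:33" \
    || echo "pinned thumbprint: MISMATCH (UAG would refuse the handshake)"
  cert_covers_fqdn "$tmp/lb.pem" vidm.example.com && echo "SAN covers vidm.example.com"
  # A self-signed cert verifies only against itself; a real load-balancer
  # cert needs the CA bundle the UAG trusts.
  chain_verifies "$tmp/lb.pem" "$tmp/lb.pem" && echo "chain verifies against given CA"
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check-backend-cert.sh demo` for the self-contained run, or call `fetch_presented_cert lan-lb.example.com:443 vidm.example.com lb.pem` from the UAG and then `thumbprint_matches lb.pem "sha1=<value from the UAG settings>"` to confirm that the thumbprint you entered in the reverse-proxy settings is the one the load balancer is actually serving after a certificate replacement.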