Hi all
So, I've got a VMware Identity Manager set up and good to go and have been trying to establish a set of UAGs in our DMZ for access to the VIDM portal. However, when everything is deployed and set up (certificates, static routes and whatnot in the UAG) I'm being presented with an error when trying to access VIDM through a UAG:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
The entries in the esmanager.log file on the UAG look like this:
INFO proxy.HttpsProxyRequestHandler[write: 121][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: created session: 801d8339-b2df-4ba2-a391-4975fc8fa0fa for the channel: [id: 0xdc7ad3a1, L:/192.168.90.11:6443 - R:/192.168.90.15:49693] having expires at: Wed Dec 06 21:29:05 UTC 2017
INFO interceptor.WsPortalProxyRequestInterceptor[intercept: 67][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Session id: 801d8339-b2df-4ba2-a391-4975fc8fa0fa is of type: WEB_REVERSE_PROXY
ERROR ssl.HttpsProxySslEngineFactory[checkServerTrusted: 249][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Could not find a trusted certificate thumbprint that matches any of the server certificates due to mismatch in thumbprints
WARN proxy.HttpsProxyInterceptorHandler[exceptionCaught: 336][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Exception Caught: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
INFO wsportal.WsPortalEdgeServiceHelper[getResponseForException: 364][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Sending internal server error with message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
The certificate that's being presented is the correct one for the load balancer in front of the UAG (and not the same one that's used for VIDM).
My setup is planned to look like this:
DMZ Load balancer -> UAG appliances -> LAN Load balancer -> VIDM appliances
From reading various docs, I thought certificates were supposed to be deployed like this:
DMZ Load balancer: cert-ext.example.com
UAG Appliances: cert-ext.example.com
LAN Load balancer: cert-int.example.com
VIDM Appliances: cert-int.example.com
I.e. the certificate that the UAG presents to the user's web browser is not the same as the certificate presented by the VIDM or the VIDM load balancer on the internal LAN.
Reading the error messages, is it possible that I've misunderstood how certificates should be done here? Do you need the same certificate on all components through the "chain"?
Any help appreciated! Thanks!
Components:
VIDM 3.0 Build 6651498
NetScaler load balancer in both LAN and DMZ
UAG 3.1.1
vIDM only supports one namespace. So the FQDN for internal vs. external load balancers must be the same. So having different certificates is not applicable. You should use the same cert on both the internal LB and the external-facing one.
Thanks Peter, I really appreciate you answering.
Went through all the hurdles of replacing the certificates in all components so it's now all inside one namespace. Redeployed the UAG with the new certificate, but I'm still getting the same error message, albeit a different output in the logs.
Tried to reboot the appliance after deployment as well, same results.
esmanager.log:
INFO proxy.HttpsProxyRequestHandler[write: 121][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: created session: 4e787a4d-6dca-4ca2-b756-4789ca2a46b3 for the channel: [id: 0xa5beb1b7, L:/ip-redacted:6443 - R:/ip-redacted:8085] having expires at: Tue Dec 12 23:56:48 UTC 2017
INFO interceptor.WsPortalProxyRequestInterceptor[intercept: 67][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Session id: 4e787a4d-6dca-4ca2-b756-4789ca2a46b3 is of type: WEB_REVERSE_PROXY
ERROR ssl.HttpsProxySslEngineFactory[checkServerTrusted: 262][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Error occurred due to missing thumbprints: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
WARN proxy.HttpsProxyInterceptorHandler[exceptionCaught: 336][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Exception Caught: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
INFO wsportal.WsPortalEdgeServiceHelper[getResponseForException: 364][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Sending internal server error with message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
I jumped the gun here.
I also had to supply the Certificate Thumbprint inside the Reverse Proxy settings in the UAG Web GUI. It all works now.
Your solution was the correct one after all Peter, so I'm marking it up as correct. Thanks again! Lifesaver!
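The check the UAG is making in the esmanager.log lines above (comparing the SHA-1 thumbprint of the certificate the backend presents against the thumbprints configured in the Reverse Proxy settings) can be reproduced outside the appliance, which makes it easy to see in advance which of the two errors in this thread you will hit. The following is an added example and not code from VMware or the UAG; it assumes the UAG thumbprint field takes values of the form `sha1=<hex pairs>` (the separator it accepts is an assumption to verify against the UAG admin guide), and the sample PEM body is a constructed placeholder, not a real certificate, chosen because its SHA-1 is a well-known test vector.

```python
"""Diagnose UAG reverse-proxy backend certificate (thumbprint) errors.

Added example, not VMware/UAG code. Assumptions: the UAG "Proxy Destination
URL Thumbprints" value has the form "sha1=<hex pairs>" (separator syntax is an
assumption; check the UAG admin guide), and the esmanager.log message texts
are the ones quoted in the thread.
"""
import base64
import hashlib
import re
import ssl
from typing import Iterable, Optional

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    m = re.search(re.escape(PEM_BEGIN) + r"(.*?)" + re.escape(PEM_END), pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint over the DER encoding, rendered as 'sha1=aa:bb:...'."""
    digest = hashlib.sha1(der).hexdigest()
    return "sha1=" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Canonical form for comparison: drop 'sha1=', separators and case."""
    v = value.strip().lower()
    if v.startswith("sha1="):
        v = v[5:]
    v = re.sub(r"[\s:]", "", v)
    if not re.fullmatch(r"[0-9a-f]{40}", v):
        raise ValueError("not a SHA-1 thumbprint: %r" % value)
    return v


def thumbprint_matches(configured: Iterable[str], presented: str) -> bool:
    """True if the presented thumbprint equals any configured one; this is the
    comparison the UAG performs against the backend's server certificate."""
    p = normalize_thumbprint(presented)
    return any(normalize_thumbprint(c) == p for c in configured)


def fetch_backend_thumbprint(host: str, port: int = 443) -> str:
    """Fetch the certificate the backend (e.g. the LAN load balancer in front
    of vIDM) actually presents and return its thumbprint. Network call, not
    exercised offline; no chain validation is done, which is the point: you
    want the thumbprint even when the chain is not trusted."""
    pem = ssl.get_server_certificate((host, port))
    return sha1_thumbprint(pem_to_der(pem))


def classify_esmanager_line(line: str) -> Optional[str]:
    """Map a UAG esmanager.log line to a likely cause, or None if unrelated."""
    if "checkServerTrusted" not in line:
        return None
    if "mismatch in thumbprints" in line:
        return "thumbprint configured but does not match backend certificate"
    if "missing thumbprints" in line and "PKIX path building failed" in line:
        return "no thumbprint configured and backend chain not trusted by UAG"
    return None


# Constructed placeholder (NOT a real certificate): the thumbprint is SHA-1
# over the DER bytes whatever they contain, and base64 "YWJj" is b"abc",
# whose SHA-1 is the well-known test vector a9993e36...
SAMPLE_PEM = PEM_BEGIN + "\nYWJj\n" + PEM_END + "\n"

# Log lines quoted from the thread, trimmed to the relevant fields.
SAMPLE_LOG = [
    "ERROR ssl.HttpsProxySslEngineFactory[checkServerTrusted: 249]: Could not find "
    "a trusted certificate thumbprint that matches any of the server certificates "
    "due to mismatch in thumbprints",
    "WARN proxy.HttpsProxyInterceptorHandler[exceptionCaught: 336]: Exception "
    "Caught: javax.net.ssl.SSLHandshakeException: General SSLEngine problem",
    "ERROR ssl.HttpsProxySslEngineFactory[checkServerTrusted: 262]: Error occurred "
    "due to missing thumbprints: PKIX path building failed: "
    "sun.security.provider.certpath.SunCertPathBuilderException: unable to find "
    "valid certification path to requested target",
]


if __name__ == "__main__":
    tp = sha1_thumbprint(pem_to_der(SAMPLE_PEM))
    print("thumbprint to paste into the UAG reverse proxy settings:", tp)
    print("matches configured list:", thumbprint_matches([tp.upper()], tp))
    for line in SAMPLE_LOG:
        print(classify_esmanager_line(line), "<-", line[:60])
```

In practice you run `fetch_backend_thumbprint` against the Proxy Destination URL host (the LAN load balancer here) from a machine that can reach it, paste the result into the UAG reverse proxy thumbprint field, and redeploy; the first log signature in the thread means a thumbprint is set but stale (for example after the certificate swap), the second means none is set and the UAG fell back to Java trust-store validation of the chain.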