So, I've got a VMware Identity Manager set up and good to go and have been trying to establish a set of UAGs in our DMZ for access to the VIDM portal. However, when everything is deployed and set up (certificates, static routes and whatnot in the UAG) I'm being presented with an error when trying to access VIDM through a UAG:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
The entries in the esmanager.log file on the UAG look like this:
INFO proxy.HttpsProxyRequestHandler[write: 121][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: created session: 801d8339-b2df-4ba2-a391-4975fc8fa0fa for the channel: [id: 0xdc7ad3a1, L:/192.168.90.11:6443 - R:/192.168.90.15:49693] having expires at: Wed Dec 06 21:29:05 UTC 2017
INFO interceptor.WsPortalProxyRequestInterceptor[intercept: 67][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Session id: 801d8339-b2df-4ba2-a391-4975fc8fa0fa is of type: WEB_REVERSE_PROXY
ERROR ssl.HttpsProxySslEngineFactory[checkServerTrusted: 249][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Could not find a trusted certificate thumbprint that matches any of the server certificates due to mismatch in thumbprints
WARN proxy.HttpsProxyInterceptorHandler[exceptionCaught: 336][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Exception Caught: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
INFO wsportal.WsPortalEdgeServiceHelper[getResponseForException: 364][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Sending internal server error with message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
The certificate that's being presented is the correct one for the load balancer in front of the UAG (and not the same that's used for VIDM).
My setup is planned to look like this:
DMZ Load balancer -> UAG appliances -> LAN Load balancer -> VIDM appliances
From reading various docs, I thought certificates were supposed to be deployed like this:
DMZ Load balancer: cert-ext.example.com
UAG Appliances: cert-ext.example.com
LAN Load balancer: cert-int.example.com
VIDM Appliances: cert-int.example.com
I.e. the certificate that UAG presents to the user's web browser is not the same as the certificate presented by the VIDM nor the VIDM load balancer on the internal LAN.
Reading the error messages, is it possible that I've misunderstood how certificates should be done here? Do you need the same certificate on all components through the "chain"?
Any help appreciated! Thanks!
VIDM 3.0 Build 6651498
NetScaler load balancer in both LAN and DMZ
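The checkServerTrusted error above comes from the UAG comparing the thumbprint of the certificate the backend (here the LAN load balancer) actually presents against the thumbprints configured for the web reverse proxy. The following is an added diagnostic example, not code from the post or from VMware: it reproduces that comparison so you can see which certificate the backend hands out and whether its thumbprint matches what is configured. The accepted entry format (`sha1=AA:BB:...` or space separated, comma separated for several, SHA-1 assumed when no prefix) is an assumption, and the DER byte strings are constructed stand-ins for real certificates.

```python
import hashlib
import re
import ssl

# Constructed stand-ins for the DER encodings of two different certificates.
LAN_LB_DER = b"constructed-der-bytes-for-cert-int.example.com-on-lan-lb"
VIDM_DER = b"constructed-der-bytes-for-a-different-cert-on-vidm"


def parse_thumbprint(entry: str) -> tuple[str, str]:
    """Turn one configured entry into (hash_algorithm, lowercase_hex) ignoring separators/case."""
    entry = entry.strip()
    if "=" in entry:
        algo, value = entry.split("=", 1)
    else:
        algo, value = "sha1", entry  # assumption: no prefix means SHA-1
    return algo.strip().lower(), re.sub(r"[^0-9a-f]", "", value.lower())


def cert_thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Thumbprint is the hash of the certificate's DER encoding."""
    return hashlib.new(algo, der).hexdigest()


def format_for_uag(der: bytes, algo: str = "sha1") -> str:
    """Render a thumbprint the way it would be pasted into the UAG configuration (assumed format)."""
    hexdigest = cert_thumbprint(der, algo).upper()
    return f"{algo}=" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def find_trusted_match(der_chain: list[bytes], configured: str):
    """Return (chain_index, matching_entry) for the first presented cert whose thumbprint
    equals a configured one, or None (the situation behind 'mismatch in thumbprints')."""
    wanted = [parse_thumbprint(e) for e in configured.split(",") if e.strip()]
    for index, der in enumerate(der_chain):
        for algo, hexdigest in wanted:
            if cert_thumbprint(der, algo) == hexdigest:
                return index, f"{algo}={hexdigest}"
    return None


def fetch_presented_der(host: str, port: int = 443) -> list[bytes]:
    """Fetch the leaf certificate a backend really presents (no validation; diagnostic only)."""
    pem = ssl.get_server_certificate((host, port))
    return [ssl.PEM_cert_to_DER_cert(pem)]


if __name__ == "__main__":
    # UAG configured with the VIDM cert's thumbprint, but the LAN load balancer presents its own cert.
    configured = format_for_uag(VIDM_DER)
    print("match:", find_trusted_match([LAN_LB_DER], configured))   # None -> handshake fails
    print("needed entry:", format_for_uag(LAN_LB_DER))               # what should be configured
```

To run it against the real setup, replace the constructed bytes with `fetch_presented_der("lan-lb.example.com")` from the UAG's network position and compare the printed entry with the thumbprint configured on the reverse proxy.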