3 Replies Latest reply on Dec 12, 2017 6:17 AM by jse8619

    UAG and VIDM w/load balancing, not having any luck

    jse8619 Novice

      Hi all

      So, I've got a VMware Identity Manager set up and good to go, and I have been trying to establish a set of UAGs in our DMZ for access to the VIDM portal. However, when everything is deployed and set up (certificates, static routes and whatnot in the UAG), I'm presented with an error when trying to access VIDM through a UAG:

      javax.net.ssl.SSLHandshakeException: General SSLEngine problem

      The entries in the esmanager.log file on the UAG look like this:

      INFO  proxy.HttpsProxyRequestHandler[write: 121][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: created session: 801d8339-b2df-4ba2-a391-4975fc8fa0fa for the channel: [id: 0xdc7ad3a1, L:/192.168.90.11:6443 - R:/192.168.90.15:49693] having expires at: Wed Dec 06 21:29:05 UTC 2017

      INFO  interceptor.WsPortalProxyRequestInterceptor[intercept: 67][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Session id: 801d8339-b2df-4ba2-a391-4975fc8fa0fa is of type: WEB_REVERSE_PROXY

      ERROR ssl.HttpsProxySslEngineFactory[checkServerTrusted: 249][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Could not find a trusted certificate thumbprint that matches any of the server certificates due to mismatch in thumbprints

      WARN  proxy.HttpsProxyInterceptorHandler[exceptionCaught: 336][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Exception Caught: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

      INFO  wsportal.WsPortalEdgeServiceHelper[getResponseForException: 364][801d8339-b2df-4ba2-a391-4975fc8fa0fa]: Sending internal server error with message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

      The certificate that's being presented is the correct one for the load balancer in front of the UAG (and not the same one that's used for VIDM).

      My setup is planned to look like this:

      DMZ Load balancer -> UAG appliances -> LAN Load balancer -> VIDM appliances

      From reading various docs, I thought certificates were supposed to be deployed like this:

      DMZ Load balancer: cert-ext.example.com

      UAG Appliances: cert-ext.example.com

      LAN Load balancer: cert-int.example.com

      VIDM Appliances: cert-int.example.com

      I.e. the certificate that the UAG presents to the user's web browser is not the same as the certificate presented by the VIDM or by the VIDM load balancer on the internal LAN.

      Reading the error messages, is it possible that I've misunderstood how certificates should be done here? Do you need the same certificate on all components through the "chain"?

      Any help appreciated! Thanks!

      Components:

      VIDM 3.0 Build 6651498

      NetScaler load balancer in both LAN and DMZ

      UAG 3.1.1

        • 1. Re: UAG and VIDM w/load balancing, not having any luck
          pbjork Master
          vExpert, VMware Employees

          vIDM only supports one namespace. So the FQDN for internal vs. external load balancers must be the same. So having different certificates is not applicable. You should use the same cert on both the internal LB and the external-facing one.

          • 2. Re: UAG and VIDM w/load balancing, not having any luck
            jse8619 Novice

            Thanks Peter, I really appreciate you answering.

            Went through all the hurdles of replacing the certificates in all components so it's now all inside one namespace. Redeployed the UAG with the new certificate, but I'm still getting the same error message, albeit a different output in the logs.

            Tried to reboot the appliance after deployment as well, same results.

            esmanager.log:

            INFO  proxy.HttpsProxyRequestHandler[write: 121][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: created session: 4e787a4d-6dca-4ca2-b756-4789ca2a46b3 for the channel: [id: 0xa5beb1b7, L:/ip-redacted:6443 - R:/ip-redacted:8085] having expires at: Tue Dec 12 23:56:48 UTC 2017

            INFO  interceptor.WsPortalProxyRequestInterceptor[intercept: 67][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Session id: 4e787a4d-6dca-4ca2-b756-4789ca2a46b3 is of type: WEB_REVERSE_PROXY

            ERROR ssl.HttpsProxySslEngineFactory[checkServerTrusted: 262][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Error occurred due to missing thumbprints: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

            WARN  proxy.HttpsProxyInterceptorHandler[exceptionCaught: 336][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Exception Caught: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

            INFO  wsportal.WsPortalEdgeServiceHelper[getResponseForException: 364][4e787a4d-6dca-4ca2-b756-4789ca2a46b3]: Sending internal server error with message: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

            • 3. Re: UAG and VIDM w/load balancing, not having any luck
              jse8619 Novice

              I jumped the gun here.

              I also had to supply the Certificate Thumbprint inside the Reverse Proxy settings in the UAG Web GUI. It all works now.

              Your solution was the correct one after all Peter, so I'm marking it up as correct. Thanks again! Lifesaver!

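The two esmanager.log excerpts in this thread show the two ways the UAG web reverse proxy decides whether to trust the backend it connects to: with a thumbprint configured it compares the SHA-1 fingerprint of the certificate the LAN load balancer presents against the configured value ("mismatch in thumbprints"), and with no thumbprint configured it falls back to building a PKIX chain to a trusted CA ("unable to find valid certification path"). The following POSIX shell script is an added example, not code from the thread or from VMware's UAG, that reproduces both checks offline with plain openssl against two throwaway self-signed certificates generated on the fly; the host names, function names and the generated certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware's UAG: reproduce the two
# backend-trust checks behind the esmanager.log errors with plain openssl.
# Host names, function names and the generated certificates are all
# constructed for the demonstration.
set -e

# Reduce a thumbprint as typed into the UAG "Proxy Destination URL Thumbprints"
# field ("sha1=AB:CD:..." or "sha1=ab cd ...") to bare upper-case hex, so that
# two notations of the same fingerprint compare equal.
normalize_thumbprint() {
    printf '%s' "$1" | sed -e 's/^[Ss][Hh][Aa]1=//' -e 's/[: ]//g' | tr 'a-f' 'A-F'
}

# SHA-1 thumbprint of a PEM certificate file, printed as "sha1=AA:BB:...".
# For a live backend you would first capture the certificate it actually
# serves (the LAN load balancer's, in the setup from the thread) with
#   openssl s_client -connect <lan-lb>:443 -servername <fqdn> </dev/null \
#     | openssl x509 -outform PEM > backend.pem
cert_thumbprint() {
    printf 'sha1=%s\n' "$(openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2)"
}

# Pinning check: does the configured thumbprint match the certificate the
# backend presents?  Exit status 0 = trusted; 1 = the "mismatch in
# thumbprints" condition from the first log excerpt.
thumbprint_matches() {
    configured=$(normalize_thumbprint "$1")
    actual=$(normalize_thumbprint "$(cert_thumbprint "$2")")
    [ "$configured" = "$actual" ]
}

# Fallback check: with no thumbprint configured, the proxy must build a
# PKIX chain from the backend certificate to a trusted CA.  Exit status 1
# is the "unable to find valid certification path" condition from the
# second log excerpt (backend issuer absent from the trust store).
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed material: two throwaway self-signed certificates standing in
# for the internal (cert-int.example.com) and edge (cert-ext.example.com)
# certificates from the original post.
WORK=$(mktemp -d)
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}
make_selfsigned cert-int.example.com
make_selfsigned cert-ext.example.com
INT_CERT="$WORK/cert-int.example.com.pem"
EXT_CERT="$WORK/cert-ext.example.com.pem"

# Demonstration when run directly: pin the backend's own certificate, then
# pin the edge certificate against it (the situation in the first post),
# then try the chain fallback with an untrusted issuer (the second post).
INT_TP=$(cert_thumbprint "$INT_CERT")
echo "backend thumbprint: $INT_TP"
if thumbprint_matches "$INT_TP" "$INT_CERT"; then
    echo "pinned thumbprint matches backend: proxy would trust the backend"
fi
if ! thumbprint_matches "$(cert_thumbprint "$EXT_CERT")" "$INT_CERT"; then
    echo "edge thumbprint pinned against backend cert: mismatch in thumbprints"
fi
if ! chain_verifies "$EXT_CERT" "$INT_CERT"; then
    echo "no thumbprint and untrusted issuer: PKIX path building would fail"
fi
```

The value that cert_thumbprint prints for the certificate the LAN load balancer really serves is what belongs in the thumbprint field of the UAG reverse proxy settings, which is the step the original poster found missing in reply 3. Normalising before comparing matters because the admin UI accepts the fingerprint with colons, spaces or neither, while the log only reports that no thumbprint matched.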