Tech Tip : CA Single Sign-On : Secure Proxy Server back-end Server(servername) Certificate presented is bad

Document created by Osarobo_Idehen Employee on Sep 8, 2017
Version 1

Issue:


We are trying to reverse proxy from SPS to JBoss (WildFly 8.2) on its HTTPS port. Both Apache on SPS and JBoss are listening on HTTPS ports, but when the reverse proxy rule is configured to forward requests to JBoss on the HTTPS port, it fails with a Noodle error:

The back-end Server(servername) Certificate presented is bad

 

spsagenttrace.log :

[08/04/2017][12:44:17][5004][884][33b5b34e-f64f45eb-91beae44-a318f9e8-2f66bc4d-49][execute][Tried to send the request to backend web server three times.Throwing the exception to client. ]

[08/04/2017][12:44:17][5004][884][33b5b34e-f64f45eb-91beae44-a318f9e8-2f66bc4d-49][Noodle::doGet][com.rsa.ssl.SSLException: Certificate for <abc.xyz.com/192.168.1.2> is not trusted or bad certificate at com.netegrity.util.security.rsa.AbstractHostVerifier.verify(Unknown Source)]

 

When the proxy rule is configured to forward requests to JBoss on the HTTP port, it works.

 

How can we resolve this issue?



Environment:

 

CA Access Gateway (SPS) 12.6 SP1



Cause:


The back-end Server Certificate was not in the ca-bundle.cert of the SPS.



Resolution:


Adding the self-signed certificate of the back-end server to the ca-bundle.cert file resolved the issue. Refer to the following link for the steps to add it to the SPS ca-bundle.cert file:

 

Configuring SSL on HttpClient Noodle Manually

Download and Install the Certificates from the Certificate Authority

https://docops.ca.com/ca-single-sign-on/12-6-01/en/configuring/ca-access-gateway-configuration/configuring-ssl-for-ca-access-gateway/configuring-ssl-on-httpclient-noodle-manually
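
The cause and the fix can be reproduced offline with OpenSSL. The following shell script is an added example, not taken from CA's documentation or tooling: it builds a constructed bundle that lacks a constructed self-signed back-end certificate, shows the trust check failing, and appends the certificate only after its SHA-256 fingerprint matches a value obtained out of band. All function names, host names and file names are assumptions.

```shell
#!/bin/sh
# Added example: names below are constructed. Pass the real ca-bundle.cert
# path from your own SPS installation as the bundle argument.

# SHA-256 fingerprint of PEM certificate $1 (colon-separated hex).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if certificate $1 chains to a trust anchor in bundle $2.
cert_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Append certificate $1 to bundle $2 only if its fingerprint equals $3, the
# value obtained out of band from the back-end administrator.
# Returns 2: not a certificate, 3: fingerprint mismatch, 0: present in bundle.
add_to_bundle() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 2
    [ "$(cert_fp "$1")" = "$3" ] || return 3
    if cert_trusted "$1" "$2"; then return 0; fi
    cp -p "$2" "$2.bak" || return 1          # keep a backup before editing
    { echo; openssl x509 -in "$1"; } >> "$2"
}

# Constructed test material: throwaway self-signed certificate, CN $1, at $2.pem.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_selfsigned "Constructed Public CA" "$d/ca"
    make_selfsigned "backend.example.test" "$d/backend"
    cp "$d/ca.pem" "$d/ca-bundle.cert"        # stand-in for the SPS bundle
    if cert_trusted "$d/backend.pem" "$d/ca-bundle.cert"
    then before=trusted; else before=untrusted; fi
    # In real use the third argument comes from the back-end owner, not the file.
    add_to_bundle "$d/backend.pem" "$d/ca-bundle.cert" "$(cert_fp "$d/backend.pem")"
    if cert_trusted "$d/backend.pem" "$d/ca-bundle.cert"
    then after=trusted; else after=untrusted; fi
    rm -rf "$d"
    echo "before=$before after=$after"
}
demo
```

Here `openssl verify` stands in for the trust check that SPS performs; the supported procedure for the real bundle is the CA documentation linked above.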

 

 

 

KD : TEC1487816
