Symantec Access Management


Error after updating Cert in one DSA

  • 1.  Error after updating Cert in one DSA

    Posted Aug 16, 2017 12:23 PM

    Opening this thread on behalf of SatyendraSingh1

     

    Error Snippet.

    ssld_ssl_request failed
    [WARN : TLS/SSL handshake failed for call from 'ipaddres'
    WARN : MW-DISP not in sync for 'dsaname'

     

    SatyendraSingh1 could I request you to action the following....

    [1] Paste all the logs lines from console output.

    [2] Paste the lines from ALARM logs.

    [3] Paste the lines from TRACE logs.

     

    As per SatyendraSingh1 there were multiple DSAs in replication. One of the DSAs' certs expired and hence it was renewed. Post renewal there was a Certificate Chain error logged. That was possibly fixed by adding the RootCA (a different RootCA signed the new certificate & the new RootCA was not imported). Now we are getting the error as per the snippet above.



  • 2.  Re: Error after updating Cert in one DSA

    Posted Aug 16, 2017 12:35 PM

    For Console Logging do the following.

     

    Open a command prompt on the DSA where you are getting the error message.

    In the command prompt type "telnet localhost <consolePortNumber>".
    NOTE : The port number is defined in the knowledge file e.g. “set dsa = { … console-port = xxxxx … };”

    Once connected, type "set trace = all;" and hit enter.

    Now perform the transaction and you should see a detailed error in console window.



  • 3.  Re: Error after updating Cert in one DSA

    Posted Aug 16, 2017 12:49 PM

    First of all, Thank you Hubert for creating this thread.

    Could you please let me know which command output you are seeking here?

     

    Snippet from alarm log:

    [8] 20170816.123348.168 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'usrstore-node-10'
    [7] 20170816.123348.168 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'usrstore-node-08'
    [6] 20170816.123348.168 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'usrstore-node-09'
    [2] 20170816.123348.284 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'usrstore-node-02'
    [3] 20170816.123348.288 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'usrstore-node-05'
    [1] 20170816.123348.293 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'usrstore-node-01'
    [6] 20170816.123348.294 DSA_E2735 Multiwrite-DISP: Unable to synchronize with peer 'usrstore-node-06'

     

    Snippet from warn log:

    [5] 20170816.124300.185 WARN : Verify error 26: unsupported certificate purpose
    [5] 20170816.124300.185 WARN : SSL Error
    [5] 20170816.124300.185 WARN : 7f99e408ca78-   16030314 980b0014 94001491 0005c230    ...............0
    [5] 20170816.124300.185 WARN : 7f99e408ca88-   8205be30 8204a6a0 03020102 02131a00    ...0............
    [5] 20170816.124300.185 WARN : 7f99e408ca98-   0000fd40 4adbd35b f6992800 00000000    ...@J..[..(.....
    [5] 20170816.124300.185 WARN : 7f99e408caa8-   fd300d06 092a8648 86f70d01 010b0500    .0...*.H........
    [5] 20170816.124300.185 WARN : 7f99e408cab8-   30713113 3011060a 09922689 93f22c64    0q1.0.....&...,d
    [5] 20170816.124300.185 WARN : 5:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed:s3_srvr.c:3283:
    [5] 20170816.124300.185 WARN : ssld_ssl_request failed
    [5] 20170816.124300.185 WARN : TLS/SSL handshake failed for call from 10.69.104.179:36186
    [0] 20170816.124358.247 WARN : MW-DISP not in sync for 'usrstore-node-08'
    [0] 20170816.124358.247 WARN : Attempting to send update to peer 'usrstore-node-08'
    [0] 20170816.124358.254 WARN : MW-DISP not in sync for 'usrstore-node-09'
    [0] 20170816.124358.254 WARN : Attempting to send update to peer 'usrstore-node-09'
    [0] 20170816.124358.254 WARN : MW-DISP not in sync for 'usrstore-node-10'
    [0] 20170816.124358.254 WARN : Attempting to send update to peer 'usrstore-node-10'
    [0] 20170816.124358.254 WARN : MW-DISP not in sync for 'usrstore-node-01'
    [0] 20170816.124358.254 WARN : Attempting to send update to peer 'usrstore-node-01'
    [0] 20170816.124358.255 WARN : MW-DISP not in sync for 'usrstore-node-02'
    [0] 20170816.124358.255 WARN : Attempting to send update to peer 'usrstore-node-02'
    [0] 20170816.124358.255 WARN : MW-DISP not in sync for 'usrstore-node-05'
    [0] 20170816.124358.255 WARN : Attempting to send update to peer 'usrstore-node-05'
    [0] 20170816.124358.255 WARN : MW-DISP not in sync for 'usrstore-node-06'
    [0] 20170816.124358.255 WARN : Attempting to send update to peer 'usrstore-node-06'

     

    Let me know, if you need



  • 4.  Re: Error after updating Cert in one DSA

    Posted Aug 16, 2017 01:12 PM

    We need to resolve the Certificate Error Issue. Once that is resolved MW-DISP will go away (it is just the SSL handshake error which is preventing any further action).

     

    Circling back to Certificate issue. For the Error message "Verify error 26: unsupported certificate purpose", found a relevant blog which helps!

    https://communities.ca.com/thread/241748908 

     

    If you have openssl, you can verify the usage of the Public Certificate using the below command.

    openssl x509 -in server.crt -text -noout

     

     

    What you'd want to see is specifically if the new Certificate that was obtained supports the following.

     



  • 5.  Re: Error after updating Cert in one DSA

    Posted Aug 16, 2017 02:13 PM

    Hello Hubert,

    I tried this command : openssl x509 -in usrstore-node-07.pem -text -noout

    which gave me below output, I am wondering if this is sufficient?

     

     X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                1.3.6.1.4.1.311.21.7:
                    0+.#+.....7........0...)...g..cf..`...:..d...
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                1.3.6.1.4.1.311.21.10:
                    0.0

     

    I also tried openssl x509 -in usrstore-node-07.pem -text -noout -purpose, which gives me some additional output:

     

    Certificate purposes:
    SSL client : No
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : No
    S/MIME signing CA : No
    S/MIME encryption : No
    S/MIME encryption CA : No
    CRL signing : No
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No
    Time Stamp signing : No
    Time Stamp signing CA : No

     

    Is this what we are looking for?



  • 6.  Re: Error after updating Cert in one DSA

    Posted Aug 16, 2017 02:20 PM

    Yes that is it.

     

    Certificate purposes:
    SSL client : No
    SSL client CA : No
    SSL server : Yes

     

    As per the SSL handshake requirement between two DSAs we need SSL Client to be set to YES.

     

    We can verify or prove that SSL Client needs to be YES by running the openssl command against a working DSA instance which currently has a non-expiring certificate, OR even if we ran the openssl command on the expired certificate - that'd help.



  • 7.  Re: Error after updating Cert in one DSA

    Posted Aug 16, 2017 02:26 PM

    I ran the command on a node which has working certificate and it gave me different output:

    Certificate purposes:
    SSL client : Yes
    SSL client CA : No
    SSL server : Yes
    SSL server CA : No
    Netscape SSL server : Yes
    Netscape SSL server CA : No
    S/MIME signing : Yes
    S/MIME signing CA : No
    S/MIME encryption : Yes
    S/MIME encryption CA : No
    CRL signing : Yes
    CRL signing CA : No
    Any Purpose : Yes
    Any Purpose CA : Yes
    OCSP helper : Yes
    OCSP helper CA : No
    Time Stamp signing : No
    Time Stamp signing CA : No

    Here we can clearly see that SSL Client is set to Yes.

    Now what can be done further? How can we get it changed? Do we need to get new certs, or is there any way?



  • 8.  Re: Error after updating Cert in one DSA

    Posted Aug 16, 2017 02:35 PM

    When you procure the certs they need to have SSL Client and SSL Server set to YES. You can always reach out to the Certification Authority and request an updated certificate. It may need a new CSR to be generated. I am not sure if you can resubmit an old CSR (a few days old, which resulted in the current cert with SSL Client = NO).
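The purpose check worked through in posts 5 to 8, as an added example that is not part of the thread and not CA Directory's own tooling: a POSIX shell script that builds two throw-away self-signed certificates, one whose Extended Key Usage carries only serverAuth (the shape of the failing usrstore-node-07 cert) and one with serverAuth plus clientAuth, then runs `openssl x509 -purpose` on each and reports whether the cert can sit on both sides of a DSA-to-DSA handshake. It assumes the openssl command-line tool is installed; the CN values, file names and the `check_dsa_cert` / `make_test_cert` helper names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "SSL client : No"
# versus "SSL client : Yes" difference and turn it into a pass/fail check
# you can run on a renewed DSA certificate before installing it.
# Assumes the openssl CLI. All names below are made up.

# make_test_cert <out.pem> <cn> <eku-list>
# Writes a self-signed certificate to <out.pem> (private key to <out.pem>.key)
# whose extendedKeyUsage is <eku-list>, e.g. "serverAuth" or "serverAuth, clientAuth".
make_test_cert() {
  out=$1; cn=$2; eku=$3
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $cn
[ v3 ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$out.key" -out "$out" -config "$cfg" -extensions v3 2>/dev/null
  rc=$?
  rm -f "$cfg"
  return $rc
}

# dsa_cert_purposes <cert.pem>
# Prints only the two "Certificate purposes" lines that matter for a
# replication link: the DSA is a TLS server for inbound peers and a TLS
# client when it pushes updates to them.
dsa_cert_purposes() {
  openssl x509 -in "$1" -noout -purpose | grep -E '^SSL (client|server) : '
}

# check_dsa_cert <cert.pem>
# Returns 0 when the certificate is usable on both sides of the handshake
# (SSL client : Yes AND SSL server : Yes), 1 when it is not, 2 on a parse error.
check_dsa_cert() {
  p=$(openssl x509 -in "$1" -noout -purpose) || return 2
  client=$(printf '%s\n' "$p" | sed -n 's/^SSL client : //p')
  server=$(printf '%s\n' "$p" | sed -n 's/^SSL server : //p')
  if [ "$client" = Yes ] && [ "$server" = Yes ]; then
    echo "$1: OK for DSA-to-DSA TLS (SSL client : $client, SSL server : $server)"
    return 0
  fi
  echo "$1: NOT usable for DSA-to-DSA TLS (SSL client : $client, SSL server : $server)"
  return 1
}

# Demo: the server-only cert fails the check, the server+client cert passes.
dir=$(mktemp -d)
make_test_cert "$dir/server-only.pem" usrstore-node-07 "serverAuth"
make_test_cert "$dir/both.pem"        usrstore-node-01 "serverAuth, clientAuth"
for c in "$dir/server-only.pem" "$dir/both.pem"; do
  echo "== $c"
  openssl x509 -in "$c" -noout -text | grep -A1 'Extended Key Usage'
  dsa_cert_purposes "$c"
  check_dsa_cert "$c" || true
done
```

Run it on the renewed certificate instead of the generated ones (`check_dsa_cert usrstore-node-07.pem`) and use the exit status in a renewal job so a server-only cert is never installed on a DSA. OpenSSL reports "SSL client : Yes" both when the EKU lists clientAuth and when the certificate has no EKU extension at all, which is likely why the working node in post 7 also shows S/MIME and CRL signing as Yes. The EKU set is decided by the CA's issuing template, not by anything in the CSR, so the request to the CA has to ask for a profile that includes client authentication.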



  • 9.  Re: Error after updating Cert in one DSA

    Posted Aug 16, 2017 03:31 PM

    Thanks a lot Hubert! do we have this anywhere in document?

    I have requested my Certificate Authority to reissue certs with updated attributes. I will keep you posted over here about how it goes.

    Thanks again for your help  Much appreciated



  • 10.  Re: Error after updating Cert in one DSA

    Posted Aug 16, 2017 03:51 PM

    I haven't seen in the documentation explicitly the words "SSL CLIENT needs to be YES". But the documentation does speak about "Mutual Authentication" a.k.a two way SSL. 

     

    DSA Certificates - CA Directory - 12.6 - CA Technologies Documentation : Refer to the Section "Sharing Certificates Between DSAs".



  • 11.  Re: Error after updating Cert in one DSA

    Posted Aug 16, 2017 07:09 PM

    I am in the process of reworking the certificate management section of the CA Directory documentation.

    The plan is to incorporate all these discussions regarding certificate generation/re-generation, client/DSA configuration & troubleshooting.



  • 12.  Re: Error after updating Cert in one DSA

    Posted Mar 01, 2018 04:02 AM

    Just to update, though it's a delayed reply.

    Our issue got resolved in the end, as we had to get the certificates from the same root CA.