Symantec Access Management


CA Directory management-ui installation does not accept certificates

  • 1.  CA Directory management-ui installation does not accept certificates

    Broadcom Employee
    Posted Jul 03, 2018 11:27 PM

    I am seeing an issue with the management-ui installation. I want to use my own certificates to secure Management UI web server communications. For that I have created a private key, a certificate and a root certificate. I have made sure that the certificate is issued by the Certificate Authority, and I have the Certificate Authority certificate as well. But when I supply all the information, it does not proceed and shows this error.

    <----------------------- BEGIN SNIPPET FROM INSTALLATION ----------------------->

    ========================== DSA MONITORING QUESTIONS ===========================

    Enter the port for the Monitoring Data DSA [11389]

    ============================ SCIM SERVER QUESTIONS ============================

    Enter the port for the SCIM Server [3100]

    Enter path to the CA certificate pem file [] /opt/data/certs/root-ca.pem

    Enter path to the client certificate pem file [] /opt/data/certs/scim-rhel01.pem

    /opt/data/certs/scim-rhel01.pem is not issued by CA with '/opt/data/certs/root-ca.pem' CA certificate

    Enter path to the client certificate pem file []

    <----------------------- END SNIPPET FROM INSTALLATION ----------------------->

    Now, I have verified that the scim-rhel01.pem I am using is issued by root-ca.pem. I am not sure why it is throwing this error and how to get past it. I am attaching root-ca.pem and scim-rhel01.pem for your reference.

    Attachment(s): root-ca.pem.zip (3 KB), scim-rhel01.pem.zip (3 KB)


  • 2.  Re: CA Directory management-ui installation does not accept certificates

    Broadcom Employee
    Posted Jul 08, 2018 03:36 PM

    I see there is a support case opened for this as well. Let's see which one of these two channels gets a faster resolution.



  • 3.  Re: CA Directory management-ui installation does not accept certificates

    Broadcom Employee
    Posted Jul 09, 2018 12:26 AM

    I did open a support case. Not sure if that is the same.



  • 4.  Re: CA Directory management-ui installation does not accept certificates

    Posted Jul 08, 2018 06:07 PM

    shaku08

    If we deselect the options for not providing custom certificates, then the installer generates self-signed certificates internally and handles this.

    Since we used custom certificates for the UI, the assumption is that we would use custom certificates also for the SCIM Server. There is currently no option to bypass this. You'll need to provide a CLIENT certificate to proceed.

    I see that in "scim-rhel01.pem" we only have the CERTIFICATE. The private key is missing. I think you'll need to provide a PEM file which has both the CERT and the PRIV Key within it. Typically I add both BEGIN CERTIFICATE, END CERTIFICATE plus BEGIN PRIVATE KEY, END PRIVATE KEY into one file.

    I did ask the same question, whether we can use the same Certificates / RootCA for UI and SCIM. It seems using the same certificate for UI plus SCIM is supported, OR we could have different certificates.

    Even if we get past this screen by providing a valid client certificate, there is another defect. But there is a workaround as well.

    R14.0

    Observation: Node.js server is crashing and the service is restarting continuously. Upon debugging we understood that the key and cert fields under module.exports.sslConfig in the config-scim.js and config.js files are pointing to webserverpriv.key, which is incorrect.

    const path = require('path');  // needed for path.join below

    module.exports.sslConfig = {
      key: path.join(__dirname, 'api-server', 'certs', 'webserverpriv.key'),
      // the defect: cert also points at the private key file instead of the certificate
      cert: path.join(__dirname, 'api-server', 'certs', 'webserverpriv.key'),
      secureProtocol: 'TLSv1_2_method',
    };

    Here is the workaround solution. -> We changed module.exports.sslConfig and pointed it to the correct key and cert paths. Upon restarting, the node.js service and the SCIM server service started successfully.

    I've added my comments as well in the documentation comment section to elaborate more on these configurations. Currently this is not detailed out.
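The installer's "is not issued by CA" check from the first post, and the combined cert-plus-key PEM suggested in this reply, reproduced as an added shell example (not from the thread or the CA Directory installer). It assumes only the openssl CLI and generates its own throwaway certificates with made-up names.

```shell
#!/bin/sh
# Added example (not from the thread or the CA Directory installer): the two checks
# worth running before answering the SCIM SERVER QUESTIONS: (1) is the client cert
# issued by the CA in the CA pem file (the check behind the "is not issued by CA"
# message) and (2) does the client private key belong to that certificate.
set -eu

# check_issued_by CA.pem CERT.pem: exit 0 when CERT chains to CA, non-zero otherwise.
check_issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_key_matches CERT.pem KEY.pem: exit 0 when the public key in CERT equals the
# public half of KEY, i.e. this really is the certificate's private key.
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# build_combined_pem CERT.pem KEY.pem OUT.pem: both blocks in one file; prints block count.
build_combined_pem() {
    cat "$1" "$2" > "$3"
    grep -c '^-----BEGIN ' "$3"
}

# make_test_pki DIR: constructed throwaway PKI for the demo (all names made up):
# root-ca.pem signs scim-client.pem; other-ca.pem is an unrelated CA.
make_test_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root-ca.key" \
        -out "$dir/root-ca.pem" -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/scim-client.key" \
        -out "$dir/scim-client.csr" -subj "/CN=scim-rhel01" >/dev/null 2>&1
    openssl x509 -req -in "$dir/scim-client.csr" -CA "$dir/root-ca.pem" \
        -CAkey "$dir/root-ca.key" -CAcreateserial -out "$dir/scim-client.pem" \
        -days 2 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other-ca.key" \
        -out "$dir/other-ca.pem" -subj "/CN=Other CA" -days 2 >/dev/null 2>&1
}

# Stand-alone run ("sh script.sh demo"): build the PKI and report the checks.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_pki "$work"
    check_issued_by "$work/root-ca.pem" "$work/scim-client.pem" && echo "issued by root-ca: yes"
    check_issued_by "$work/other-ca.pem" "$work/scim-client.pem" || echo "issued by other-ca: no"
    check_key_matches "$work/scim-client.pem" "$work/scim-client.key" && echo "key matches cert: yes"
fi
```

Running the same two functions against the real root-ca.pem, scim-rhel01.pem and its key tells you, before the wizard does, whether the chain and the key pairing are what the installer expects.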



  • 5.  Re: CA Directory management-ui installation does not accept certificates

    Broadcom Employee
    Posted Jul 09, 2018 12:29 AM

    When we provide custom certificates for the UI, it asks for the certificate and key files separately. I am guessing that is the case with SCIM also.

    The error message categorically says that the certificate is not issued by the Certificate Authority. It does not say anything about the key. In the installation documents it says:

    <----------------------- BEGIN SNIPPET FROM INSTALLATION ----------------------->

    Do you want to use your own certificates to secure Management UI web server communications?
    (Default: No) When you click "No", default certificates are created by the system. These certificates can be found in the following path: /opt/CA/Directory/management-ui/out
    If you click "Yes", provide the WebServer Certificate and WebServer Private Key File path.

    <----------------------- END SNIPPET FROM INSTALLATION ----------------------->

    Here, there is no mention of a Certificate Authority.



  • 6.  Re: CA Directory management-ui installation does not accept certificates

    Posted Jul 09, 2018 01:43 AM

    OK, this seems to be a defect in the Linux console install.

    I just had the same issue last week on Linux. But I received inputs via a Windows installation from Engg. I see in the screenshot for the UI it asks for the Webserver Certificate plus private key, and for SCIM it asks for the Root CA plus Client cert plus Client private key.

    But it looks like the Linux console mode configuration wizard does not go beyond the Client Cert and keeps spewing that error about the Root CA.

    The workaround is for an issue after the configuration wizard completes. But in the case of Linux we are stuck in a loop within the configuration wizard.

    At last I switched from the UI to the file-based approach, since there are multiple issues when using custom certs with the UI installer, and thus completely bypassed the UI install and configuration.



  • 7.  Re: CA Directory management-ui installation does not accept certificates

    Broadcom Employee
    Posted Jul 09, 2018 01:49 AM

    Hi Hubert,

    Are you saying we don't have this issue in the graphical installation wizard? I believe Linux does not have a graphical installation wizard for Directory Management UI. Does it?



  • 8.  Re: CA Directory management-ui installation does not accept certificates

    Posted Jul 09, 2018 08:29 AM

    Yes. That is correct and my understanding from all this.

    Will wait for an update on the case you raised.



  • 9.  Re: CA Directory management-ui installation does not accept certificates

    Posted Jul 13, 2018 11:54 PM

    shaku08

    A final update: I received a fix from Engineering for this issue, a new "dxmgmtuisetup.sh" script file. This updated script is to be placed in the install folder of Management UI after extracting the original installer .tar.gz file. If you have not received it on your case, send me the case number and I could have it actioned.



  • 10.  Re: CA Directory management-ui installation does not accept certificates

    Broadcom Employee
    Posted Jul 20, 2018 12:19 AM

    Thanks Hubert, I received it from CA Support.



  • 11.  Re: CA Directory management-ui installation does not accept certificates

    Broadcom Employee
    Posted Jul 09, 2018 01:44 AM

    Hi,

    I tried your way and added the Certificate Authority certificate at the end of the client certificate. The result is the same; it is not recognized as a certificate issued by the same CA.