Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Manager 4.2
NetIQ Access Manager 4.3
3rd party certificates used by IDP/ESP/LAG
Situation
Access Manager Identity (IDP) Server set up as a SAML 2 Identity Provider. A
trust relationship needs to be set up with a 3rd party SAML2 Service Provider
(SP). The 3rd party SAML2 SP's metadata was imported into the Admin Console
successfully and the changes were applied. After users successfully
authenticated to the IDP server and tried to access the SP, an error about an "invalid trusted provider" was displayed:
Error:The request to provide authentication to a service provider has failed. (300101050-039ADD61106FBB8A)
Resolution
Add the signing certificate used by the OCSP server to the NIDP-OCSP trust
store, or use the following configuration change on the IDP server to work
around / disable OCSP-CRL checking.
On Linux 3.1 IDP:
modify /var/opt/novell/tomcat5/conf/tomcat5.conf file and add
JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
Restart Tomcat
On Linux 3.2/4.0 IDP:
modify /opt/novell/nam/idp/conf/tomcat7.conf and add
JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
Restart Tomcat
On Linux 4.1/4.2/4.3 IDP:
modify /opt/novell/nam/idp/conf/tomcat.conf and add
JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
Restart Tomcat
On Windows:
Run C:\Program Files (x86)\Novell\Tomcat\bin\tomcat5w.exe
Add -Dcom.novell.nidp.serverOCSPCRL=false under the Java options on the
Java tab
Apply and restart Tomcat
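For the Linux variants of the workaround, where the change is one line appended to a Tomcat conf file, the following Python helper is an added example (not NetIQ's tooling and not part of this article) that makes the edit idempotent and, more usefully from an audit standpoint, reports whether a given IDP already runs with OCSP/CRL checking disabled. The system property and file paths are the ones listed above; the version-to-path map and the function names are this example's own.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# System property and JAVA_OPTS line exactly as given in the article.
OCSP_CRL_PROPERTY = "com.novell.nidp.serverOCSPCRL"
JAVA_OPTS_LINE = 'JAVA_OPTS="${JAVA_OPTS} -D' + OCSP_CRL_PROPERTY + '=false"'

# Conf file per Access Manager version, as listed in the article (map is this example's own).
CONF_PATHS = {
    "3.1": "/var/opt/novell/tomcat5/conf/tomcat5.conf",
    "3.2": "/opt/novell/nam/idp/conf/tomcat7.conf",
    "4.0": "/opt/novell/nam/idp/conf/tomcat7.conf",
    "4.1": "/opt/novell/nam/idp/conf/tomcat.conf",
    "4.2": "/opt/novell/nam/idp/conf/tomcat.conf",
    "4.3": "/opt/novell/nam/idp/conf/tomcat.conf",
}

_PROP_RE = re.compile(r"-D" + re.escape(OCSP_CRL_PROPERTY) + r"=(\w+)")


def ocsp_crl_setting(conf_text: str) -> Optional[str]:
    """Value of the property on the last uncommented line that sets it, or None if unset."""
    value = None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue  # a commented-out JAVA_OPTS line does not reach the JVM
        m = _PROP_RE.search(stripped)
        if m:
            value = m.group(1).lower()
    return value


def ensure_ocsp_crl_disabled(conf_text: str) -> Tuple[str, bool]:
    """Return (new text, changed); the JAVA_OPTS line is appended only when not already active."""
    if ocsp_crl_setting(conf_text) == "false":
        return conf_text, False
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + JAVA_OPTS_LINE + "\n", True


def apply_to_file(path: Path) -> bool:
    """Edit the conf file in place; True when it was modified (Tomcat still needs a restart)."""
    text = path.read_text()
    new_text, changed = ensure_ocsp_crl_disabled(text)
    if changed:
        path.write_text(new_text)
    return changed


def audit_idp(version: str) -> Optional[str]:
    """'false' / 'true' / 'unset' for this host's IDP conf, or None when the file is absent."""
    path = Path(CONF_PATHS[version])
    if not path.exists():
        return None
    return ocsp_crl_setting(path.read_text()) or "unset"


if __name__ == "__main__":
    for version in sorted(set(CONF_PATHS)):
        print(version, CONF_PATHS[version], audit_idp(version))
```

A Tomcat restart is still required after the edit, as the steps above state. The audit function is the part worth keeping around: it finds IDPs where the workaround was left in place after the OCSP signing certificate had already been added to the NIDP-OCSP trust store, so revocation checking can be turned back on.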
Additional Information
When importing SAML metadata, references to signing and/or encryption
certificates exist. These certificates need to be validated before the trusted
provider is loaded successfully. Part of this validation process may involve
checking whether the server certificate is revoked or not, via either OCSP or
CRL checks. If the IDP server cannot contact the OCSP/CRL server, or cannot
validate the response it returns (the case shown below), the validation process
will fail and the following errors may be displayed in catalina.out (Linux) or
stdout.log (Windows). Note that the IDP Application and SAML2 component log
level must be set to DEBUG to troubleshoot SAML2 issues like this:
<amLogEntry> 2010-11-23T19:13:03Z DEBUG NIDS Application:
Method: X509Util.buildAndValidateCertPath
Thread: RMI TCP Connection(2)-127.0.0.1
Error processing certificate validations </amLogEntry>
<amLogEntry> 2010-11-23T19:13:03Z SEVERE NIDS Application:
AM#200104023: AMDEVICEID#48697BFC32B8665A: Error processing OCSP Response for
certificate with subject : Response seems to be signed with untrusted
certificate! </amLogEntry>
<amLogEntry> 2010-11-23T19:13:03Z SEVERE NIDS Application:
AM#100105007: AMDEVICEID#48697BFC32B8665A: Error verifying metadata
certificates while loading trusted provider https://ids.lab.novell.com/nidp/saml2/metadata
com.novell.nidp.NIDPException: Error processing OCSP Response for certificate with subject : AM#100105007: AMDEVICEID#48697BFC32B8665A: Root Cause: org.bouncycastle.ocsp.OCSPException: Response seems to be signed with untrusted certificate! </amLogEntry>
The log shows that the request was sent to the OCSP server but the response it
returned could not be validated. Only when the OCSP server's signing certificate
is imported into the NIDP-OCSP trust store will the IDP be capable of validating
the signed response.
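The entries above are multi-line amLogEntry records, which makes them awkward to grep when catalina.out is large. The following Python script is an added example, not code from this article or from NetIQ: it parses such records, extracts the AM# code, device id and trusted provider URL, and flags the SEVERE entries whose root cause is an OCSP response signed by a certificate outside the NIDP-OCSP trust store. The embedded sample log is constructed from the excerpt above plus one made-up INFO entry so the filter has something to ignore; the record format assumed is exactly the one shown in the excerpt.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three records quoted in the article plus one made-up
# INFO record (no AM code) that the filter should ignore.
SAMPLE_LOG = """\
<amLogEntry> 2010-11-23T19:13:03Z DEBUG NIDS Application:
Method: X509Util.buildAndValidateCertPath
Thread: RMI TCP Connection(2)-127.0.0.1
Error processing certificate validations </amLogEntry>
<amLogEntry> 2010-11-23T19:13:03Z SEVERE NIDS Application:
AM#200104023: AMDEVICEID#48697BFC32B8665A: Error processing OCSP Response for
certificate with subject : Response seems to be signed with untrusted
certificate! </amLogEntry>
<amLogEntry> 2010-11-23T19:13:03Z SEVERE NIDS Application:
AM#100105007: AMDEVICEID#48697BFC32B8665A: Error verifying metadata
certificates while loading trusted provider https://ids.lab.novell.com/nidp/saml2/metadata
com.novell.nidp.NIDPException: Error processing OCSP Response for certificate with subject : AM#100105007: AMDEVICEID#48697BFC32B8665A: Root Cause: org.bouncycastle.ocsp.OCSPException: Response seems to be signed with untrusted certificate! </amLogEntry>
<amLogEntry> 2010-11-23T19:14:10Z INFO NIDS Application:
Constructed sample record with no AM code, to be ignored by the filter </amLogEntry>
"""

# One record runs from <amLogEntry> to </amLogEntry> and may span several lines.
ENTRY_RE = re.compile(r"<amLogEntry>\s*(\S+)\s+(\w+)\s+(.*?)\s*</amLogEntry>", re.S)
AM_CODE_RE = re.compile(r"AM#(\d+)")
DEVICE_RE = re.compile(r"AMDEVICEID#([0-9A-Fa-f]+)")
PROVIDER_RE = re.compile(r"loading trusted provider (\S+)")


@dataclass
class LogEntry:
    timestamp: str
    level: str
    body: str            # record text with whitespace runs collapsed, so phrases split across lines match
    am_code: Optional[str]
    device_id: Optional[str]


@dataclass
class Finding:
    timestamp: str
    am_code: Optional[str]
    provider: Optional[str]
    reason: str


def parse_entries(text: str) -> List[LogEntry]:
    """Split catalina.out text into amLogEntry records."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        body = " ".join(m.group(3).split())
        code = AM_CODE_RE.search(body)
        dev = DEVICE_RE.search(body)
        entries.append(LogEntry(m.group(1), m.group(2), body,
                                code.group(1) if code else None,
                                dev.group(1) if dev else None))
    return entries


def find_ocsp_trust_failures(entries: List[LogEntry]) -> List[Finding]:
    """Flag SEVERE records whose OCSP response was rejected as signed by an untrusted certificate."""
    findings = []
    for e in entries:
        if e.level != "SEVERE":
            continue
        if "OCSP" in e.body and "signed with untrusted certificate" in e.body:
            prov = PROVIDER_RE.search(e.body)
            findings.append(Finding(
                e.timestamp, e.am_code,
                prov.group(1) if prov else None,
                "OCSP response signed by a certificate that is not in the NIDP-OCSP trust store"))
    return findings


def affected_providers(findings: List[Finding]) -> List[str]:
    """Distinct trusted-provider metadata URLs named in the findings."""
    return sorted({f.provider for f in findings if f.provider})


if __name__ == "__main__":
    found = find_ocsp_trust_failures(parse_entries(SAMPLE_LOG))
    for f in found:
        print(f.timestamp, f.am_code or "-", f.provider or "-", f.reason)
    print("providers affected:", affected_providers(found))
```

Run it against a real catalina.out by reading the file into `parse_entries` instead of `SAMPLE_LOG`. The whitespace collapse in `parse_entries` matters: the phrase "signed with untrusted certificate" is split across two physical lines in the first SEVERE record, so a plain line-by-line grep for it would miss that entry.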