How to disable OCSP and CRL checking in Access Manager (error 300101050)

  • 7007282
  • 01-Dec-2010
  • 23-Aug-2017

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Manager 4.2
NetIQ Access Manager 4.3
3rd party certificates used by IDP/ESP/LAG

Situation

The Access Manager Identity Server (IDP) is set up as a SAML 2 Identity Provider, and a trust relationship needs to be established with a 3rd party SAML 2 Service Provider (SP). The 3rd party SP's SAML 2 metadata was imported into the Admin Console successfully and the changes were applied. After users authenticated successfully to the IDP server and tried to access the SP, an error about an "invalid trusted provider" was displayed:

Error:The request to provide authentication to a service provider has failed. (300101050-039ADD61106FBB8A)

Resolution

Add the signing certificate used by the OCSP responder to the NIDP-OCSP trust store (preferred), or use the following configuration change on the IDP server to work around the problem by disabling OCSP/CRL checking. Note that the property below is a JVM-wide setting: with it in place the IDP no longer performs revocation checks on the signing or encryption certificates of any trusted provider, so a revoked certificate is no longer detected. Treat it as a temporary workaround and remove it once the OCSP responder's signing certificate is trusted.
 
On Linux 3.1 IDP:
 
modify /var/opt/novell/tomcat5/conf/tomcat5.conf file and add
 
JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
 
Restart Tomcat

On Linux 3.2/4.0 IDP:
 
modify /opt/novell/nam/idp/conf/tomcat7.conf and add
 
JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
 
Restart Tomcat

On Linux 4.1/4.2/4.3 IDP:
 
modify /opt/novell/nam/idp/conf/tomcat.conf and add
 
JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
 
Restart Tomcat

On Windows:
 
Run C:\Program Files (x86)\Novell\Tomcat\bin\tomcat5w.exe
 
Add -Dcom.novell.nidp.serverOCSPCRL=false under the Java options on the Java tab
 
Apply and restart Tomcat
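The Linux steps above are a one-line append to the Tomcat conf file followed by a restart. The script below is an added example, not part of the NetIQ KB: it adds the JAVA_OPTS line only if no serverOCSPCRL setting is already present (so running it twice does not duplicate the option), keeps a backup of the conf file, reports the effective value, and checks a captured java command line for the flag so you can confirm the restarted JVM actually picked it up. The conf file path is passed as an argument; the paths for each version are the ones listed in the Resolution above.

```shell
#!/bin/sh
# Added example (not from the NetIQ KB). Idempotently add
#   JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
# to an IDP Tomcat conf file and verify the result.
# Conf paths from the KB: /opt/novell/nam/idp/conf/tomcat7.conf (3.2/4.0)
#                         /opt/novell/nam/idp/conf/tomcat.conf  (4.1/4.2/4.3)

OPT_LINE='JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"'

# add_ocsp_opt CONF: append OPT_LINE unless serverOCSPCRL is already set.
# Keeps a timestamped backup. Prints "added" or "present".
add_ocsp_opt() {
    conf=$1
    if grep -q 'com.novell.nidp.serverOCSPCRL' "$conf"; then
        echo present
        return 0
    fi
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    printf '%s\n' "$OPT_LINE" >> "$conf"
    echo added
}

# ocsp_opt_value CONF: print the effective serverOCSPCRL value in CONF
# (last occurrence wins, as when the file is sourced), or "unset".
ocsp_opt_value() {
    v=$(sed -n 's/.*-Dcom\.novell\.nidp\.serverOCSPCRL=\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# jvm_has_opt CMDLINE: after the Tomcat restart, confirm the running JVM
# carries the flag. Pass the output of:  ps -o args= -C java
jvm_has_opt() {
    case "$1" in
        *-Dcom.novell.nidp.serverOCSPCRL=false*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh add_ocsp_opt.sh /opt/novell/nam/idp/conf/tomcat.conf
if [ "$#" -gt 0 ]; then
    add_ocsp_opt "$1"
    echo "serverOCSPCRL is now: $(ocsp_opt_value "$1")"
fi
```

After restarting Tomcat, run `ps -o args= -C java` on the IDP and pass the output to jvm_has_opt (or simply grep it for serverOCSPCRL); if the flag is missing, the conf file you edited is not the one the running Tomcat sources.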

Additional Information

When SAML metadata is imported, it contains references to signing and/or encryption certificates. These certificates must be validated before the trusted provider is loaded successfully. Part of this validation may involve checking whether the certificate has been revoked, via either OCSP or CRL checks. If the OCSP/CRL server cannot be contacted by the IDP server, or its response cannot be verified, the validation fails and errors such as the following are written to catalina.out (Linux) or stdout.log (Windows). Note that the IDP Application and SAML2 component log levels must be set to DEBUG to troubleshoot SAML2 issues like this:
 
<amLogEntry> 2010-11-23T19:13:03Z DEBUG NIDS Application:
Method: X509Util.buildAndValidateCertPath
Thread: RMI TCP Connection(2)-127.0.0.1
Error processing certificate validations </amLogEntry>
 
<amLogEntry> 2010-11-23T19:13:03Z SEVERE NIDS Application: AM#200104023: AMDEVICEID#48697BFC32B8665A:  Error processing OCSP Response for certificate with subject : Response seems to be signed with untrusted certificate! </amLogEntry>
 
<amLogEntry> 2010-11-23T19:13:03Z SEVERE NIDS Application: AM#100105007: AMDEVICEID#48697BFC32B8665A:  Error verifying metadata certificates while loading trusted provider https://ids.lab.novell.com/nidp/saml2/metadata
 com.novell.nidp.NIDPException: Error processing OCSP Response for certificate with subject : AM#100105007: AMDEVICEID#48697BFC32B8665A:  Root Cause: org.bouncycastle.ocsp.OCSPException: Response seems to be signed with untrusted certificate! </amLogEntry>
 
The log shows that the request was sent to the OCSP server but the response that came back could not be validated: it was signed by a certificate the IDP does not trust. Only when the OCSP responder's signing certificate is imported into the NIDP-OCSP trust store will the IDP be able to validate the signed response.
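The following is an added example, not part of the NetIQ KB, showing how to triage a catalina.out for this condition without reading it by hand. The log excerpt embedded in the script is constructed from the entries quoted above (same AM# codes, device ID and messages); the functions count entries per AM# code, list the trusted-provider metadata URLs that failed certificate verification, check whether the failure is the untrusted OCSP signer case, and warn if no DEBUG entries are present, since without DEBUG logging the SAML2 detail is not written.

```shell
#!/bin/sh
# Added example (not from the NetIQ KB): triage OCSP-related trusted-provider
# failures in an IDP catalina.out. SAMPLE_LOG is constructed from the entries
# quoted in the KB so the script runs offline; point the functions at a real
# catalina.out on the IDP instead.

SAMPLE_LOG='<amLogEntry> 2010-11-23T19:13:03Z DEBUG NIDS Application:
Method: X509Util.buildAndValidateCertPath
Thread: RMI TCP Connection(2)-127.0.0.1
Error processing certificate validations </amLogEntry>
<amLogEntry> 2010-11-23T19:13:03Z SEVERE NIDS Application: AM#200104023: AMDEVICEID#48697BFC32B8665A:  Error processing OCSP Response for certificate with subject : Response seems to be signed with untrusted certificate! </amLogEntry>
<amLogEntry> 2010-11-23T19:13:03Z SEVERE NIDS Application: AM#100105007: AMDEVICEID#48697BFC32B8665A:  Error verifying metadata certificates while loading trusted provider https://ids.lab.novell.com/nidp/saml2/metadata
 com.novell.nidp.NIDPException: Error processing OCSP Response for certificate with subject : AM#100105007: AMDEVICEID#48697BFC32B8665A:  Root Cause: org.bouncycastle.ocsp.OCSPException: Response seems to be signed with untrusted certificate! </amLogEntry>'

# count_am_code LOG CODE: number of log entries that start with the given AM# code.
# Only entry-opening lines are counted, so continuation lines are not double counted.
count_am_code() {
    grep -c "^<amLogEntry>.*AM#$2:" "$1" || true
}

# failed_providers LOG: metadata URLs of trusted providers whose certificates
# failed verification (AM#100105007), one per line, de-duplicated.
failed_providers() {
    sed -n 's/.*loading trusted provider \([^ ]*\).*/\1/p' "$1" | sort -u
}

# ocsp_untrusted_signer LOG: true if the OCSP response was rejected because
# its signer is not in the NIDP-OCSP trust store (the case the KB describes).
ocsp_untrusted_signer() {
    grep -q 'Response seems to be signed with untrusted certificate!' "$1"
}

# debug_enabled LOG: true if NIDS Application DEBUG entries are present.
debug_enabled() {
    grep -q 'DEBUG NIDS Application' "$1"
}

# triage LOG: print a short diagnosis and the two fixes from the KB.
triage() {
    log=$1
    if ! debug_enabled "$log"; then
        echo "warning: no DEBUG NIDS Application entries; set IDP Application and SAML2 log levels to DEBUG"
    fi
    n=$(count_am_code "$log" 100105007)
    if [ "$n" -eq 0 ]; then
        echo "no trusted-provider certificate verification failures (AM#100105007) found"
        return 0
    fi
    echo "$n trusted provider(s) failed certificate verification:"
    failed_providers "$log" | sed 's/^/  /'
    if ocsp_untrusted_signer "$log"; then
        echo "cause: OCSP response signed by a certificate not in the NIDP-OCSP trust store (AM#200104023)"
        echo "fix:   import the OCSP responder signing certificate into NIDP-OCSP (preferred),"
        echo "       or add -Dcom.novell.nidp.serverOCSPCRL=false to JAVA_OPTS to disable revocation checks"
    fi
}

# Usage: sh triage_ocsp.sh /var/opt/novell/nam/logs/idp/tomcat/catalina.out
if [ "$#" -gt 0 ]; then triage "$1"; fi
```

Run it against the IDP's catalina.out after reproducing the login; if AM#100105007 appears without the "untrusted certificate" text, the failure is a different certificate-path problem and adding the responder certificate to NIDP-OCSP will not help.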