NAM Access Gateway reports: "Error during SSL Handshake with remote server" after upgrading to NAM 4.3

  • 7018316
  • 23-Nov-2016
  • 23-Nov-2016

Environment

  • NetIQ Access Manager 4.3
  • NetIQ Access Manager Appliance 4.3
  • NetIQ Access Manager Access Gateway Appliance 4.3

Situation

  • Access Gateway Appliance / NAM Appliance has been upgraded to NAM 4.3

  • Access Gateway reports:

    Server error!
        
    The server encountered an internal error and was unable to complete your request.
    Error message:
    The proxy server could not handle the request GET [pathname].

    Reason: Error during SSL Handshake with remote server


  • The reverse proxy serving the request has been configured to use SSL to the protected back-end web server
      
  • Server Certificate validation has been enabled: "Web Server Trusted Root: Any in Reverse Proxy Trust Store"

  • No configuration change has been applied after running the upgrade to NAM 4.3

  • All required CA Certificates are available in the Proxy Trust Store

  • With "LogLevel error" set in the Access Gateway Advanced Options, the Apache error log reports the following (OpenSSL error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the issuer of the back-end server certificate could not be found in the configured trust store):
    "[error] Certificate Verification: Error (20): unable to get local issuer certificate"

  • Reviewing the Device Manager log files in "/opt/novell/devman/jcc/logs/" shows that JCC tried to run c_rehash against the trust store directory and failed:
    =====================================================================================
    /opt/novell/devman/jcc/logs/jcc-0.log.0:INFO: Executing /opt/novell/ssllib/bin/c_rehash /opt/novell/apache2/cacerts
    /opt/novell/devman/jcc/logs/jcc-0.log.0:Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
    /opt/novell/devman/jcc/logs/jcc-0.log.0:java.io.IOException: Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
    /opt/novell/devman/jcc/logs/jcc-0.log.0:java.io.IOException: Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
    /opt/novell/devman/jcc/logs/jcc-0.log.0:java.io.IOException: Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory

    =====================================================================================

Resolution

  • This issue has been reported to engineering.

  • Workaround:

    • Create the "/opt/novell/ssllib/bin/" directory
    • Create the following "c_rehash" script and place it in the "/opt/novell/ssllib/bin/" directory
      =======================================================
      #!/bin/sh
      # c_rehash replacement: create the <subject-hash>.0 links that Apache
      # mod_ssl uses to find issuer certificates in the Reverse Proxy Trust Store.
      #
      # based on /etc/pki/tls/misc/c_hash part of the openssl-1.0.0
      #
      export OPENSSL_CONF=/opt/novell/openssl/ssl/openssl.cnf
      export LD_LIBRARY_PATH=/opt/novell/openssl/lib
      OPENSSL=/opt/novell/openssl/bin/openssl

      # JCC calls this script with the trust store directory as its only
      # argument; fall back to the default location when run by hand.
      cacerts=${1:-/opt/novell/apache2/cacerts}

      # This file is a bundle of many certificates; a single hash link cannot
      # name it, so it is skipped.
      w="WellKnownThirdPartyTrustedRoots_auto.pem"

      die () {
         echo >&2 "$@"
         exit 1
      }

      [ -d "$cacerts" ] || die "Directory $cacerts does not exist"
      cd "$cacerts" || die "Cannot change to $cacerts"

      printf "removing all old hash files \n"
      rm -fv -- *.0

      printf "creating new hash files \n"
      for i in *.pem; do
         [ -f "$i" ] || continue
         [ "$i" = "$w" ] && continue
         printf "%s \n" "$i"
         h=$("$OPENSSL" x509 -hash -noout -in "$i") || die "Cannot hash $i"
         # One link per subject hash, as in the original workaround: a second
         # CA certificate with the same subject hash would overwrite this link.
         ln -svf "$i" "$h.0"
      done
      =======================================================
    • Make the script executable: chmod 755 /opt/novell/ssllib/bin/c_rehash
    • Execute the script; afterwards "/opt/novell/apache2/cacerts" should contain one <hash>.0 symlink per CA certificate
    • Restart the Access Gateway

Cause

Apache mod_ssl does not read the Reverse Proxy Trust Store directory as a whole; it looks up the issuer of the back-end server certificate through symlinks named after the certificate's subject hash (<hash>.0 -> <certificate>.pem). Those links are created by the "/opt/novell/ssllib/bin/c_rehash" script that JCC runs against "/opt/novell/apache2/cacerts". After the upgrade to NAM 4.3 that script is missing, so the directory still holds all CA certificates but no hash links, the issuer cannot be found, and certificate verification fails with error 20.
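
The following script is an added example for this TID (it is not NetIQ code and not part of the workaround above). It reproduces the failure on a throwaway trust store and shows the hash-link fix working, including a case the workaround script above does not cover: two CA certificates whose subject hashes collide. It assumes an openssl binary (1.1.1 or later) on the PATH and takes the trust-store directory as an argument (on NAM that would be /opt/novell/apache2/cacerts); the "Example Root CA" DN, the backendN.example.invalid subjects and the file names are constructed test data.

```shell
#!/bin/sh
# Added example for TID 7018316; not NetIQ code. Rebuilds the subject-hash
# links of a CApath-style trust store and shows, on a throwaway CA, that
# "error 20: unable to get local issuer certificate" disappears once the
# links exist. Assumes an 'openssl' binary (1.1.1 or later) on PATH; on NAM
# the store directory would be /opt/novell/apache2/cacerts.
set -u

# Create <subject_hash>.N links for every single-certificate *.pem in $1.
# N counts up from 0, so two CAs that share a subject hash (for example a
# re-keyed root issued with the same DN) both stay reachable, where a fixed
# "ln -f $i $h.0" would keep only the last one. Bundles are skipped because
# one link can name only one certificate (the same reason the TID script
# skips WellKnownThirdPartyTrustedRoots_auto.pem).
rehash_dir() {
    dir=$1
    for link in "$dir"/*.[0-9] "$dir"/*.[0-9][0-9]; do
        [ -L "$link" ] && rm -f "$link"   # drop old links only, never real files
    done
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        name=$(basename "$pem")
        if [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" -ne 1 ]; then
            echo "skipping bundle $name" >&2
            continue
        fi
        h=$(openssl x509 -subject_hash -noout -in "$pem") || return 1
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$name" "$dir/$h.$n"
    done
}

# The lookup mod_ssl performs against SSLProxyCACertificatePath: build the
# chain for $2 from the hash links in $1 only. Prints openssl's verdict
# (which reads "error 20 ... unable to get local issuer certificate" while
# the links are missing) and returns its exit status.
verify_against_dir() {
    openssl verify -no-CAfile -CApath "$1" "$2" 2>&1
}

# Constructed fixture, not real NAM data: two roots with the same subject DN
# but different keys (so their hash links collide), each signing one leaf.
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/cacerts"
    cat >"$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # the AKID lets OpenSSL pick the right one of the two same-named roots
    printf 'basicConstraints=CA:FALSE\nauthorityKeyIdentifier=keyid\n' >"$d/leaf.cnf"
    for i in 1 2; do
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
            -keyout "$d/ca$i.key" -out "$d/ca$i.pem" >/dev/null 2>&1
        cp "$d/ca$i.pem" "$d/cacerts/ExampleRootCA-$i.pem"
        openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
            -subj "/CN=backend$i.example.invalid" \
            -keyout "$d/leaf$i.key" -out "$d/leaf$i.csr" >/dev/null 2>&1
        openssl x509 -req -days 1 -in "$d/leaf$i.csr" -extfile "$d/leaf.cnf" \
            -CA "$d/ca$i.pem" -CAkey "$d/ca$i.key" -CAcreateserial \
            -out "$d/leaf$i.pem" >/dev/null 2>&1
    done
    echo "$d"
}

# Usage: sh rehash_check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    echo "== before rehash (no hash links in the store)"
    verify_against_dir "$d/cacerts" "$d/leaf1.pem"
    rehash_dir "$d/cacerts"
    echo "== links created:"; ls -l "$d/cacerts"
    echo "== after rehash"
    verify_against_dir "$d/cacerts" "$d/leaf1.pem"
    verify_against_dir "$d/cacerts" "$d/leaf2.pem"
    rm -rf "$d"
fi
```

The .N counter is how OpenSSL's own c_rehash names colliding links, and "openssl verify -CApath" exercises the same by-directory lookup that mod_ssl uses, so running it against /opt/novell/apache2/cacerts with the back-end server's certificate is a quick way to confirm the store is usable before restarting the Access Gateway.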