IBM Security Verify

  • 1.  IBM IAG not working after IDP certificate update

    Posted Mon October 25, 2021 07:12 AM

    Hello,

    we are using IBM IAG in a Kubernetes cluster and IBM SVA as the IDP using OpenID Connect. Today I updated the certificate and now it is not working. I changed the certificate from Thawte to Sectigo. In SSLHopper I can see that the full chain of the old certificate was composed of 3 certificates and now it is only 2.

    These are the logs of the IAG:

    2021-10-25-11:04:34.546+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2470 0x7f0b57f7d700
    DPWIV1228W   IAG could not establish a secure connection to the server, my.domain.com, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
    2021-10-25-11:04:34.546+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 704 0x7f0b57f7d700
    DPWAD1061E   Failed to connect to the server: my.domain.com:443.
    2021-10-25-11:04:35.011+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2470 0x7f0b57e79700
    DPWIV1228W   IAG could not establish a secure connection to the server, my.domain.com, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
    2021-10-25-11:04:35.011+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 704 0x7f0b57e79700
    DPWAD1061E   Failed to connect to the server: my.domain.com:443.
    2021-10-25-11:04:35.539+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2470 0x7f0b57e38700
    DPWIV1228W   IAG could not establish a secure connection to the server, my.domain.com, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
    2021-10-25-11:04:35.539+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 704 0x7f0b57e38700
    DPWAD1061E   Failed to connect to the server: my.domain.com:443.
    10.201.16.48 - unauthenticated 25/Oct/2021:11:04:34 +0000 "GET /pkmsoidc?state=667bed92-ff80-3c61-80a7-ef8656d2d4f0&code=xxxxxxxxxxx HTTP/1.1" 302 4157
    10.201.16.48 - unauthenticated 25/Oct/2021:11:04:34 +0000 "GET /pkmsoidc?iss=default&TAM_OP=login HTTP/1.1" 302 4379
    10.201.16.48 - unauthenticated 25/Oct/2021:11:04:34 +0000 "GET /pkmsoidc?state=667bed92-ff80-3c61-80a7-ef8656d2d4f0&code=xxxxxxxxxxx HTTP/1.1" 302 4157
    10.201.16.48 - unauthenticated 25/Oct/2021:11:04:35 +0000 "GET /pkmsoidc?iss=default&TAM_OP=login HTTP/1.1" 302 4379
    2021-10-25-11:04:35.971+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2470 0x7f0b57cf3700
    DPWIV1228W   IAG could not establish a secure connection to the server, my.domain.com, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
    2021-10-25-11:04:35.971+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 704 0x7f0b57cf3700
    DPWAD1061E   Failed to connect to the server: my.domain.com:443.
    2021-10-25-11:04:36.358+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2470 0x7f0b57d34700
    DPWIV1228W   IAG could not establish a secure connection to the server, my.domain.com, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
    2021-10-25-11:04:36.358+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 704 0x7f0b57d34700
    DPWAD1061E   Failed to connect to the server: my.domain.com:443.

    Can you help me?

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------


  • 2.  RE: IBM IAG not working after IDP certificate update

    Posted Mon October 25, 2021 08:41 AM
    Hi Javier,

    What is my.domain.com:443?  Is that a backend server you are junctioned to (as a resource server) or is it your Verify tenant?

    If that is your Verify tenant, make sure that root certificate that signs the HTTPS endpoint of your Verify tenant is being loaded in your IAG configuration.  This certificate validates the metadata and JWKS endpoints which then download the configuration and token signing certificates required for the rest of the connection.

    If this is a junctioned resource server, make sure that you're loading the root certificate that signs the server certificate of the resource server.

    In both cases, you must have the root certificate loaded.  If you load a server certificate or intermediate certificate but miss the root, you will likely get GSKIT errors.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: IBM IAG not working after IDP certificate update

    Posted Mon October 25, 2021 08:49 AM
    Javier,

    I also note that 0x19e implies a bad certificate from the partner.

    Are you able to connect to my.domain.com:443 with OpenSSL to check that the certificate is being presented correctly?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
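
Jon's two points above (the client must hold the root, and the server must present its chain correctly) can be reproduced offline. The following is an added example, not code from the thread or from IBM: it mints constructed test certificates with Go's standard library and runs the same chain validation a client such as IAG performs, in three configurations. The names and my.domain.com are placeholders taken from the thread; the third case (server omits its intermediate) goes slightly beyond the thread to show the other way a 3-certificate chain can turn into a 2-certificate one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a constructed test certificate for cn, signed by parent (self-signed when parent is nil).
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey) // cannot fail for these constructed inputs
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyAsClient models IAG's check in gsk_secure_soc_init: the leaf must chain, via the certificates the server presented, to the root IAG was configured to trust.
func VerifyAsClient(leaf, trustedRoot *x509.Certificate, presented ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "my.domain.com"})
	return err
}

// Scenario reproduces the thread: IAG still trusts the old root while the IdP now presents a leaf from a new CA, with and without its intermediate.
func Scenario() (oldRootErr, newRootErr, noIntermediateErr error) {
	oldRoot, _ := issue("Old Root CA (constructed)", true, nil, nil)
	newRoot, newRootKey := issue("New Root CA (constructed)", true, nil, nil)
	inter, interKey := issue("New Intermediate CA (constructed)", true, newRoot, newRootKey)
	leaf, _ := issue("my.domain.com", false, inter, interKey)
	oldRootErr = VerifyAsClient(leaf, oldRoot, inter)       // IAG config still holds the old root: fails (GSK_ERROR_BAD_CERT analogue)
	newRootErr = VerifyAsClient(leaf, newRoot, inter)       // new root loaded into IAG: succeeds
	noIntermediateErr = VerifyAsClient(leaf, newRoot) // root loaded but server does not send its intermediate: fails
	return
}
```

Only the second configuration validates; the first and third both surface as an unknown-authority error, which is why checking what the server actually presents (Jon's openssl suggestion) and what the client trusts are separate steps.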



  • 4.  RE: IBM IAG not working after IDP certificate update

    Posted Mon October 25, 2021 08:56 AM
    Hello Jon

    To your last question: yes, I can connect using openssl s_client -connect "my.domain.com". I am sorry that I don't use my real domain, but I can't.

    "my.domain.com" is the SVA OIDC domain. How can I load the CA cert file in IAG? I have both the bundle and the intermediate.

    Thank you so much for your help.

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 5.  RE: IBM IAG not working after IDP certificate update

    Posted Mon October 25, 2021 11:13 AM
    Hi Javier,

    The root certificate that allows trust in the server certificate presented by ISVA (Reverse Proxy) needs to be provided in IAG configuration.
    When I set this up I mounted it to the IAG filesystem and referenced it:

    identity:
      oidc:
        response_type: id_token
        scopes:
         - email
         - profile
         - AZN_CRED_GROUPS
        discovery_endpoint: $ISVA_DISCOVERY_ENDPOINT
        client_id: $OIDC_CLIENT_ID
        client_secret: $OIDC_CLIENT_SECRET
        ssl:
          certificate:
            - "@env_files/webseal.cer"
    

    Alternatively, you could use the format:

    certificate: B64:<base-64-encoded-file>
    Note that in this method the entire certificate file (-----BEGIN CERTIFICATE----- etc.) is base64-encoded *again* before being pasted inline here.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------