Hi Javier,
The root certificate that allows trust in the server certificate presented by ISVA (Reverse Proxy) needs to be provided in IAG configuration.
When I set this up I mounted it to the IAG filesystem and referenced it:
identity:
  oidc:
    response_type: id_token
    scopes:
      - email
      - profile
      - AZN_CRED_GROUPS
    discovery_endpoint: $ISVA_DISCOVERY_ENDPOINT
    client_id: $OIDC_CLIENT_ID
    client_secret: $OIDC_CLIENT_SECRET
    ssl:
      certificate:
        - "@env_files/webseal.cer"
Alternatively, you could use the format:
certificate: B64:<base-64-encoded-file>
Note that in this method the entire certificate file (-----BEGIN CERTIFICATE----- etc.) is base64-encoded *again* before being pasted inline here.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Mon October 25, 2021 08:56 AM
From: Javier Garcia Pazos
Subject: IBM IAG not working after IDP certificate update
Hello Jon
To your last question, yes, I can connect using openssl s_client -connect "my.domain.com". I am sorry that I am not using my real domain, but I can't.
"my.domain.com" is the SVA OIDC domain. How can I load the CA cert file in IAG? I have both the bundle and the intermediate.
Thank you so much for your help.
Regards
------------------------------
Javier Garcia Pazos
Original Message:
Sent: Mon October 25, 2021 08:48 AM
From: Jon Harry
Subject: IBM IAG not working after IDP certificate update
Javier,
I also note that 0x19e implies a bad certificate from the partner.
Are you able to connect to my.domain.com:443 with OpenSSL to check that the certificate is being presented correctly?
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Mon October 25, 2021 08:41 AM
From: Jon Harry
Subject: IBM IAG not working after IDP certificate update
Hi Javier,
What is my.domain.com:443? Is that a backend server you are junctioned to (as a resource server) or is it your Verify tenant?
If that is your Verify tenant, make sure that the root certificate that signs the HTTPS endpoint of your Verify tenant is being loaded in your IAG configuration. This certificate validates the metadata and JWKS endpoints, which then download the configuration and token signing certificates required for the rest of the connection.
If this is a junctioned resource server, make sure that you're loading the root certificate that signs the server certificate of the resource server.
In both cases, you must have the root certificate loaded. If you load a server certificate or intermediate certificate but miss the root, you will likely get GSKIT errors.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
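The points in this message (the root, not just the leaf or intermediate, must be loaded) and in the later "B64:" note (the whole PEM file is base64-encoded a second time) can be checked with the shell helpers below. This is an added example, not code from the thread or from IBM; it assumes POSIX sh with GNU coreutils and, for the two openssl helpers, an openssl binary on the path. The sample bundle it writes contains placeholder bodies, not real certificates.

```shell
# Added example, not from the thread or from IBM: POSIX shell helpers for
# preparing the root CA certificate that IAG must trust for the ISVA endpoint.

# Count certificate blocks in a PEM bundle. A chain that shrank from 3 to 2
# certificates is the case to inspect: the root must be present in what IAG loads.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build the inline "certificate: B64:<...>" value: the WHOLE PEM file,
# BEGIN/END lines included, is base64-encoded a second time.
iag_b64_value() {
    printf 'B64:%s' "$(base64 < "$1" | tr -d '\n')"
}

# Validate a candidate B64: value. Pasting only the PEM body is a common slip;
# it decodes to raw DER, not to a PEM file, so this check fails for it.
check_iag_b64_value() {
    printf '%s' "${1#B64:}" | base64 -d 2>/dev/null \
        | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Report whether a PEM chain file contains a self-signed (root) certificate by
# comparing each subject with its issuer (requires openssl).
chain_has_root() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout \
        | awk '/^subject=/ { sub(/^subject=/, ""); s = $0 }
               /^issuer=/  { sub(/^issuer=/, "");  if ($0 == s) found = 1 }
               END { exit !found }'
}

# Save the chain a server presents (the s_client check from the thread) to $3.
# Servers normally omit the root, so "no root" here means the root must be
# obtained from the CA separately and loaded into IAG.
fetch_server_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | awk '/-----BEGIN CERT/,/-----END CERT/' > "$3"
}

# Constructed two-block PEM bundle with placeholder bodies (not real
# certificates) so the offline helpers above can be exercised.
sample_bundle() {
    f=$(mktemp)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgTEVBRiBQTEFDRUhPTERFUg==' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQgUk9PVCBQTEFDRUhPTERFUg==' '-----END CERTIFICATE-----' > "$f"
    echo "$f"
}
```

Run `fetch_server_chain my.domain.com 443 chain.pem` followed by `chain_has_root chain.pem` to see whether the presented chain already carries a self-signed root; `iag_b64_value root.pem` produces the value to paste into the configuration.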
Original Message:
Sent: Mon October 25, 2021 07:11 AM
From: Javier Garcia Pazos
Subject: IBM IAG not working after IDP certificate update
Hello,
we are using IBM IAG in a Kubernetes Cluster and IBM SVA as the IDP using OpenID Connect. Today I updated the certificate and now it is not working. I changed the certificate from Thawte to Sectigo. In SSLHopper I can see that the full chain of the old certificate was composed of 3 certificates and now it is only of 2.
These are the logs of the IAG:
2021-10-25-11:04:34.546+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2470 0x7f0b57f7d700 DPWIV1228W IAG could not establish a secure connection to the server, my.domain.com, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
2021-10-25-11:04:34.546+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 704 0x7f0b57f7d700 DPWAD1061E Failed to connect to the server: my.domain.com:443.
2021-10-25-11:04:35.011+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2470 0x7f0b57e79700 DPWIV1228W IAG could not establish a secure connection to the server, my.domain.com, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
2021-10-25-11:04:35.011+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 704 0x7f0b57e79700 DPWAD1061E Failed to connect to the server: my.domain.com:443.
2021-10-25-11:04:35.539+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2470 0x7f0b57e38700 DPWIV1228W IAG could not establish a secure connection to the server, my.domain.com, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
2021-10-25-11:04:35.539+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 704 0x7f0b57e38700 DPWAD1061E Failed to connect to the server: my.domain.com:443.
10.201.16.48 - unauthenticated 25/Oct/2021:11:04:34 +0000 "GET /pkmsoidc?state=667bed92-ff80-3c61-80a7-ef8656d2d4f0&code=xxxxxxxxxxx HTTP/1.1" 302 4157
10.201.16.48 - unauthenticated 25/Oct/2021:11:04:34 +0000 "GET /pkmsoidc?iss=default&TAM_OP=login HTTP/1.1" 302 4379
10.201.16.48 - unauthenticated 25/Oct/2021:11:04:34 +0000 "GET /pkmsoidc?state=667bed92-ff80-3c61-80a7-ef8656d2d4f0&code=xxxxxxxxxxx HTTP/1.1" 302 4157
10.201.16.48 - unauthenticated 25/Oct/2021:11:04:35 +0000 "GET /pkmsoidc?iss=default&TAM_OP=login HTTP/1.1" 302 4379
2021-10-25-11:04:35.971+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2470 0x7f0b57cf3700 DPWIV1228W IAG could not establish a secure connection to the server, my.domain.com, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
2021-10-25-11:04:35.971+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 704 0x7f0b57cf3700 DPWAD1061E Failed to connect to the server: my.domain.com:443.
2021-10-25-11:04:36.358+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2470 0x7f0b57d34700 DPWIV1228W IAG could not establish a secure connection to the server, my.domain.com, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
2021-10-25-11:04:36.358+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 704 0x7f0b57d34700 DPWAD1061E Failed to connect to the server: my.domain.com:443.
Can you help me?
Regards
------------------------------
Javier Garcia Pazos
------------------------------