IBM Security Verify

  • 1.  IAG: could not establish a secure connection to the server

    Posted Mon January 25, 2021 06:22 AM
    Edited by Øyvind Bergerud Mon January 25, 2021 06:52 AM
    Hi,

    We recently started with IAG in Kubernetes and struggle with what looks like self-signed certificates on our internal IDP, IBM Security Verify Access. We have tried to add these certificates under identity: ssl.
    We get the following error:
    2021-01-25-11:07:34.055+00:00I----- 0x38AD54CC iag WARNING wiv ssl SSLConnection.cpp 2460 0x7fdd6affd700DPWIV1228W IAG could not establish a secure connection to the server, #####, for the default junction (Function call: gsk_secure_soc_init; failed error: 0x19e GSK_ERROR_BAD_CERT).
    2021-01-25-11:07:34.055+00:00I----- 0x38983425 iag ERROR wad general AMWJsonClient.cpp 696 0x7fdd6affd700
    DPWAD1061E Failed to connect to the server: #####:443.


    When I log into the instance and verify the certificate with openssl, it seems to be valid:
    ➜ kubectl exec --stdin --tty iag-instance-ff695fdb7-f87kr -- /bin/bash
    [ivmgr@iag-instance-ff695fdb7-f87kr /]$ cd /var/iag/config/
    openssl s_client -CAfile root.pem <access manager>:443
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4516 bytes and written 453 bytes
    Verification: OK


    We have the following config as configmap:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: test-config
    data:
      config.yaml: |
        version: "20.12"
        server:
          ssl:
            front_end:
        identity:
          oidc:
            discovery_endpoint: "https://<access manager>/.well-known/openid-configuration"
            client_id: ""
            client_secret: ""
          ssl:
            certificate:
              - "@root.pem"
              - "@intermediate-ca.pem"
      root.pem: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----
      intermediate-ca.pem: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----


    ------------------------------
    Øyvind Bergerud
    ------------------------------


  • 2.  RE: IAG: could not establish a secure connection to the server

    Posted Mon January 25, 2021 06:59 AM
    Edited by Joao Goncalves Mon January 25, 2021 07:00 AM
    Usually it is caused by mishandling of the Certificates.
    Are you sure you have the chain of CA certificates required for accepting the certificates?

    Are you using the correct keystore file?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 3.  RE: IAG: could not establish a secure connection to the server

    Posted Mon January 25, 2021 07:08 AM

    My assumption was that keystore is added under the config stanza? Or have we misunderstood?
       ssl:
         certificate:
           - "@root.pem"
           - "@intermediate-ca.pem"


    ------------------------------
    Øyvind Bergerud
    ------------------------------



  • 4.  RE: IAG: could not establish a secure connection to the server

    Posted Mon January 25, 2021 07:22 AM
    Øyvind,

    If you use the "@<file>" syntax in the YAML, the IAG will expect to find this file on its local filesystem (as part of an image layer or as a mounted filesystem/secret).

    If you want to load a file directly into the YAML then you need to use the syntax:

    "b64:<base64 file>"

    Where <base64 file> is the base64-encoded version of the file. So, you need to base64-encode your certificate file (even though it is mostly base64-encoded already) and paste the result after the b64: prefix.

    See "Special Types" here: https://iamdevportal.us-east.mybluemix.net/iag/concepts/configuration

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: IAG: could not establish a secure connection to the server

    Posted Mon June 21, 2021 06:29 AM
    Edited by Øyvind Bergerud Mon June 21, 2021 06:54 AM
    Hi,

    Old post, but still the same problem.
    I've tried these combinations:

    * Prebake the container with SSL certs.
    * Mounting configmap as a directory.
    * Loading individual certs in the chain.
    * Loading a ca bundle
    * Loading the cert from $ENV variable from configmap (ConfigurationConfiguration)

    We have switched to a public CA (buypass), but still experience the same problem.
    What else can be wrong? Is there any additional debug functionality?


    ------------------------------
    Øyvind Bergerud
    ------------------------------



  • 6.  RE: IAG: could not establish a secure connection to the server

    Posted Mon June 21, 2021 07:34 AM
    Hi Øyvind,

    Since the original posts on this subject, I have set up IAG integration with Verify Access myself.
    Comparing the configuration you are using with what I have, it looks like your "ssl" object in YAML is indented incorrectly.
    I have it under the "oidc" object but you have it as a peer.

    My config looks like this:

    identity:
      oidc:
        response_type: id_token
        scopes:
         - email
         - profile
         - AZN_CRED_GROUPS
        discovery_endpoint: $OIDC_DISCOVERY_ENDPOINT
        client_id: $OIDC_CLIENT_ID
        client_secret: $S_OIDC_CLIENT_SECRET
        ssl:
          certificate:
            - "@env_files/webseal.cer"




    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
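    The following is an added example, not code from the thread or from IBM's IAG, that models the two points made above: the "@<file>" and "b64:<base64 file>" special types described in reply 4, and the ssl block having to sit inside oidc (not beside it) from reply 6. The PEM blob, the discovery endpoint URL and the in-memory `mounted` mapping that stands in for the container filesystem are all constructed for the example; the resolution logic is an assumption about the documented behaviour, not IAG's own implementation.

```python
"""Model of IAG certificate special types and the identity.oidc.ssl nesting.

Added example, not IAG's code. The resolution rules follow the "Special Types"
description in the thread; treat them as an assumption about IAG, not as its API.
"""
import base64
import binascii

# Constructed placeholder PEM: the body is NOT a real certificate, it only
# carries the markers a certificate file is expected to have.
SAMPLE_ROOT_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBsDCCAVagAwIBAgIUPLACEHOLDERROOTCERTDATA0000000000=\n"
    b"-----END CERTIFICATE-----\n"
)


def _check_pem(pem: bytes) -> bytes:
    """Refuse anything that is not a PEM certificate block."""
    if (b"-----BEGIN CERTIFICATE-----" not in pem
            or b"-----END CERTIFICATE-----" not in pem):
        raise ValueError("not a PEM certificate")
    return pem


def to_b64_special(pem: bytes) -> str:
    """Build the inline form: the WHOLE PEM file (markers included) is
    base64-encoded once more and prefixed with "b64:"."""
    return "b64:" + base64.b64encode(_check_pem(pem)).decode("ascii")


def resolve_special(value: str, mounted: dict[str, bytes]) -> bytes:
    """Resolve a certificate value the way the thread describes (assumption).

    `mounted` stands in for files baked into the image or mounted from a
    ConfigMap/Secret; an "@<file>" that is not there is the first failure mode
    in the thread (the YAML carried the file, but IAG looked on disk)."""
    if value.startswith("@"):
        path = value[1:]
        if path not in mounted:
            raise FileNotFoundError(
                f"{path!r} is not on the container filesystem; "
                "mount it or use the b64: form")
        return _check_pem(mounted[path])
    if value.startswith("b64:"):
        try:
            return _check_pem(base64.b64decode(value[4:], validate=True))
        except binascii.Error as exc:
            raise ValueError("b64: payload is not valid base64") from exc
    raise ValueError(f"unsupported certificate value: {value[:20]!r}")


def oidc_ssl_block(values: list[str], discovery_endpoint: str) -> str:
    """Emit identity.oidc with ssl nested INSIDE oidc, the indentation that
    fixed the GSK_ERROR_BAD_CERT handshake failure in the thread."""
    lines = [
        "identity:",
        "  oidc:",
        f'    discovery_endpoint: "{discovery_endpoint}"',
        "    ssl:",
        "      certificate:",
    ]
    lines += [f'        - "{v}"' for v in values]
    return "\n".join(lines) + "\n"


def ssl_is_under_oidc(yaml_text: str) -> bool:
    """Cheap indentation check for the mistake in the thread: the first 'ssl:'
    after 'oidc:' must be indented deeper than that 'oidc:' line."""
    oidc_indent = None
    for line in yaml_text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith("oidc:"):
            oidc_indent = len(line) - len(stripped)
        elif stripped.startswith("ssl:") and oidc_indent is not None:
            return (len(line) - len(stripped)) > oidc_indent
    return False


if __name__ == "__main__":
    inline = to_b64_special(SAMPLE_ROOT_PEM)
    endpoint = "https://idp.example.invalid/.well-known/openid-configuration"
    print(oidc_ssl_block([inline], endpoint))
```

    Running the script prints a config fragment with the inline certificate under identity.oidc.ssl; `ssl_is_under_oidc` returns False for the peer-level layout from the first post and True for the layout in reply 6, and `resolve_special("@root.pem", {})` raises because nothing was mounted at that path.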



  • 7.  RE: IAG: could not establish a secure connection to the server

    Posted Mon June 21, 2021 07:46 AM
    Thanks a lot, that solved the problem with SSL :)
    It was exactly the problem.

    ------------------------------
    Øyvind Bergerud
    ------------------------------