Does anyone know of any way to log the incoming cert details even if webseal rejects the request?

We get questions every day about operation aborted screens detailing "HPDIA0114E Could not acquire a client credential."  Most of the time it is because the user's cert is not imported in correctly, although sometimes it is because the user's account is not valid in the ISVA registry.  However, there is no log of the incoming cert and/or why it was rejected.

Is there any way to log the incoming cert detail even during instances when webseal rejects them?  It would even be great if we could log when the cert fails CRL check or expiration date, etc.

We use the username mapping module, so the only thing I wondered if there was some way to maybe make that log when it fires.  Otherwise, the only other thing I could think is switching to an EAI/InfoMap to accomplish this logging, but that introduces new dependencies on our existing flows.

Just curious if anyone else has managed to capturing incoming cert details when mTLS is used.  Thanks!

------------------------------
Matt
------------------------------

Hi,

There is  the component pd.cas.certmap for tracing or the more general pdweb.cas.general tracing component.  That will show the details depending on the tracing level enabled.   There is also tracing /logging possible at the gskit level , but that requires a whole set of different tools .
Certificate checks /CRL checks

https://www.ibm.com/docs/en/sva/10.0.3?topic=agents-parameters-remote-syslog

https://www.ibm.com/docs/en/sva/10.0.3?topic=webseal-certificate-revocation-lists
The application can then decide the best course of action. You can configure the course of action in WebSEAL by setting the configuration option undetermined-revocation-cert-action in the [ssl] stanza to one of: ignore, log, or reject.

Kind regards,
Serge Vereecke
IBM Security

------------------------------
Serge Vereecke
------------------------------

Original Message:
Sent: Fri February 11, 2022 10:45 AM
From: Matt Jenkins
Subject: mTLS logging incoming cert details

Does anyone know of any way to log the incoming cert details even if webseal rejects the request?

We get questions every day about operation aborted screens detailing "HPDIA0114E Could not acquire a client credential."  Most of the time it is because the user's cert is not imported in correctly, although sometimes it is because the user's account is not valid in the ISVA registry.  However, there is no log of the incoming cert and/or why it was rejected.

Is there any way to log the incoming cert detail even during instances when webseal rejects them?  It would even be great if we could log when the cert fails CRL check or expiration date, etc.

We use the username mapping module, so the only thing I wondered if there was some way to maybe make that log when it fires.  Otherwise, the only other thing I could think is switching to an EAI/InfoMap to accomplish this logging, but that introduces new dependencies on our existing flows.

Just curious if anyone else has managed to capturing incoming cert details when mTLS is used.  Thanks!

------------------------------
Matt
------------------------------

Serge, we don't use the cert mapping module, is that what pd.cas.certmap is for?  We use the user name mapping module.  However, I suppose my biggest question is if it is ok to leave tracing enabled full time on a production system?

We do have the undetermined-revocation-cert-action already setup and all the CRL checks are working.  The biggest headache is not knowing the exact cert that was used to try to authenticate that was not associated with a UID.  The only way we have been able to previously corelate this data is to painstakingly corelate the request and msg logs with the LDAP audit log and we can tell by the LDAP search that was performed for the secUser object.

Thanks for your suggestions, I'll check into the tracing and see if maybe turning it up a bit would gather what we need.  However, I still wonder how safe this is to leave enabled.

------------------------------
Matt Jenkins
------------------------------

Original Message:
Sent: Mon February 14, 2022 05:04 AM
From: Serge Vereecke
Subject: mTLS logging incoming cert details

Hi,

There is  the component pd.cas.certmap for tracing or the more general pdweb.cas.general tracing component.  That will show the details depending on the tracing level enabled.   There is also tracing /logging possible at the gskit level , but that requires a whole set of different tools .
Certificate checks /CRL checks

https://www.ibm.com/docs/en/sva/10.0.3?topic=agents-parameters-remote-syslog

https://www.ibm.com/docs/en/sva/10.0.3?topic=webseal-certificate-revocation-lists
The application can then decide the best course of action. You can configure the course of action in WebSEAL by setting the configuration option undetermined-revocation-cert-action in the [ssl] stanza to one of: ignore, log, or reject.

Kind regards,
Serge Vereecke
IBM Security

------------------------------
Serge Vereecke

Original Message:
Sent: Fri February 11, 2022 10:45 AM
From: Matt Jenkins
Subject: mTLS logging incoming cert details

Does anyone know of any way to log the incoming cert details even if webseal rejects the request?

We get questions every day about operation aborted screens detailing "HPDIA0114E Could not acquire a client credential."  Most of the time it is because the user's cert is not imported in correctly, although sometimes it is because the user's account is not valid in the ISVA registry.  However, there is no log of the incoming cert and/or why it was rejected.

Is there any way to log the incoming cert detail even during instances when webseal rejects them?  It would even be great if we could log when the cert fails CRL check or expiration date, etc.

We use the username mapping module, so the only thing I wondered if there was some way to maybe make that log when it fires.  Otherwise, the only other thing I could think is switching to an EAI/InfoMap to accomplish this logging, but that introduces new dependencies on our existing flows.

Just curious if anyone else has managed to capturing incoming cert details when mTLS is used.  Thanks!

------------------------------
Matt
------------------------------

Matt,

I am a little bit surprised that the same message is shown for both incorrectly validated certificates, and invalid accounts.  The error message which you included above should be the one which is shown when an unknown user is presented, but I would have expected a different error to be shown if the certificate is not accepted by WebSEAL.  The reason for this is that the certificate validation occurs when the user attempts to establish the SSL session with WebSEAL (using GSKit), while the user validation (i.e. mapping of user DN to an Verify Access user) takes place within the username mapping module - when WebSEAL attempts to create a credential.

So, you should be able to use HPDIA0114E to determine that a user account is not valid, and a different message (I don't know which) should be used to indicate that the session could not be established because the certificate is invalid (e.g. CRL check, expiration date, untrusted signer, etc).  Is this not happening?

Anyway, I don't believe that there is currently any way to understand why a certificate has been rejected.

Unfortunately changing to an EAI/InfoMap won't help in this situation because WebSEAL still validates the certificate (during SSL network termination), and won't pass the certificate onto the EAI/InfoMap if it is invalid.

I hope that this helps.



------------------------------
Scott Exton
IBM
Gold Coast
------------------------------

Original Message:
Sent: Fri February 11, 2022 10:45 AM
From: Matt Jenkins
Subject: mTLS logging incoming cert details

Does anyone know of any way to log the incoming cert details even if webseal rejects the request?

We get questions every day about operation aborted screens detailing "HPDIA0114E Could not acquire a client credential."  Most of the time it is because the user's cert is not imported in correctly, although sometimes it is because the user's account is not valid in the ISVA registry.  However, there is no log of the incoming cert and/or why it was rejected.

Is there any way to log the incoming cert detail even during instances when webseal rejects them?  It would even be great if we could log when the cert fails CRL check or expiration date, etc.

We use the username mapping module, so the only thing I wondered if there was some way to maybe make that log when it fires.  Otherwise, the only other thing I could think is switching to an EAI/InfoMap to accomplish this logging, but that introduces new dependencies on our existing flows.

Just curious if anyone else has managed to capturing incoming cert details when mTLS is used.  Thanks!

------------------------------
Matt
------------------------------

Scott, yes a different message does get shown for unknown user versus failed cert.  The failed CRL checks do at least dump in the message log as DPWNS0165E with the subject and issuer DN of the cert.

The one I was primarily concerned with is with HPDIA0114E when an unknown user is presented.  Those we currently have no ability to know what the subject DN of the cert was.  I expect the user name mapping module gets fired on those, but I wasn't sure if that mapping module has any ability to log.

Thanks for your input!

------------------------------
Matt Jenkins
------------------------------

Original Message:
Sent: Mon February 14, 2022 03:23 PM
From: Scott Exton
Subject: mTLS logging incoming cert details

Matt,

I am a little bit surprised that the same message is shown for both incorrectly validated certificates, and invalid accounts.  The error message which you included above should be the one which is shown when an unknown user is presented, but I would have expected a different error to be shown if the certificate is not accepted by WebSEAL.  The reason for this is that the certificate validation occurs when the user attempts to establish the SSL session with WebSEAL (using GSKit), while the user validation (i.e. mapping of user DN to an Verify Access user) takes place within the username mapping module - when WebSEAL attempts to create a credential.

So, you should be able to use HPDIA0114E to determine that a user account is not valid, and a different message (I don't know which) should be used to indicate that the session could not be established because the certificate is invalid (e.g. CRL check, expiration date, untrusted signer, etc).  Is this not happening?

Anyway, I don't believe that there is currently any way to understand why a certificate has been rejected.

Unfortunately changing to an EAI/InfoMap won't help in this situation because WebSEAL still validates the certificate (during SSL network termination), and won't pass the certificate onto the EAI/InfoMap if it is invalid.

I hope that this helps.



------------------------------
Scott Exton
IBM
Gold Coast

Original Message:
Sent: Fri February 11, 2022 10:45 AM
From: Matt Jenkins
Subject: mTLS logging incoming cert details

Does anyone know of any way to log the incoming cert details even if webseal rejects the request?

We get questions every day about operation aborted screens detailing "HPDIA0114E Could not acquire a client credential."  Most of the time it is because the user's cert is not imported in correctly, although sometimes it is because the user's account is not valid in the ISVA registry.  However, there is no log of the incoming cert and/or why it was rejected.

Is there any way to log the incoming cert detail even during instances when webseal rejects them?  It would even be great if we could log when the cert fails CRL check or expiration date, etc.

We use the username mapping module, so the only thing I wondered if there was some way to maybe make that log when it fires.  Otherwise, the only other thing I could think is switching to an EAI/InfoMap to accomplish this logging, but that introduces new dependencies on our existing flows.

Just curious if anyone else has managed to capturing incoming cert details when mTLS is used.  Thanks!

------------------------------
Matt
------------------------------

Original Message:
Sent: 2/14/2022 3:49:00 PM
From: Matt Jenkins
Subject: RE: mTLS logging incoming cert details

Scott, yes a different message does get shown for unknown user versus failed cert.  The failed CRL checks do at least dump in the message log as DPWNS0165E with the subject and issuer DN of the cert.

The one I was primarily concerned with is with HPDIA0114E when an unknown user is presented.  Those we currently have no ability to know what the subject DN of the cert was.  I expect the user name mapping module gets fired on those, but I wasn't sure if that mapping module has any ability to log.

Thanks for your input!

------------------------------
Matt Jenkins
------------------------------

Original Message:
Sent: Mon February 14, 2022 03:23 PM
From: Scott Exton
Subject: mTLS logging incoming cert details

Matt,

I am a little bit surprised that the same message is shown for both incorrectly validated certificates, and invalid accounts.  The error message which you included above should be the one which is shown when an unknown user is presented, but I would have expected a different error to be shown if the certificate is not accepted by WebSEAL.  The reason for this is that the certificate validation occurs when the user attempts to establish the SSL session with WebSEAL (using GSKit), while the user validation (i.e. mapping of user DN to an Verify Access user) takes place within the username mapping module - when WebSEAL attempts to create a credential.

So, you should be able to use HPDIA0114E to determine that a user account is not valid, and a different message (I don't know which) should be used to indicate that the session could not be established because the certificate is invalid (e.g. CRL check, expiration date, untrusted signer, etc).  Is this not happening?

Anyway, I don't believe that there is currently any way to understand why a certificate has been rejected.

Unfortunately changing to an EAI/InfoMap won't help in this situation because WebSEAL still validates the certificate (during SSL network termination), and won't pass the certificate onto the EAI/InfoMap if it is invalid.

I hope that this helps.



------------------------------
Scott Exton
IBM
Gold Coast

Original Message:
Sent: Fri February 11, 2022 10:45 AM
From: Matt Jenkins
Subject: mTLS logging incoming cert details

Does anyone know of any way to log the incoming cert details even if webseal rejects the request?

We get questions every day about operation aborted screens detailing "HPDIA0114E Could not acquire a client credential."  Most of the time it is because the user's cert is not imported in correctly, although sometimes it is because the user's account is not valid in the ISVA registry.  However, there is no log of the incoming cert and/or why it was rejected.

Is there any way to log the incoming cert detail even during instances when webseal rejects them?  It would even be great if we could log when the cert fails CRL check or expiration date, etc.

We use the username mapping module, so the only thing I wondered if there was some way to maybe make that log when it fires.  Otherwise, the only other thing I could think is switching to an EAI/InfoMap to accomplish this logging, but that introduces new dependencies on our existing flows.

Just curious if anyone else has managed to capturing incoming cert details when mTLS is used.  Thanks!

------------------------------
Matt
------------------------------