Novell Access Manager 3.1 SP1 Administration Manual: B.2 Mutual SSL with X.509 Produces Untrusted Chain Messages; B.3 Certificate Command Failure; B.4 Can't Log In with Certificate Error Messages

Administration console guide

8 Click Next > Finish.
9 Use this P7B file to import your server certificate into Access Manager.
B.2 Mutual SSL with X.509 Produces Untrusted Chain Messages
When you set up an X.509 contract for mutual SSL authentication, you must ensure that the Identity
Server trust store (NIDP-truststore) contains the trusted root from each CA that has signed the client
certificates. If a client has a certificate signed by a CA that is not in the NIDP-truststore,
authentication fails.
To add a certificate to the NIDP-truststore:
1 In the Administration Console, click Security > Certificates > Trusted Roots > NIDP-truststore.
2 Click either Add or Auto-Import From Server and follow the prompts.
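A pre-flight check for the requirement above, as an added example that is not part of the Novell manual: it reports each client certificate whose signing CA is missing from the trusted roots, which is the root to add in step 2. It assumes the roots in NIDP-truststore have been exported to one PEM bundle and that the client certificates are PEM files issued directly by a root; the function names and the throwaway test PKI are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the manual. Assumption: the trusted roots in
# NIDP-truststore were exported to one PEM bundle, and the client certificates
# to test are PEM files issued directly by a root (no intermediates).

# chains_to_bundle BUNDLE CERT: succeeds only if CERT verifies against BUNDLE.
# -no-CApath (OpenSSL 1.1.0+) disables the system default CA directory.
chains_to_bundle() {
    openssl verify -no-CApath -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# missing_roots BUNDLE CERT...: print "file<TAB>issuer" for every certificate
# whose signing CA is not covered by the bundle. No output means all chain.
missing_roots() {
    local bundle=$1 cert; shift
    for cert in "$@"; do
        chains_to_bundle "$bundle" "$cert" && continue
        printf '%s\t%s\n' "${cert##*/}" "$(openssl x509 -in "$cert" -noout -issuer)"
    done
}

# make_demo_pki DIR: constructed test data only. Two throwaway roots (A, B),
# one client certificate signed by each, and a bundle holding root A alone.
make_demo_pki() {
    local d=$1 ca
    for ca in A B; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed Root $ca" \
            -keyout "$d/root$ca.key" -out "$d/root$ca.pem" 2>/dev/null
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=user-$ca" \
            -keyout "$d/user$ca.key" -out "$d/user$ca.csr" 2>/dev/null
        openssl x509 -req -in "$d/user$ca.csr" -days 1 -CA "$d/root$ca.pem" \
            -CAkey "$d/root$ca.key" -CAcreateserial -out "$d/user$ca.pem" 2>/dev/null
    done
    cp "$d/rootA.pem" "$d/bundle.pem"
}

# Run with the argument "demo" to exercise the check on the constructed PKI;
# userB.pem is reported because root B is not in the bundle.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_demo_pki "$tmp"
    missing_roots "$tmp/bundle.pem" "$tmp/userA.pem" "$tmp/userB.pem"
    rm -rf "$tmp"
fi
```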
B.3 Certificate Command Failure
Certificate commands are generated when you upgrade the Administration Console, and you should
ensure that they have completed successfully (click Access Manager > Certificates > Command
Status).
If a certificate command fails:
1 Note the destination trust store or keystore.
2 Click Auditing > Troubleshooting > Certificates.
3 Select the store, then click Re-push certificates.
This pushes all assigned certificates to the store. You can re-push certificates multiple times
without causing any problems.
B.4 Can't Log In with Certificate Error Messages
After an upgrade, if your users can't log in to access protected resources and the failure messages
contain certificate error messages, you might need to manually push the certificates from the
Administration Console to the Access Gateway.
To re-push a certificate:
For a reverse proxy certificate, go to the Reverse Proxy page, select a different certificate, click
OK, return to the Reverse Proxy page, select the correct certificate, then click OK.
For a Web server certificate, go to the Web Server page, select a different SSL mutual
certificate, click OK, return to the Web Server page, select the correct certificate, click OK, then
apply the changes.
Troubleshooting Certificate Issues 113
