This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Failing to access IDR Web resources with certificate chain not verified symptoms

Article Number

000068078

Issue

The IDR web resource are not accessible and client requests are failing with certificate chain not verified symptoms, similar to following based on client used.
  
Caused by: javax.net.ssl.SSLException: Certificate not verified.
at com.rsa.sslj.x.aI.b(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.aK.unwrap(Unknown Source)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
... 33 more
Caused by: com.rsa.sslj.x.aL: Certificate not verified.
at com.rsa.sslj.x.bm.a(Unknown Source)
at com.rsa.sslj.x.bm.a(Unknown Source)
at com.rsa.sslj.x.bm.a(Unknown Source)
... 39 more
Caused by: java.security.cert.CertificateException: the certificate chain is not trusted, Could not validate path.
at com.rsa.sslj.x.cq.a(Unknown Source)
at com.rsa.sslj.x.cq.checkServerTrusted(Unknown Source)
at com.rsa.sslj.x.cq.checkServerTrusted(Unknown Source)
at com.rsa.sslj.x.aF.a(Unknown Source)

 

Cause

IDR v2.17 uses mod_ssl which relies on Admin to upload the certificate chain in ordered manner in Admin console -> Company Settings page.

If the uploaded chain is not ordered properly from leaf issuer to desired issue or upto root certificate authority, the clients having strict validation will fail to establish SSL connection, leading to inaccessible web resource.

 

Resolution

Resolution/Workaround:
1. To find if the order is wrong, please access IDR Portal or setup page or use openssl s_client connect tool. Verify the certificate chain returned is ordered properly.
2. If not so, reorder the chain in any text editor. Starts with the issuing CA certificate of the server certificate and keep appending its issuer till desired intermediate issuer or you reach upto the root CA certificate.
3. Upload it in Admin console and Publish.
4. After publishing re-verify the cert chain by following step#1.

Workaround

Reconnect the AM with CAS via Security Console and disable the old legacy option via the Operations Console
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2023-02-16 09:13 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.