CLEANACCESS Archives

February 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Rajesh Nair (rajnair)" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Wed, 1 Feb 2006 11:49:45 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (59 lines)
Cal,

The error message means that the CASs are unable to trust the CAM's
certificate for some reason.  This might be due to an inability to
validate the CAM's SSL certificate chain (ssl cert -> intermediate
(maybe more than one) -> root).

There are two possible solutions here:

1) Create a file which has the CAM's cert and intermediate certs in the
same file (i.e. just one after another) and import that into the CAM as
the CAM's certificate.  Then, what happens is that during the SSL
conversation, the CAM will hand the entire chain in one go to the CAS
and the CAS should be able to validate the CAM's cert. 

2) The other option would be to import the CAM's certificate into the
CAS as a trusted root cert. This will cause the CASs to automatically
trust the CAM's cert. 

HTH,
-Rajesh.

-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Cal Frye
Sent: Wednesday, February 01, 2006 11:43 AM
To: [log in to unmask]
Subject: SSL Shared Secret broken?

OK, I finally went ahead and installed "real" certificates on each
of 3 CAS and my CAM. It appears I broke the shared secret the CAS were
using to speak to the CAM; after a user authenticates, the error message
is returned:

CAS could not establish a secure connection with [CAM] This could be due
to one of the following reasons: 1) Clean Access Manager certificate has
expired 2) CAM certificate cannot be trusted or 3) CAM cannot be
reached. Please report this to your network administrator.

My certs are from ipsCA, just obtained yesterday. They were issued for
the FQDN for each server. I had to import the intermediate CA
certificate, in addition to the signed cert for each box, but in each
case the combined operation yielded success. And from the Manager, I am
able to connect and manage each of the CAS servers, even following a
reboot. But the error following authentication attempts remains.

My inclination is to go back into config and recreate the shared
secret, but does anyone here happen to have a different thought? We're
on Winter Term, so our population is slight, but they're returning for
next week's start of semester, so it's becoming urgent... Many thanks in
advance.

--
--Cal Frye, Network Administrator, Oberlin College
   www.calfrye.com, www.pitalabs.com, www.ouuf.org

  "Politics is principally about who decides, who pays and who is held
accountable." -- Ralph Nader.

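The thread above describes a chain-validation failure and two ways out of it. The script below is an added example, not code from the list, from Cisco, or from Perfigo: it builds a throwaway root -> intermediate -> CAM PKI with the openssl CLI and reproduces the check the CAS performs on the CAM certificate, first with only the leaf (the situation Cal reports), then with Rajesh's fix 1 (leaf and intermediate concatenated into one file so the whole chain is presented) and fix 2 (the CAM cert itself imported as a trust anchor). All names, paths and certificates are constructed for the demo; the `-untrusted` option stands in for the chain a server sends during the handshake, and `-partial_chain` models trusting a non-self-signed certificate directly. Neither is a Clean Access command, and the page says nothing about how the appliances implement their import. Requires OpenSSL 1.1.1 or later on PATH.

```shell
#!/usr/bin/env bash
# Added example: reproduce the CAS -> CAM certificate trust check with openssl.
# Everything here (CA names, hostnames, files) is constructed for the demo.
set -euo pipefail

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# sign_cert CSR OUT EXTFILE CA_CERT|self CA_KEY
# Sign a CSR with the given CA, or self-sign it when CA_CERT is "self". The
# extension file is what makes the CAs real CAs and the leaf a plain end entity.
sign_cert() {
  if [ "$4" = self ]; then
    openssl x509 -req -in "$1" -signkey "$5" -days 2 -sha256 \
      -extfile "$3" -out "$2" 2>/dev/null
  else
    openssl x509 -req -in "$1" -CA "$4" -CAkey "$5" -CAcreateserial \
      -days 2 -sha256 -extfile "$3" -out "$2" 2>/dev/null
  fi
}

# Build root -> intermediate -> CAM leaf, plus the chain file from fix 1.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:cam.example.invalid\n' \
    > "$WORK/leaf.ext"

  for name in root inter cam; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Test $name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  sign_cert "$WORK/root.csr"  "$WORK/root.pem"  "$WORK/ca.ext"   self              "$WORK/root.key"
  sign_cert "$WORK/inter.csr" "$WORK/inter.pem" "$WORK/ca.ext"   "$WORK/root.pem"  "$WORK/root.key"
  sign_cert "$WORK/cam.csr"   "$WORK/cam.pem"   "$WORK/leaf.ext" "$WORK/inter.pem" "$WORK/inter.key"

  # Fix 1 from the thread: the CAM's own cert followed by the intermediate(s)
  # in one PEM file, so the CAM hands the entire chain over in one go.
  cat "$WORK/cam.pem" "$WORK/inter.pem" > "$WORK/cam-chain.pem"
}

# The CAS trusts only the public root and the CAM presents just its own cert:
# the intermediate is missing, so no chain can be built. This is the failure
# behind "CAM certificate cannot be trusted".
cas_sees_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/cam.pem" >/dev/null 2>&1
}

# Fix 1: the CAM presents leaf + intermediate (modelled with -untrusted) and
# the CAS can now chain the leaf through the intermediate to the root.
cas_sees_full_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/cam-chain.pem" \
    "$WORK/cam.pem" >/dev/null 2>&1
}

# Fix 2: the CAM's certificate is imported on the CAS as a trusted root. The
# anchor is not self-signed, so OpenSSL needs -partial_chain to accept it.
cas_trusts_cam_cert_directly() {
  openssl verify -partial_chain -CAfile "$WORK/cam.pem" "$WORK/cam.pem" >/dev/null 2>&1
}

make_test_pki

report() {  # report FUNCTION DESCRIPTION
  if "$1"; then echo "OK    $1  ($2)"; else echo "FAIL  $1  ($2)"; fi
}
report cas_sees_leaf_only          "intermediate missing: the error Cal reported"
report cas_sees_full_chain         "fix 1: chain file imported on the CAM"
report cas_trusts_cam_cert_directly "fix 2: CAM cert imported on the CAS as trusted root"
```

The order of certificates in the chain file matters: the server's own certificate comes first, followed by the intermediate that issued it, then any further intermediates up to (but normally not including) the root. Fix 2 is the quicker workaround but pins the CAS to one specific CAM certificate, so it has to be repeated whenever the CAM's certificate is renewed; fix 1 keeps the trust rooted in the public CA.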