CLEANACCESS Archives

February 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Ryan Dorman <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Thu, 2 Feb 2006 09:01:58 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (119 lines)
Cal et al.

    I also have IPS CA certs on my CCA boxen.  Have you found that sometimes
for no good reasons IE just doesn't seem to trust the root authority.  It
seems that on 90% of computers, it works just fine.  Then here and there it
will give untrusted publisher warnings and the like.  Same up to date
versions of IE.  Haven't seen the issue with Firefox yet. Any clues?
-- 
Ryan Dorman, CCNP
Network Engineering Specialist
Millersville University
717.871.5883

On 2/1/06 7:38 PM, "Rajesh Nair (rajnair)" <[log in to unmask]> wrote:

> The latest 3.5 docs do have more information regarding this.  Also, the
> latest 3.5 interface for certs is better.  And the 3.6 interface for
> certs is a lot better.
> 
> For the latest docs:
> http://www.cisco.com/en/US/products/ps6128/products_user_guide_list.html
> 
> -Rajesh. 
> 
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of Cal Frye
> Sent: Wednesday, February 01, 2006 12:10 PM
> To: [log in to unmask]
> Subject: Re: SSL Shared Secret broken?
> 
> Ah, option (2), Trust a non-standard CA using the CAM's certificate did
> the trick. I will try the first option on my still-in-testing box.
> Thanks for the quick reply -- I needed it this time!
> 
> The IPS-Securadores root cert does appear in all the browsers I've
> tested so far, so at least that part is satisfied. Thanks again for the
> pointer to this one -- it's not that clear from the documents I have at
> hand (Version 3.5.4 in production, docs are from 3.5.3, it would
> appear.) Hopefully this is fixed in the newer documents.
> 
> --Cal Frye, Network Administrator, Oberlin College
>    www.calfrye.com, www.pitalabs.com, www.ouuf.org
> 
>   "If you must choose between two evils, pick the one you've never tried
> before."
> 
> 
> Rajesh Nair (rajnair) wrote:
>> Cal,
>> 
>> The error message means that the CASs are unable to trust the CAM's
>> certificate for some reason.  This might be due to an inability to
>> validate the CAM's SSL certificate chain (ssl cert -> intermediate
>> (maybe more than one) -> root).
>> 
>> There are two possible solutions here:
>> 
>> 1) Create a file which has the CAM's cert and intermediate certs in
>> the same file (i.e. just one after another) and import that into the
>> CAM as the CAM's certificate.  Then, what happens is that during the
>> SSL conversation, the CAM will hand the entire chain in one go to the
>> CAS and the CAS should be able to validate the CAM's cert.
>> 
>> 2) The other option would be to import the CAM's certificate into the
>> CAS as a trusted root cert. This will cause the CASs to automatically
>> trust the CAM's cert.
>> 
>> HTH,
>> -Rajesh.
>> 
>> -----Original Message-----
>> From: Perfigo SecureSmart and CleanMachines Discussion List
>> [mailto:[log in to unmask]] On Behalf Of Cal Frye
>> Sent: Wednesday, February 01, 2006 11:43 AM
>> To: [log in to unmask]
>> Subject: SSL Shared Secret broken?
>> 
>> OK, I finally went ahead and installed "real" certificates on
>> each of 3 CAS and my CAM. It appears I broke the shared secret the CAS
>> were using to speak to the CAM; after a user authenticates, the error
>> message is returned:
>> 
>> CAS could not establish a secure connection with [CAM] This could be
>> due to one of the following reasons: 1) Clean Access Manager
>> certificate has expired 2) CAM certificate cannot be trusted or 3) CAM
>> cannot be reached. Please report this to your network administrator.
>> 
>> My certs are from ipsCA, just obtained yesterday. They were issued for
>> the FQDN for each server. I had to import the intermediate CA
>> certificate, in addition to the signed cert for each box, but in each
>> case the combined operation yielded success. And from the Manager, I
>> am able to connect and manage each of the CAS servers, even following
>> a reboot. But the error following authentication attempts remains.
>> 
>> My inclination is to go back into config and recreate the shared
>> secret, but does anyone here happen to have a different thought? We're
>> on Winter Term, so our population is slight, but they're returning for
>> next week's start of semester, so it's becoming urgent... Many thanks
>> in advance.
>> 
>> --
>> --Cal Frye, Network Administrator, Oberlin College
>>    www.calfrye.com, www.pitalabs.com, www.ouuf.org
>> 
>>   "Politics is principally about who decides, who pays and who is held
>> accountable." -- Ralph Nader.
>> 
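The failure Cal ran into, and the two fixes Rajesh describes, can be reproduced offline with a throwaway PKI. The script below is an added example, not code from this thread, from Cisco Clean Access or from ipsCA; it assumes only that the `openssl` command line tool (1.1.0 or later) is on PATH, and every name in it (Demo Root CA, Demo Intermediate CA, cam.example.edu) is constructed. `openssl verify` stands in for the check the CAS performs on the CAM's certificate: it fails when the server presents only its own certificate, passes once the certificate file is the leaf followed by its intermediate (fix 1), and passes when the leaf itself is the trust anchor (fix 2).

```shell
#!/bin/sh
# Added demonstration, not code from the thread or from Cisco Clean Access.
# Builds a throwaway PKI (root CA -> intermediate CA -> server cert, all names
# constructed) and uses `openssl verify` to stand in for the CAS-side check of
# the CAM's certificate. Assumes the openssl CLI (1.1.0+, for exit-status
# semantics and -partial_chain) is on PATH.
set -e

WORK=$(mktemp -d)

# Self-contained request config so the demo does not rely on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# issue_cert NAME SUBJECT ISSUER EXTENSIONS: create a key + CSR for NAME and
# sign it with ISSUER's key, applying the given extension lines.
issue_cert() {
    printf '%s\n' "$4" > "$WORK/$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_pki: the root CA (what the "CAS" trusts), an intermediate CA, and the
# "CAM" server certificate issued by that intermediate.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 30 \
        -subj "/CN=Demo Root CA" >/dev/null 2>&1
    issue_cert intermediate "/CN=Demo Intermediate CA" root \
        "basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign"
    issue_cert cam "/CN=cam.example.edu" intermediate \
        "basicConstraints = CA:FALSE
subjectAltName = DNS:cam.example.edu"
}

# verify_chain TRUST_STORE PRESENTED_BUNDLE: what a client holding TRUST_STORE
# decides about the CAM cert when the server hands it PRESENTED_BUNDLE.
# Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$WORK/cam.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# make_bundle: fix 1 from the thread. The server cert followed by its
# intermediate(s) in one file, so the server sends the whole chain in one go.
# Prints the bundle path.
make_bundle() {
    cat "$WORK/cam.pem" "$WORK/intermediate.pem" > "$WORK/chain.pem"
    echo "$WORK/chain.pem"
}

# verify_direct_trust: fix 2 from the thread, the client trusts the CAM cert
# itself as an anchor. OpenSSL only accepts a non-self-signed anchor with
# -partial_chain; the thread reports the CAS accepts an imported CAM cert
# directly. Prints OK or FAIL.
verify_direct_trust() {
    if openssl verify -partial_chain -CAfile "$WORK/cam.pem" "$WORK/cam.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

make_pki
echo "leaf only, root trusted:         $(verify_chain "$WORK/root.pem" "$WORK/cam.pem")"
echo "leaf+intermediate, root trusted: $(verify_chain "$WORK/root.pem" "$(make_bundle)")"
echo "leaf trusted directly:           $(verify_direct_trust)"
```

On a deployed box the equivalent check is `openssl s_client -connect <cam-host>:443 -showcerts`, which prints exactly the certificates the CAM hands out; if the intermediate is not among them, only clients that already hold it will validate. That is also a common cause of the on-and-off behaviour Ryan describes: a Windows client that has cached the ipsCA intermediate from an earlier site passes, a fresh one fails, with the same browser version on both.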
