Policy Server backend CA Directory Session Store over SSL reports error : "SSL3 alert read: fatal: bad certificate"

Document ID : KB000008006
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We are running Policy Server, when this one tries to connect to the backend CA Directory Session Store over SSL, it fails. The CA Directory

Session Store reports error :

 

! [5] Accepting call from TCP 10.22.232.148:13223 

! [0] Accepting call from TCP 10.22.232.148:13225 

! [3] STATE: SSL3 alert read: fatal: bad certificate 

! [3] STATE: SSL_accept: failed in SSLv3 read client certificate A 

? [3] 20170831.115804.432 WARN : SSL Error 

? [3] 20170831.115804.432 WARN : 7fffcc0180c8- 15030300 02022a ......* 

? [3] 20170831.115804.432 WARN : 3:error:14094412:SSL routines:ssl3_read_bytes: 

sslv3 alert bad certificate:s3_pkt.c:1487:SSL alert number 42 

3:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:s3_pkt.c:1210: 

? [3] 20170831.115804.432 WARN : ssld_ssl_request failed 

? [3] 20170831.115804.432 WARN : TLS/SSL handshake failed for call from 

10.22.232.148:13223 

? [3] 20170831.115804.433 WARN : comms_recv: Connection reset by peer 

! [3] Call closed 12 

 

How can we solve that ?

Environment:
Policy Server 12.7 on RedHat 7; CA Directory 12.6.02;
Cause:

The same CA Directory server handles 3 instances of LDAP server : 1 Policy Store, 1 Key Store and 1 Session Store. Certificates defined at CA Directory level are self signed certificates, and some have the same serial number which is causing a conflict on the client side (Policy Server)

Resolution:

To solve the issue, you need to sign with a CA the certificate from each instance by doing the following : 

 

• Stop Policy Server

• Stop all CA Directory DSA instances (dxserver stop all)

• Remove all bad certificates (.pem files) in folder <CA-DIR>/ssld/personalities 

• Execute the command dxcergen report to be sure there is no certificate for Policy Store, Key Store and Session Store 

• Create new cert request for each DSA: Policy Store, Key Store, Session Store using the command: dxcertgen -D <dsaname> certreq

• Sign the CSR with the your CA and merge the new certificates

• Start all DSA instances (dxserver start all)

• Start Policy Server and verify the correct connection to Policy Store, Key Store and Session Store