After configuring OneClick for SSL, we are unable to open the OneClick Web page. Looking in the tomcat logs we see the SSL connector initialize and start. There are no errors logged for Tomcat, yet the page fails to open. The only error seen is on the browser side, which is "ERR_BAD_SSL_CLIENT_AUTH_CERT".
The error means the browser was asked for a client certificate (TLS client authentication) and could not present an acceptable one. OneClick does not need client certificates, and in most cases the SSL Connector was never meant to ask for one.
The Connector attribute responsible is clientAuth, which is rarely used. Open the $SPECROOT/tomcat/conf/server.xml file and check whether the SSL Connector has clientAuth="true". If it does, Tomcat demands a valid certificate from every browser, and a browser that has none fails with this error while Tomcat logs nothing, because from its side the handshake simply ended. Set clientAuth="false" (or remove the attribute, since false is the default) and restart Tomcat; browsers will then connect and open the Web page. To confirm what the server is asking for, run `openssl s_client -connect <fully_qualified_host_name>:443` (8443 on UNIX): when the Connector requests a client certificate the output contains "Acceptable client certificate CA names" followed by the CA list; after the change it reports "No client certificate CA names sent".
An example of a typical SSL Connector for OneClick is below (only the general attributes are shown; the protocol and keystore attributes are site-specific and omitted):

    <Connector port="443"
        enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
        acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
        ... />
The preceding XML fragment is Windows-specific: 443 is the default port on which the OneClick web server listens for SSL connections, so end users can omit the port from the URL for the OneClick home page: https://<fully_qualified_host_name>/spectrum.
On a UNIX-based installation the OneClick web server does not run as root, so it cannot bind a privileged port (anything below 1024) and the default port is 8443. End users must therefore include the port number in the URL when they access the OneClick home page: https://<fully_qualified_host_name>:8443/spectrum.
Optional Configuration Changes:
- To prevent a client from negotiating Tomcat back down to SSLv3 (the POODLE vulnerability, CVE-2014-3566), add sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" to the Connector configuration. The attribute applies to the JSSE connector shown above; with it set, a client that offers only SSLv3 is refused instead of being downgraded. If every client can do TLS 1.2, sslEnabledProtocols="TLSv1.2" is the safer choice, since TLS 1.0 and 1.1 are themselves deprecated.
- The Diffie-Hellman cipher suites TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_DSS_WITH_AES_128_CBC_SHA are known to cause the secure connection to fail in browsers with enhanced security, such as Firefox and Chrome. The cause is the ephemeral DH parameters: older JVMs generate short (768-bit) DH keys for these suites, and since the Logjam fixes in 2015 browsers reject DH groups shorter than 1024 bits (Firefox reports SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY). To resolve this, remove these suites from the Connector's ciphers attribute; if the Connector has no ciphers attribute the JVM default list applies, so add one that lists only the suites you want, preferably ECDHE suites. On Java 8 and later you can instead keep the suites and raise the DH key size with -Djdk.tls.ephemeralDHKeySize=2048 in the Tomcat JVM options.
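Added example (my code, not OneClick's or Tomcat's) that covers both the clientAuth check above and the two optional changes: a small Python audit of the SSL Connector attributes in a server.xml. The two server.xml documents are constructed for illustration, the keystore path in them is made up, and the audit assumes the attribute-style Connector shown on this page (Tomcat 7 and 8.0; Tomcat 8.5 and later move these settings into a nested SSLHostConfig element, where clientAuth becomes certificateVerification).

```python
# Added example, not part of the Spectrum/OneClick product or of Tomcat:
# audit the SSL Connector(s) in a Tomcat server.xml for the settings
# discussed on this page (clientAuth, sslEnabledProtocols, DHE suites).
import xml.etree.ElementTree as ET

# The two DHE suites the article says enhanced-security browsers reject.
WEAK_DHE_SUITES = {
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
}


def audit_connector(conn):
    """Return a list of findings for one <Connector>; an empty list means it passed."""
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        return findings  # plain HTTP connector: nothing SSL-related to check
    port = conn.get("port", "?")

    # 1. clientAuth="true" makes Tomcat demand a browser certificate, which is
    #    what produces ERR_BAD_SSL_CLIENT_AUTH_CERT on an ordinary browser.
    #    "want" is not flagged: Tomcat asks but still accepts clients without one.
    if conn.get("clientAuth", "false").lower() == "true":
        findings.append(f'port {port}: clientAuth="true" (set to "false" or remove it)')

    # 2. Without sslEnabledProtocols the JVM default list applies, which on
    #    older JVMs still includes SSLv3 (POODLE).
    protos = conn.get("sslEnabledProtocols")
    if protos is None:
        findings.append(f"port {port}: sslEnabledProtocols not set (SSLv3 may be negotiable)")
    elif "SSLv3" in {p.strip() for p in protos.split(",")}:
        findings.append(f"port {port}: SSLv3 explicitly enabled in sslEnabledProtocols")

    # 3. The DHE suites: flag them if listed, or if no explicit list is given
    #    (the JVM default suite list includes them).
    ciphers = conn.get("ciphers")
    if ciphers is None:
        findings.append(f"port {port}: ciphers not set (JVM default list includes the DHE suites)")
    else:
        bad = sorted(WEAK_DHE_SUITES & {c.strip() for c in ciphers.split(",")})
        if bad:
            findings.append(f"port {port}: weak DHE suites enabled: {', '.join(bad)}")
    return findings


def audit_server_xml(xml_text):
    """Audit every Connector in a server.xml document; returns {port: [findings]}."""
    root = ET.fromstring(xml_text)
    return {c.get("port", "?"): audit_connector(c) for c in root.iter("Connector")}


# Constructed sample 1: a Windows-style connector with the problem settings
# (keystore path is made up; the 8080 connector shows non-SSL ones are skipped).
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
      acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
      clientAuth="true" keystoreFile="conf/oneclick.keystore"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA"/>
</Service></Server>"""

# Constructed sample 2: the same connector with the three fixes applied.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      enableLookups="true" disableUploadTimeout="true" tcpNoDelay="true"
      acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
      clientAuth="false" keystoreFile="conf/oneclick.keystore"
      sslEnabledProtocols="TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for port, findings in audit_server_xml(doc).items():
            print(f"[{label}] port {port}: {findings or 'OK'}")
```

To check a real installation, pass the contents of $SPECROOT/tomcat/conf/server.xml (with $SPECROOT expanded) to audit_server_xml and restart Tomcat after any change; the audit reads attributes only, so a Connector that Tomcat would reject for other reasons (missing keystore, bad password) still needs the catalina log.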