SGD 4.50.933 - Active Directory, Windows CA, import chained ca certs

832484 (Jan 19 2011)
Hi all,

First of all, I am using SGD Version 4.50.933.

I had to refresh my TLS-certificates because of a domain name change.

I have two SGD hosts, which are clustered, and both are authenticating users against an Active Directory domain.

The TLS certificates are signed by the internal, AD-integrated CA, which runs on Windows 2k8 servers (probably even R2). The signing CA is a Sub-CA of the Root CA in the AD domain, so I need to import the whole CA certificate chain into the tarantella certificate store.

Without this import (just the Root-CA is imported), I get an error message:

Title: Error - Secure Global Desktop Client

Cannot connect to the server $name.fqdn:443
Unknown error.

Excerpt from /opt/tarantella/var/log/error.log:
,--
2011/01/20 12:12:46.077 ssl14936 ssldaemon/handshake/incompleteerror
Sun Secure Global Desktop Software (4.5) ERROR:

Client $IP:$PORT has failed to complete an initial SSL connection.
Reported SSL error:
Check the client supports SSL. Web browsers must support JDK 1.1.
Check client for errors. ssldaemon/handshake/incompleteerror
'--

What I already tried:
# tarantella security customca --rootfile my_certs.pem

where my_certs.pem contains a concatenation of the two CA .pem files, the first one being the Sub-CA which signed my TLS certificates (according to http://secure.accessaims.com/tarantella/help/en-us/tsp/indepth/certs_chaining.html).

But I got an error message:
Error: Could not find the root file - $file.pem

If I try to import the Sub CA I get the openssl error:
error 20 at 0 depth lookup:unable to get local issuer certificate

which means the issuer (the AD Root CA) is not known.

There are known incompatibilities between Windows Server 2k8 CA certificates and Windows Server 2k3 or Windows XP before SP3: http://timjacobs.blogspot.com/2008/04/windows-2008-certificate-authority-and.html

Could this also be a problem with SGD, if it does not support the ciphers?

How can I check the certs for compatibility?

How do I have to concatenate the certs to get it to work with SGD?

Best Regards
Kai
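Added example, not part of the original post and not Oracle/SGD tooling: a small POSIX shell script that does the two checks the question asks for with the openssl CLI. It orders a set of CA files into the chain that actually signed the server certificate (signing Sub-CA first, root last, the layout the post describes for the --rootfile bundle), names the missing link when a candidate is absent, verifies the server certificate against the finished bundle, and prints each certificate's subject, issuer and signature algorithm so a CA signing with an algorithm an older client cannot handle stands out. It assumes only that the openssl binary is on PATH; whether SGD itself accepts the resulting bundle is outside what the script can test. The file name sgd_chain.sh and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the forum post, not Oracle/SGD code).
# Assumes the openssl CLI is installed; file and function names are the example's own.

# Hash of the subject DN of the first certificate in a PEM file.
cert_subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }

# Hash of the issuer DN of the first certificate in a PEM file.
cert_issuer_hash() { openssl x509 -noout -issuer_hash -in "$1"; }

# True when subject and issuer match, i.e. the certificate is a self-signed root.
cert_is_self_signed() {
    [ "$(cert_subject_hash "$1")" = "$(cert_issuer_hash "$1")" ]
}

# Subject, issuer and signature algorithm of one certificate, for a quick
# compatibility look (e.g. a CA signing with an algorithm an old client lacks).
cert_summary() {
    openssl x509 -noout -subject -issuer -in "$1"
    openssl x509 -noout -text -in "$1" | grep 'Signature Algorithm' | head -n 1
}

# build_chain LEAF OUT CA1 CA2 ...
# Starting from LEAF's issuer, picks the candidate whose subject matches, appends
# it to OUT, and repeats with that certificate's issuer until a self-signed root
# is reached. Result: Sub-CA first, root last. Fails and names the gap when no
# candidate carries the subject the previous certificate names as its issuer.
build_chain() {
    bc_leaf=$1; bc_out=$2; shift 2
    : > "$bc_out"
    bc_want=$(cert_issuer_hash "$bc_leaf")
    bc_depth=0
    while [ "$bc_depth" -lt 10 ]; do          # hard stop against a looping chain
        bc_found=
        for bc_ca in "$@"; do
            if [ "$(cert_subject_hash "$bc_ca")" = "$bc_want" ]; then
                bc_found=$bc_ca; break
            fi
        done
        if [ -z "$bc_found" ]; then
            echo "build_chain: no candidate has subject hash $bc_want (issuer of the previous certificate)" >&2
            return 1
        fi
        cat "$bc_found" >> "$bc_out"
        if cert_is_self_signed "$bc_found"; then
            return 0                          # root reached, chain complete
        fi
        bc_want=$(cert_issuer_hash "$bc_found")
        bc_depth=$((bc_depth + 1))
    done
    echo "build_chain: chain longer than 10 certificates, giving up" >&2
    return 1
}

# verify_chain LEAF BUNDLE
# Full signature and validity check of LEAF against BUNDLE, which must hold every
# CA up to the root. With the root alone in BUNDLE openssl reports the same
# "error 20 ... unable to get local issuer certificate" quoted in the post.
verify_chain() {
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Usage: sh sgd_chain.sh server.pem out_bundle.pem subca.pem rootca.pem [more CAs...]
if [ "$#" -ge 4 ]; then
    sc_leaf=$1; sc_out=$2; shift 2
    if build_chain "$sc_leaf" "$sc_out" "$@" && verify_chain "$sc_leaf" "$sc_out"; then
        echo "chain written to $sc_out and verifies against $sc_leaf"
    else
        echo "chain does not verify; inspect each certificate:" >&2
        for sc_f in "$sc_leaf" "$@"; do cert_summary "$sc_f"; done
        exit 1
    fi
fi
```

The subject/issuer hashes only decide the order; the signature itself is checked by verify_chain, which hands the whole bundle to openssl verify the way the certificate store would use it. If the build step stops with a "no candidate" message, the printed hash is the issuer that is missing from the files you exported, which is the situation behind an error 20 during import.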
Locked on Feb 16 2011