0

I am getting Untrusted Certificate error (Response Code: 401) with Solace Client Certificate Authentication Scheme.

Here are the details of the configuration made:
- Created self-signed server and client certificates in PEM format (with private keys)
- Uploaded both to the Certs folder on the Solace VMR
- Configured the server certificate to be used as the Server Certificate on the Solace VMR
- Added the client certificate to the trusted-root (Configure/authentication) trusted-root
- From the client, set the properties below on the session object (on top of other required properties):
    objSessionProperties.SSLClientCertificateFile
    objSessionProperties.SSLClientPrivateKeyFile
    objSessionProperties.SSLClientPrivateKeyFilePassword

After doing the above, I can call Create Session successfully, whereas connecting the session leads to an exception. Here is the error information received from Solace:
{(Subcode=LoginFailure, Error string=Untrusted Certificate, Response code= 401 )}

Thanks for your help in advance.

Thanks.

Shailesh

2 Answers

0

The "Untrusted Certificate" login failure error indicates that the appliance rejected the client because it does not trust the client's certificate provided in "SSLClientCertificateFile". You should verify that the certificate authority (CA) certificate of the CA that signed your client certificate is configured on the appliance as a trusted root certificate.

Alexandra Masse
  • I am getting this issue with the self-signed certificate. I have added the CN name to the SSLTrustedCommonNameList property as well as added the client certificate to the trusted-root file on the Solace VMR. Is there any other configuration required here? – Shailesh Mar 08 '18 at 10:32
0

My solution for the client on Java was creating a .p12 file as needed for the property SSL Key Store Format (see this page). To get p12 file you can use this
The next step was to set up my properties:
    keystore-location=/{path}/keyStore.p12, where the path is from the root
    keystore-password-location=configuration/fileWithPasswordForP12File.properties to provide the password to decode the data from the keyStore.p12 file

After these properties take effect you can get a 403 error: 403 Client Certificate Authentication is Shutdown
To resolve it you need to configure the server certificate for every VPN from Solace (see doc) this way:
    solace(configure)# message-vpn <vpn-name>
    solace(configure/message-vpn)# authentication
    solace(configure/message-vpn/authentication)# oauth
    solace(...gure/message-vpn/authentication/oauth)# no shutdown

You can verify current user's certificate content from Solace UI:
System->UserMgmt->User Authentication->{select user from Client Certificate Authority Name}->Edit->Change Certificate
This content must match the decoded data in keyStore.p12 and uploaded certificate on solace server from the folder /usr/sw/jail/certs

Evan
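
The two checks the answers above describe can be run locally with openssl before changing anything on the broker: whether a client certificate chains to a given trusted-root PEM, and whether the certificate inside a .p12 keystore is the same one as a PEM file. This is an added example, not part of either answer; the throwaway CA, file names, CNs and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. All certificates are constructed throwaway test material;
# file names, CNs and the password "changeit" are hypothetical.

# make_test_pki DIR: a CA, a client cert signed by it, an unrelated self-signed
# cert, and a PKCS#12 keystore holding the client cert and key.
make_test_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-selfsigned" \
        -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null || return 1
    # A command-line password is acceptable only for this throwaway key.
    openssl pkcs12 -export -in "$d/client.pem" -inkey "$d/client.key" \
        -name example-client -passout pass:changeit -out "$d/keyStore.p12" 2>/dev/null
}

# cert_trusted_by CERT ROOTS: succeeds only if CERT chains to a certificate in
# the PEM bundle ROOTS (a local stand-in for the broker's trusted-root list).
cert_trusted_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# fingerprint_pem CERT: SHA-256 fingerprint of a PEM certificate.
fingerprint_pem() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# fingerprint_p12 P12 PASSWORD: fingerprint of the client certificate stored
# in a PKCS#12 keystore (private key is not exported).
fingerprint_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
```

A CA-signed client certificate passes `cert_trusted_by` only against a bundle containing its CA, while a self-signed one passes only when that exact certificate is in the bundle.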