Nexus' software components have new names:

Nexus PRIME -> Smart ID Identity Manager
Nexus Certificate Manager -> Smart ID Certificate Manager
Nexus Hybrid Access Gateway -> Smart ID Digital Access component
Nexus Personal -> Smart ID clients




In Smart ID Digital Access component (Hybrid Access Gateway) 5.13.3, the Java version shipped with the release is updated to 1.8.0 u202. Because of this, Hybrid Access Gateway now supports endpoint identification during secure (LDAPS) connections to the user storage: it validates the fully qualified domain name (FQDN) of the user storage as configured in Hybrid Access Gateway against the FQDN in the server certificate.

If your certificate does not pass this check, you will see the following messages in the system logs:

Example: log messages in system logs
2019-09-11 10:57:00 WARNING "SSL Handshake failed! Certificate problems, 128-160.yourdomain.com:636"
2019-09-11 10:57:00 WARNING "Could not connect to user storage Local on ldaps://128-160.yourdomain.com:636"
2019-09-11 10:57:00 WARNING "LDAP search failed, javax.naming.CommunicationException,128-160.yourdomain.com:636 base , filter (objectclass=*), scope 0"

For more information, see Java release notes.

Step-by-step instruction

Option 1 - Adapt certificate

To fix this problem, we recommend that you adapt the certificate:

  1. Make sure that the Common Name (CN) part of your certificate reflects the same FQDN that is configured in Hybrid Access Gateway.

Option 2 - Disable endpoint identification

This option is less recommended than Option 1.

If you decide that endpoint identification is of no value to your use case, you can instead disable it.

To do this, you must add a JVM flag to each of the administration, policy and authentication services via the customize.conf file:

  1. If there is no customize.conf file, you must first create it:

    1. Copy the template file. Type at the prompt:

      Example: Copy template config file
      cp customize-template.conf customize.conf

    2. Change the owner of the file so that it can be read by the Authentication service:

      Example: Change owner
      chown pwuser:pwuser customize.conf

  2. For each of the administration, policy and authentication services:

    1. Open the configuration file for editing:

      Example: Open configuration file
      /opt/nexus/<servicetype>-service/config/customize.conf

    2. In the section wrapper.java.additional, add the following string:

      Example: Add flag
      -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Contact

If you have any questions, contact your Nexus Partner or Nexus' Technical Support at support@nexusgroup.com.