Cluster Mode NetApp FPolicy server-auth mode failing when using third-party CA signed certificates.
The FPolicy server is getting a "tlsv1 alert unknown ca" error while doing the SSL handshake with the FPolicy client.
We have installed the public certificate of the certificate authority (CA) that is used to sign the FPolicy server certificate on the SVM using the following command:
> security certificate install -type client-ca -vserver <vserver name>
Configured the external engine in FPolicy to enable server-auth mode:
Vserver: <vserver name>
Engine: <engine name>
Primary FPolicy Servers: <server ip>
Port Number of FPolicy Service: <server port number>
Secondary FPolicy Servers: -
External Engine Type: asynchronous
SSL Option for External Communication: server-auth
FQDN or Custom Common Name: -
Serial Number of Certificate: -
Certificate Authority: -
Is Resiliency Feature Enabled: false
Maximum Notification Retention Duration: 3m
Directory for Notification Storage: -
In the FPolicy server we are using a certificate file to initialize the SSL server in the following format:
The certificates must be in PEM format and must be sorted starting with the subject's certificate (the actual server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. We are also using the certificate's key file to initialize the SSL server.
Now when we get an FPolicy client connection in the FPolicy server we try to do the SSL handshake, and we get the following error and the SSL handshake fails: "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca".
Note: we are using the OpenSSL library API for the SSL handshake.
Also, the same issue occurs when we use the OpenSSL server tool as the FPolicy server.
Our FPolicy server can handshake and have the cert chain validated with the OpenSSL client tool. The NetApp SVM doesn't work with the OpenSSL server tool using the same certs.
Could anybody let us know where we are going wrong, and what the correct steps are for FPolicy SSL communication using a third-party CA signed certificate? How do we resolve this error/issue?
server-auth: When set to server-auth, only the FPolicy server is authenticated by the Vserver. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate.
The public certificate of the certificate authority (CA) that is used to sign the FPolicy server certificate is installed using the security certificate install command with -type set to client-ca.
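The two things this thread turns on are the order of the PEM chain the FPolicy server presents and whether the CA installed on the SVM as client-ca can actually validate that chain. The script below is an added example, not code from the original post or from NetApp: it builds a constructed lab PKI with the openssl command line (root, intermediate and server certificate; the names "Lab Root CA", "Lab Issuing CA" and "fpolicy.lab.example" are hypothetical), checks that each certificate in the bundle is followed by its issuer, and then runs the same validation a TLS client performs before it sends the "unknown ca" alert. It assumes the SVM's trust check behaves like openssl verify with the installed client-ca certificate as the only trusted CA; the thread does not confirm how ONTAP builds the chain internally, so treat that function as an approximation.

```shell
#!/bin/sh
# Added example: rebuild the FPolicy server-auth trust problem with the openssl CLI.
# Everything here is a constructed lab PKI; the names are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # directory for the generated keys and certificates

# Build root -> intermediate -> server, the shape of a third-party CA signed chain.
# Each CA certificate carries basicConstraints CA:TRUE; without it OpenSSL refuses
# to use the certificate as an issuer while building the chain.
make_test_pki() {
  [ -f "$WORK/chain.pem" ] && return 0      # already generated
  (
    cd "$WORK" &&
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext &&
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:fpolicy.lab.example\n' > server.ext &&
    # Root CA (self-signed); stands in for the third party's root certificate.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA" \
      -keyout root.key -out root.csr 2>/dev/null &&
    openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext \
      -out root.pem 2>/dev/null &&
    # Intermediate (issuing) CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Issuing CA" \
      -keyout inter.key -out inter.csr 2>/dev/null &&
    openssl x509 -req -days 1 -in inter.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile ca.ext -out inter.pem 2>/dev/null &&
    # FPolicy server certificate, signed by the intermediate, not by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fpolicy.lab.example" \
      -keyout server.key -out server.csr 2>/dev/null &&
    openssl x509 -req -days 1 -in server.csr -CA inter.pem -CAkey inter.key \
      -CAcreateserial -extfile server.ext -out server.pem 2>/dev/null &&
    # Chain file in the order the FPolicy server must present it:
    # server certificate first, then the intermediate(s), root last.
    cat server.pem inter.pem root.pem > chain.pem &&
    # The same certificates in the wrong order, for the negative check.
    cat inter.pem server.pem root.pem > wrong-order.pem
  )
}

# Check that every certificate in a PEM bundle is followed by its issuer, which is
# what "sorted starting with the subject's certificate" means in practice.
chain_order_ok() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
    | openssl pkcs7 -print_certs -noout 2>/dev/null \
    | awk 'BEGIN { n = 0 }
           /^subject=/ { sub(/^subject=/, ""); subj[n] = $0 }
           /^issuer=/  { sub(/^issuer=/,  ""); iss[n] = $0; n++ }
           END {
             if (n == 0) exit 1
             for (i = 0; i + 1 < n; i++) if (iss[i] != subj[i + 1]) exit 1
             exit 0
           }'
}

# Approximate the check the SVM runs on the bundle the FPolicy server presents:
# the leading (server) certificate must chain to the CA installed as client-ca,
# using only the other certificates in the bundle as untrusted intermediates.
# A failure here is what a TLS client reports back as "unknown ca".
# Assumption: the SVM's trust store behaves like openssl verify with that one CA.
svm_would_accept() {          # $1 = CA installed on the SVM, $2 = bundle the server sends
  openssl x509 -in "$2" 2>/dev/null \
    | openssl verify -CAfile "$1" -untrusted "$2" >/dev/null 2>&1
}

show() {                      # $1 = label, rest = check to run; prints the outcome
  label=$1; shift
  if "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi
}

make_test_pki
show "chain.pem (server, intermediate, root) order"   chain_order_ok "$WORK/chain.pem"
show "wrong-order.pem (intermediate first) order"     chain_order_ok "$WORK/wrong-order.pem"
show "SVM trusts root, server presents full chain"    svm_would_accept "$WORK/root.pem" "$WORK/chain.pem"
show "SVM trusts root, server presents leaf only"     svm_would_accept "$WORK/root.pem" "$WORK/server.pem"
```

The last check is the situation that produces the alert in the question: the client side knows only the CA it was given, the server sends a leaf whose issuer is not that CA and does not send the intermediate, so no issuer can be found and the handshake is aborted with "unknown ca". Pointing chain_order_ok at the real chain file and svm_would_accept at that file plus the certificate that was actually installed on the SVM narrows the problem to either the order of the bundle or a mismatch between the installed CA and the CA that really signed the server certificate. Set WORK to keep the generated files for inspection.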