IBM Support

IBM Secure Gateway unable to connect due to error UNABLE_TO_VERIFY_LEAF_SIGNATURE

Troubleshooting


Problem

IBM Secure Gateway has been installed and configured. The Gateway ID and Security Token are valid, but the Secure Gateway client will not start up successfully.

Symptom

Secure Gateway logs have captured the following error:
The Secure Gateway client will fetch its configuration from https://sgmanagertm1ams.integration.ibmcloud.com/sgconfig/qecQxXVoAmh_tm1ams_dedicated
The ACL file provided during startup will not be imported until a connection has been established to your gateway.
The response is code: UNABLE_TO_VERIFY_LEAF_SIGNATURE, message: unable to verify the first certificate
Process exiting without errors due to user or server request

Cause

There is either a proxy or a firewall on the client side intercepting the outbound TLS request to the Cloud. It has inserted its own certificate into the IBM certificate chain, so the client can no longer verify the chain and rejects the connection.

Environment

IBM Planning Analytics on Cloud
IBM Secure Gateway

Diagnosing The Problem

To diagnose the problem, a Wireshark trace was obtained.
Note: the IPs and client certificates have been removed for security reasons.
Wireshark trace:

We see the secure gateway client reaching out to the tunnel server:
6806    36.857160    ClientIP    ServerIP    TLSv1.2    335    Client Hello
 
Then we see the tunnel server replying:
6866    37.276965    ServerIP    ClientIP    TLSv1.2    1404    Server Hello
 
Next we see an exchange of cert/key:
6868    37.276966    ServerIP    ClientIP    TLSv1.2    1206    Certificate, Server Key Exchange, Server Hello Done
 
Within this packet, we can see the certificate chain:
Certificate: 30820c5c30820b44a003020102020869f90dd67681e09130... (id-at-commonName=*.securegateway.appdomain.cloud,id-at-organizationalUnitName=IBM Cloud,id-at-organizationName=International Business Machines Corporat,id-at-localityName=Ar
          signedCertificate
            version: v3 (2)
            serialNumber: 7xxxxxxxxxxxxxxxx
            signature (sha256WithRSAEncryption)
            issuer: rdnSequence (0)
              rdnSequence: 7 items (pkcs-9-at-emailAddress=support@xxxxxx.com,id-at-commonName=xxxxxx,id-at-organizationalUnitName=Certificate       Authority,id-at-organizationName=xxxxxx,id-at-localityName=xxxxxxx,id-at-stateOrProvinceName=x
            validity
            subject: rdnSequence (0)
              rdnSequence: 6 items (id-at-commonName=*.securegateway.appdomain.cloud,id-at-organizationalUnitName=IBM Cloud,id-at-organizationName=International Business Machines Corporat,id-at-localityName=Armonk,id-at-stateOrProvinceName=New York,id-a
--> emailAddress=support@xxxxxx.com will be the customer's company address or that of their proxy server.
This is NOT correct. What we should see is the following chain, in which the IBM leaf certificate is issued by DigiCert SHA2 Secure Server CA:
Certificate: 308207c1308206a9a00302010202100366c9825f650bdc77... (id-at-commonName=*.securegateway.appdomain.cloud,id-at-organizationalUnitName=IBM Cloud,id-at-organizationName=International Business Machines Corporat,id-at-localityName=Ar
Certificate: 308204943082037ca003020102021001fda3eb6eca75c888... (id-at-commonName=DigiCert SHA2 Secure Server CA,id-at-organizationName=DigiCert Inc,id-at-countryName=US)

Resolving The Problem

To resolve the problem, add the Secure Gateway head server, in this case "sgmanagertm1ams.integration.ibmcloud.com", to the trusted sites of the proxy or firewall so that its connection is no longer intercepted and the original IBM certificate chain reaches the client.

Document Location

Worldwide


Document Information

Modified date:
24 March 2021

UID

ibm16435571