Troubleshooting
Problem
IBM Secure Gateway has been installed and configured. The Gateway ID and Security Token are valid, but the Secure Gateway (SG) client will not start up successfully.
Symptom
Secure Gateway logs have captured the following error:
The Secure Gateway client will fetch its configuration from https://sgmanagertm1ams.integration.ibmcloud.com/sgconfig/qecQxXVoAmh_tm1ams_dedicated
The ACL file provided during startup will not be imported until a connection has been established to your gateway.
The response is code: UNABLE_TO_VERIFY_LEAF_SIGNATURE, message: unable to verify the first certificate
Process exiting without errors due to user or server request
Cause
A proxy or firewall on the client side is intercepting the outbound TLS connection to the Cloud (TLS inspection, sometimes called SSL break-and-inspect). It terminates the TLS session itself, re-signs the server certificate with its own private CA and presents that certificate to the Secure Gateway client. The client does not trust that CA, so the chain cannot be validated and the connection fails with UNABLE_TO_VERIFY_LEAF_SIGNATURE.
Environment
IBM Planning Analytics on Cloud
IBM Secure Gateway
Diagnosing The Problem
To diagnose the problem, a Wireshark trace was obtained.
Note: IP addresses and certificate identifiers have been redacted for security reasons.
Wireshark trace:
We see the secure gateway client reaching out to the tunnel server:
6806 36.857160 ClientIP ServerIP TLSv1.2 335 Client Hello
Then we see the tunnel server replying:
6866 37.276965 ServerIP ClientIP TLSv1.2 1404 Server Hello
Next we see an exchange of cert/key:
6868 37.276966 ServerIP ClientIP TLSv1.2 1206 Certificate, Server Key Exchange, Server Hello Done
Within this packet we can see the certificate the client was handed. Only a single certificate is presented, and its issuer is not a public CA:
Certificate: 30820c5c30820b44a003020102020869f90dd67681e09130... (id-at-commonName=*.securegateway.appdomain.cloud,id-at-organizationalUnitName=IBM Cloud,id-at-organizationName=International Business Machines Corporat,id-at-localityName=Ar
signedCertificate
version: v3 (2)
serialNumber: 7xxxxxxxxxxxxxxxx
signature (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 7 items (pkcs-9-at-emailAddress=support@xxxxxx.com,id-at-commonName=xxxxxx,id-at-organizationalUnitName=Certificate Authority,id-at-organizationName=xxxxxx,id-at-localityName=xxxxxxx,id-at-stateOrProvinceName=x
validity
subject: rdnSequence (0)
rdnSequence: 6 items (id-at-commonName=*.securegateway.appdomain.cloud,id-at-organizationalUnitName=IBM Cloud,id-at-organizationName=International Business Machines Corporat,id-at-localityName=Armonk,id-at-stateOrProvinceName=New York,id-a
--> The issuer's emailAddress=support@xxxxxx.com is the customer's own company address or that of their proxy vendor: the leaf certificate for *.securegateway.appdomain.cloud has been re-signed by the proxy's private CA rather than by IBM's public CA.
This is NOT correct. Without interception, the server presents a chain issued by a public CA, which is what we should see:
Certificate: 308207c1308206a9a00302010202100366c9825f650bdc77... (id-at-commonName=*.securegateway.appdomain.cloud,id-at-organizationalUnitName=IBM Cloud,id-at-organizationName=International Business Machines Corporat,id-at-localityName=Ar
Certificate: 308204943082037ca003020102021001fda3eb6eca75c888... (id-at-commonName=DigiCert SHA2 Secure Server CA,id-at-organizationName=DigiCert Inc,id-at-countryName=US)
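The same diagnosis can be reproduced from the command line on the machine that runs the Secure Gateway client, without a packet capture. The script below is an added example for this note, not IBM's code: it asks openssl for the leaf certificate that this machine is actually handed and classifies its issuer. The host name is the one from the client log above; the expected issuer CN is taken from the good trace above and is an assumption (IBM may rotate intermediates), and the emailAddress rule is an assumption based on the two certificate dumps shown.

```shell
#!/bin/sh
# Added example for this troubleshooting note (not IBM's code): reproduce the
# Wireshark finding with openssl. Only the host name is taken from the client
# log on this page; the expected issuer CN and the emailAddress rule are
# assumptions drawn from the two certificate dumps above.
SG_HOST="sgmanagertm1ams.integration.ibmcloud.com"
EXPECTED_ISSUER_CN="DigiCert SHA2 Secure Server CA"   # issuer seen in the good trace

# Print the issuer of the leaf certificate that *this* machine is handed.
# Behind an intercepting proxy this is the proxy's re-signed certificate,
# i.e. exactly what the Secure Gateway client is rejecting.
fetch_leaf_issuer() {
  host="$1"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Classify one "issuer=..." line as printed by openssl x509.
# Exit status: 0 = expected public CA, 1 = interception suspected, 2 = nothing parsed.
classify_issuer() {
  line="$1"
  case "$line" in
    "")
      echo "no certificate parsed (connection blocked, or not TLS on 443?)"; return 2 ;;
    *emailAddress*)
      # Public CA intermediates carry no e-mail address; the bad trace's issuer does.
      echo "INTERCEPTED: leaf re-signed by a private CA: $line"; return 1 ;;
    *"$EXPECTED_ISSUER_CN"*)
      echo "OK: leaf issued by $EXPECTED_ISSUER_CN"; return 0 ;;
    *)
      echo "INTERCEPTED: unexpected issuer: $line"; return 1 ;;
  esac
}

# Live check runs only when invoked with --live, so the file can also be sourced.
if [ "${1:-}" = "--live" ]; then
  classify_issuer "$(fetch_leaf_issuer "$SG_HOST")"
fi
```

Run it with `--live` from the SG client host. Add `-showcerts` to the s_client call to print the whole chain the way the Wireshark dump does, and if the client reaches the Internet through an explicitly configured proxy, point s_client at it with `-proxy host:port` (OpenSSL 1.1.0 or later). Re-run the script after the proxy change in the resolution below: the issuer should then be the DigiCert intermediate.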
Resolving The Problem
To resolve the problem, add the Secure Gateway head server, in this case "sgmanagertm1ams.integration.ibmcloud.com", to the TLS-inspection bypass (trusted sites) list of the proxy or firewall, so that the connection reaches IBM's DigiCert-issued certificate unmodified. Do not work around the error by disabling certificate verification in the client; that would silently accept any interception. After the change, the certificate presented to the client should again be issued by the DigiCert intermediate shown above.
Document Location
Worldwide
Document Information
Modified date:
24 March 2021
UID
ibm16435571