Determining Root Cause when Registration of Aginity Pro Fails

Problem

Aginity Pro uses HTTPS to transmit user registration information to our licensing server and receives a license key through our Java application.

If the registration fails it may be due to antivirus software performing SSL scanning and acting as a proxy between our license server and the client software. When this happens our licensing server may reject the certificate if it is not properly signed.

The error message you may receive looks like this:

[Screenshot: avError.png]

In the log file (Help -> Open Log File) you will see an error similar to this:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This article will help you understand the nature of the issue and the options you have to resolve it. Furthermore, we will be releasing a feature in Aginity Pro that will notify you explicitly if the Java application is rejecting the certificate and will direct you to a web site to obtain a license via a browser rather than relying on the Java application to generate it.

Cause

Whenever Java attempts to connect to another application over SSL (e.g.: HTTPS, IMAPS, LDAPS), it will only be able to connect to that application if it can trust it. The way trust is handled in the Java world is that you have a keystore (typically $JAVA_HOME/lib/security/cacerts), also known as the truststore. This contains a list of all known Certificate Authority (CA) certificates, and Java will only trust certificates that are signed by one of those CAs or public certificates that exist within that keystore.

Antivirus Software with SSL Scanning

If you are using antivirus software with SSL Scanning enabled, chances are Java is rejecting the certificate the antivirus software is supplying. This can typically be overcome by telling a browser to trust the antivirus software's certificate, but with Java programs it is a little harder since no browser is being used. To make it work with Java, each downloading user would have to add a certificate to the Java keystore we ship our product with, which is not an easy solution.
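As an added diagnostic (not part of Aginity Pro or this article), the Java program below connects to the licensing host, prints the certificate chain actually presented on the wire, and validates that chain against the JVM's default truststore, reproducing the same PKIX check that fails in the log above. The host name, port and class name are assumptions; run it from the workstation on which registration fails.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
// Shows the chain actually presented (an SSL-scanning proxy substitutes its own issuer)
// and checks it against the default truststore exactly as the licensing client would.
public class LicensingTlsCheck {
    // Captures the presented chain. The trust-all manager is used ONLY to read the chain;
    // the real trust decision is made separately in isTrustedByDefaultStore().
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        TrustManager[] capture = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) {}
            public void checkServerTrusted(X509Certificate[] c, String a) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }};
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, capture, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            Certificate[] chain = s.getSession().getPeerCertificates();
            X509Certificate[] x = new X509Certificate[chain.length];
            for (int i = 0; i < chain.length; i++) x[i] = (X509Certificate) chain[i];
            return x;
        }
    }
    // Validates the chain with the default truststore ($JAVA_HOME/lib/security/cacerts).
    static boolean isTrustedByDefaultStore(X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null keystore = the JVM's default truststore
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        // The validator needs a known TLS authType; choose one matching the leaf key type.
        String authType = "EC".equals(chain[0].getPublicKey().getAlgorithm()) ? "ECDHE_ECDSA" : "ECDHE_RSA";
        try {
            tm.checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {  // same "PKIX path building failed" as the log file
            System.out.println("Rejected by default truststore: " + e.getMessage());
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "licensing.aginity.com";  // assumed host
        X509Certificate[] chain = fetchChain(host, 443);
        for (X509Certificate c : chain)  // an unexpected issuer here indicates an SSL-scanning proxy
            System.out.println("subject=" + c.getSubjectX500Principal() + "\n  issuer=" + c.getIssuerX500Principal());
        System.out.println("trusted by default truststore: " + isTrustedByDefaultStore(chain));
    }
}
```

If the issuer printed for the leaf certificate is your antivirus or web-gateway product's CA and the final line reports false, the failure is the one described in this article rather than a problem with the licensing server.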

This article from McAfee does a really good job explaining how the SSL Scanning technology works in general.

Resolution

There are several resolutions to address this issue with varying degrees of complexity.

Resolving the Issue by Whitelisting Licensing Server URL

By whitelisting the URL for the Aginity Licensing server, you are telling the antivirus service to bypass it for SSL scanning. The server URL you will want to whitelist is: https://licensing.aginity.com

Resolving Issue by Making sure the Proxy Certificate from Antivirus Software is Trusted

Refer to your antivirus software manual on how to configure the SSL Scanning proxy with a trusted certificate instead of the default, which is usually untrusted. If the certificate is trusted when the Java program sees it, no error will be issued. The excerpt below is from McAfee's manual on installing the proxy certificate.

"You have two options to configure a Certificate Authority on the appliance:

First, you can generate a Certificate Authority directly within the user interface.  Within the Web Gateway product guide, navigate to ‘Chapter 10 -> Web Filtering -> SSL Scanning -> Replace the default root certificate authority -> Create a root certificate Authority’.  Once this CA is generated, you can export that cert and push it out to your client workstations so they can trust it.

Second, you can import a local certificate authority onto the appliance.  Many organizations use a local certificate authority (such as Microsoft’s CA) to sign their internal certs, and usually these are already trusted by domain workstations. Within the Web Gateway product guide, navigate to ‘Chapter 10 -> Web Filtering -> SSL Scanning -> Replace the default root certificate authority -> Import a root certificate Authority’.   For more information about generating the CA from your Microsoft CA, use KB75037 (http://mcaf.ee/wgcbf)."

Generating Key Manually from Aginity Licensing Self Service Web Site

Going forward we will post our self-service licensing web site here. The main difference when using the web site is that your organization has most likely already configured your browser to work with SSL Scanning and to trust the certificate sent from the proxy.

Link coming soon!
