Web Interface Callback Fails when Web Interface on NetScaler is Configured in Gateway Direct Mode and 2048-bit SSL Certificates

Article ID: CTX132295

Description

When you configure the Web Interface on NetScaler with XenApp or XenDesktop Web Site for Gateway Direct mode, the Access Gateway Enterprise Edition virtual servers that use 2048-bit SSL certificates fail the Web Interface callback that is used to validate the session. In addition, users might see the following entries in the Tomcat local host log files:

INFO: ERROR: Event Log ID: 13001 An SSL connection could not be established...The certificate could not be validated
INFO: ERROR: Event Log ID: 18001 A communication error occurred while attempting to contact the Access Gateway authentication service...The message reported by the underlying platform was: ; nested exception is:

Environment

  • VPX or MPX version of NetScaler software release nCore 9.2 and later
  • Web Interface on NetScaler 1.1 to 1.3
  • Web Interface Site configured for Authentication at Access Gateway
  • An SSL Cipher using 128-bit or higher encryption
  • Java Cryptography Extension (JCE) Unlimited Strength policy files are not applied

Resolution

To add support for stronger SSL Ciphers with Web Interface on NetScaler, complete the following procedure:

  1. Download and install the Oracle Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files:
    http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

  2. Extract and upload the files US_export_policy.jar and local_policy.jar to the /var/wi/java_home/lib/security directory.

    (If the security directory does not exist, upload the files to the /var/wi/java_home/lib directory instead.)

  3. Log on to the shell prompt on the Access Gateway Enterprise Edition appliance.

  4. Run the following command to reinitialize the JRE:
    root@nsmpx# killall java

  5. Test the access to Web Interface on NetScaler through the Access Gateway Enterprise Edition virtual server.

Note: This issue does not occur if you are using XenApp or XenDesktop Services Sites, which do not support Gateway Direct mode and do not issue a callback to the Access Gateway Enterprise Edition (AGEE) appliance to validate the session.
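As an added check that is not part of the Citrix article: a POSIX shell function that confirms the two policy jars from step 2 are in place (including the fallback to /var/wi/java_home/lib when no security directory exists) and look like real jar archives, so you can run it before restarting the JRE in step 4. The function name and the path argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Citrix article. Verifies that the JCE Unlimited
# Strength policy jars are in place under the Web Interface JRE before the
# "killall java" restart. Default path is the /var/wi/java_home from the article.

# Usage: jce_policy_check [java_home]
# Prints the directory that was checked. Returns 0 when both jars are present
# in <java_home>/lib/security (or in <java_home>/lib when no security directory
# exists, the caveat from step 2) and each begins with the zip "PK" signature.
jce_policy_check() {
    java_home="${1:-/var/wi/java_home}"
    if [ -d "$java_home/lib/security" ]; then
        dir="$java_home/lib/security"
    else
        dir="$java_home/lib"
    fi
    status=0
    for jar in US_export_policy.jar local_policy.jar; do
        f="$dir/$jar"
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2
            status=1
        # A jar is a zip archive, so the first two bytes must be "PK". An HTML
        # error page saved under the jar name (a common failed download) fails here.
        elif [ "$(dd if="$f" bs=2 count=1 2>/dev/null)" != "PK" ]; then
            echo "not a jar archive (corrupted upload?): $f" >&2
            status=1
        fi
    done
    echo "$dir"
    return $status
}
```

Run `jce_policy_check` on the appliance shell; a non-zero exit means at least one jar is missing or corrupt and the restart in step 4 will not enable the stronger ciphers.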


Problem Cause

Web Interface on NetScaler uses the Oracle Sun Java Diablo Latte Java Runtime Environment (JRE). By default, this JRE does not include the required cryptographic libraries to support stronger SSL Ciphers.

Issue/Introduction

When you configure the Web Interface on NetScaler with XenApp or XenDesktop Web Site for Gateway Direct mode, the Access Gateway Enterprise Edition virtual servers that use 2048-bit SSL certificates fail the Web Interface callback that is used to validate the session.

Additional Information

Java Maximum Key Sizes Allowed by "Strong" Jurisdiction Policy Files

Web Interface on NetScaler feature details

CTX127431 - How to Configure a Web Interface Site on a NetScaler Appliance by using the Web Interface Wizard