cancel
Showing results for 
Search instead for 
Did you mean: 

How to fix warning about SSL server certificate validation in LaMa Enterprise 3.0 / Java 7.50?

marie_renneke
Participant
0 Kudos
1,270

Hey experts,

the following warning for is periodically flooding our LaMa Enterprise 3.0 Java security log:

The client proxy is making a SSL connection to https://<host.domain>:1129 without validating the SSL server certificate. Please change the configuration to validate the SSL server certificate.

In the attachment you can see one of the messages in detail.

2723977 is the only related SAP note I could find, but it just describes how to change the severity of this message from warning to error, which...will not help 😉

Of course I tried to check the Consumer Proxies configuration in Single Service Administration regarding the Ignore server certifcates (insecure) option, hence this seems to be the cause for this warning according to SAP note 2723977. But I have no idea which entry is relevant here. The one thing they all have in common: Ignore server certifcates (insecure) is activated by default.

Do you have any idea, if this can be fixed by changing a specific entries config to Accept Certificates in Keystore View: WebServiceSecurity, which entry needs to be configured and what the side-effects of this configuration for LaMa could be?

Maybe some of you have already had a similiar issue...

Thanks & regards, Marie

2023-11-24-11-44-07-window.png

Accepted Solutions (1)

Accepted Solutions (1)

h_yankov
Member

Hi Marie,

To enable the SSL server certificate validation in LaMa, you can disable the relevant "Ignore SSL Server Certificates for..." checkboxes in Setup > Engine.

For more details, please refer to the documentation page below:

Configuring Security Settings

The certificate entries should be configured in the "LVMView" in "Certificates and Keys: Key Storage" in NWA.

Best Regards,

Hristo

marie_renneke
Participant
0 Kudos

Hey Hristo,

I just uploaded the CA Certificate to LVMView and disabled the "Ignore SSL Server Certificate for Host Agent" checkbox - this stopped the warning message flood immediately!

Big thanks to you, this saved my day 🙂

best wishes, Marie

Answers (1)

Answers (1)

Prosper_Muzuva
Discoverer
0 Kudos

Hi Marie

As a suggestion in addition to the note 2723977

Can you verify if SSL is configured in NWA, if it is, check under certificates and keys, you should see a keystore view named Trusted CAs. Add the relevant root certificates (from the url in the error message) in there and then go back to your config and select accept certificates in keystore view - select 'Trusted CAs'

It's an SSL feature and shouldn't break your system

marie_renneke
Participant
0 Kudos

Hey prosper Muzuva,

thanks for your reply. SSL is configured. I uploaded the root certificates in the Trusted CAs keystore view + into the Trusted CAs tab in SSL configuration (don't think it's necessary, but won't hurt ;)) and restarted the ICM. Had no effect. I guess we somehow have to change the setting in some logical port of some Consumer Proxies, but I'm still not sure, which is the right one and what happens if I do so...

Thanks & regards