KB-8961: MFA with DirectControl fails after upgrading to 5.4.1 or greater

Knowledge Article Type: How To's
Product: Authentication Service
Component: UNIX/Linux Agent
Version: 5.4.2; 5.4.1; Suite 2017; Suite 2017.1; Suite 2017.2
Tags: MFA, SSL, cert, fail, connection error, local issuer certificate, certificate, On-prem, OPIE, customer managed, HP-UX
Bug #: CSSSUP-8634

Problem:

After upgrading Centrify DirectControl to 5.4.1 or greater, MFA no longer works.


Cause:

Starting in Suite 2017.1 (5.4.1), Centrify added certificate checking as a security enhancement. The DirectControl agent now validates the certificate presented by the Centrify Identity Platform (CIP), so that a spoofed certificate is rejected instead of silently accepted.


Resolution:

Run the following utility to check for errors:
/usr/share/centrifydc/bin/adcdiag

Open the log created by this utility and look for the following error message:
SSL certificate problem: unable to get local issuer certificate


For Centrify Privilege Service On-premise/Customer Managed:
A) Download and add the Centrify Identity Platform certificate
1. Log into the Portal.
2. View/download the certificate. In a Chrome browser:
   Press F12 -> Security -> Certification Path -> select the Root CA -> View Certificate -> Details -> Copy to File -> Next -> DER format -> Next -> name the certificate and save it.
3. Import the certificate into Group Policy under:
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
4. Run adgpupdate.

For Centrify Privilege Service Cloud:
A) Ensure you have a ca-bundle.crt that trusts the issuer of the platform certificate.
If you do not have a ca-bundle.crt, run the following:
curl --insecure https://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt

If you are running an older release, or if your ca-bundle.crt is expired, refresh it using one of the following. For example, on RHEL:
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.save
curl --insecure https://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
OR
yum update ca-certificates
OR
Download the attached cacert.pem and save it to your machine (the command below assumes it was saved as /tmp/cacert.pem). Run the following to override the existing bundle with the updated CA certificates:
mv /tmp/cacert.pem /etc/pki/tls/certs/ca-bundle.crt

Note: adclient looks for the CA bundle in the following locations:
/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem
/etc/certs/ca-certificates.crt

Make sure to move the downloaded file to one of the above locations.

OR

In /etc/centrifydc/centrifydc.conf, set the location of the CA certificate in the following parameter:
adclient.cloud.cert.store: <Location of CA cert>

Note: adcdiag does not check the above override parameter and will still report the check as failed. Verify the parameter by attempting an MFA login instead.
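The checks described above (scan the adcdiag log for the trust error, work out which CA bundle adclient will use, and honour the centrifydc.conf override that adcdiag itself ignores) collected into a small POSIX shell script. This is an added example and is not part of the Centrify article or the Centrify product: the function names are my own, the search paths and the parameter name are taken from the article, and every file the script writes is constructed under a temporary directory so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the Centrify KB article: helper functions that
# (1) scan an adcdiag log for the "SSL certificate problem" error,
# (2) work out which CA bundle adclient will use, honouring the
#     adclient.cloud.cert.store override in centrifydc.conf, and
# (3) count the certificates in that bundle (an empty bundle trusts nothing,
#     which shows up as "unable to get local issuer certificate").
# The search paths and the parameter name come from the article; all sample
# files written below are constructed for the demonstration.

# Search list from the article, in the order given there.
ADCLIENT_CA_PATHS="/etc/ssl/certs/ca-certificates.crt
/etc/pki/tls/certs/ca-bundle.crt
/usr/share/ssl/certs/ca-bundle.crt
/usr/local/share/certs/ca-root-nss.crt
/etc/ssl/cert.pem
/etc/certs/ca-certificates.crt"

# adcdiag_ssl_errors LOGFILE
# Prints matching lines with line numbers. Exit 0 if the trust error is
# present, 1 if the log is clean, 2 if the log cannot be read.
adcdiag_ssl_errors() {
  [ -r "$1" ] || return 2
  grep -n 'SSL certificate problem' "$1"
}

# effective_cert_store CONF_FILE [SEARCH_LIST]
# Prints the bundle adclient would use: the adclient.cloud.cert.store value
# from CONF_FILE if one is set, otherwise the first non-empty file in
# SEARCH_LIST (default: the adclient search list above). Exit 1 if none.
effective_cert_store() {
  conf="$1"
  search="${2:-$ADCLIENT_CA_PATHS}"
  override=""
  if [ -r "$conf" ]; then
    # Strip the key and surrounding whitespace; the last matching line wins.
    override=$(sed -n 's/^[[:space:]]*adclient\.cloud\.cert\.store:[[:space:]]*//p' "$conf" \
      | sed 's/[[:space:]]*$//' | tail -n 1)
  fi
  if [ -n "$override" ]; then
    printf '%s\n' "$override"
    return 0
  fi
  for p in $search; do
    if [ -s "$p" ]; then
      printf '%s\n' "$p"
      return 0
    fi
  done
  return 1
}

# count_certs BUNDLE
# Prints the number of PEM certificates in BUNDLE. Exit 1 if the file is
# unreadable or holds no certificates.
count_certs() {
  if [ ! -r "$1" ]; then
    printf '0\n'
    return 1
  fi
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
  printf '%s\n' "${n:-0}"
  [ "${n:-0}" -gt 0 ]
}

# --- Demonstration on constructed input (no real adcdiag run required) ---
demo=$(mktemp -d)
# Constructed sample of an adcdiag log showing the failure from the article.
cat > "$demo/adcdiag.log" <<'EOF'
Checking connection to the Centrify Identity Platform ...
SSL certificate problem: unable to get local issuer certificate
MFA check: FAILED
EOF
# Constructed centrifydc.conf fragment using the override from the article.
printf 'adclient.cloud.cert.store: %s/ca-bundle.crt\n' "$demo" > "$demo/centrifydc.conf"
# Constructed one-certificate bundle (placeholder body, not a real certificate).
cat > "$demo/ca-bundle.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
placeholder-base64-body
-----END CERTIFICATE-----
EOF

if adcdiag_ssl_errors "$demo/adcdiag.log"; then
  echo "adcdiag reported a trust failure; checking the bundle adclient would use"
fi
store=$(effective_cert_store "$demo/centrifydc.conf") || echo "no CA bundle found"
echo "effective cert store: $store"
echo "certificates in bundle: $(count_certs "$store")"
rm -rf "$demo"
```

Run it as-is for the demonstration, or source the file on a real agent and call `adcdiag_ssl_errors /path/to/adcdiag.log` and `effective_cert_store /etc/centrifydc/centrifydc.conf`. The script deliberately performs no TLS handshake of its own; once the bundle or override is in place, an MFA login remains the authoritative test, as the note above says.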


*** The following method is insecure and should be used for Eval/testing/troubleshooting only ***
B) Skip the check of the local issuer certificate.
1. Run /usr/share/centrifydc/bin/adcdiag -K
  • -k skips verification of the CA cert for the cloud connector
  • -K skips the check of the CIP host cert
2. Add the following to /etc/centrifydc/centrifydc.conf:
adclient.cloud.skip.cert.verification: true
Created By: Steven Feltner