QAID # 13388 Published
Question / Problem:
I am using client-side digital certificates and receiving HTTP 40x errors when trying to connect a Remote Site to the Central Site server.
How can I resolve this issue?
Answer / Solution:
Several factors can prevent the RSA from properly pulling/presenting the digital certificate and accessing the Central Site.
The following recommendations help troubleshoot the cause of 400 and similar 40x HTTP RSA errors when using client-side digital certificates:
- Make sure that the digital certificate is valid (not expired / has no exclamation point when it is viewed after importing).
- Ensure that both the client workstation AND the Central Site server have the issuing CA (certificate authority) of the client-side certificate in the Trusted Root Certification Authorities in Internet Explorer settings (Tools ¦ Internet Options ¦ Content [tab] ¦ Certificates [button]).
- If a reverse proxy (e.g., TAM - Tivoli Access Manager) is used to authenticate the client-side digital certificate, make sure the certificate has been added to the proxy's list of verified/allowable certificates.
- When importing the digital certificate, make sure no security setting is enabled that requires a prompt when an application uses the certificate.
Two settings that will prevent the RSA from using the certificate:
- An Allow or Deny prompt is presented the first time an application attempts to use the certificate.
- A password prompt is presented when an application attempts to use the certificate.
If there is an alternate Central Site configured (even if it is not assigned/used), update the passwords on that site as well (KC 8 and newer). Alternatively, if it is not being used, remove the alternate site via the Central Site Profile Manager.
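The first two checks in the list above (certificate validity and the issuing CA being present in Trusted Root Certification Authorities) can also be run from PowerShell instead of the Internet Explorer dialog. The script below is an added example, not part of the original article or the product; the `$SubjectLike` filter and the choice to skip revocation checking are assumptions of this example.

```powershell
# Added example: read-only audit of client certificates in the current user's
# Personal store. Only public certificate data is read, so no private-key
# prompt is triggered by running it.

# Assumption: narrow this wildcard to the subject of the certificate in use.
$SubjectLike = '*'

$now   = Get-Date
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like $SubjectLike }

foreach ($cert in $certs) {
    # Check 1: is the certificate inside its validity period?
    $inDate = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)

    # Check 2: build the chain. The last element is the top-most certificate
    # Windows could find for this chain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: revocation is skipped so the check also works offline.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # Is that top-most certificate present in a Trusted Root store?
    $rootTrusted = [bool](
        Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
            Where-Object { $_.Thumbprint -eq $top.Thumbprint }
    )

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        InValidity    = $inDate
        HasPrivateKey = $cert.HasPrivateKey
        ChainBuilds   = $chainOk
        TopOfChain    = $top.Subject
        RootTrusted   = $rootTrusted
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

A row with `InValidity`, `ChainBuilds` or `RootTrusted` set to `False` points at the first or second checklist item. On the Central Site server, look for the `TopOfChain` certificate in `Cert:\LocalMachine\Root` to confirm the same CA is trusted there.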
Keywords: Convert Remote Site 400, Bad Request, 401 Unauthorized, 403 Forbidden, 407 Proxy Authentication Required, 40x