Symptom

The UMS fails to connect to the IGEL Cloud Gateway (ICG). The following message appears in the GUI or in the log file:

TrustAnchor ... is not a CA certificate

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "CN=UMS-CLUSTER--xxx, O=test, L=test, C=US" is not a CA certificate
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:380)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:273)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:327)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:236)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:113)
at de.igel.apps.usg.connection.ssl.TrustedOnlyTrustManager.checkServerTrusted(TrustedOnlyTrustManager.java:74)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1099)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1622)
... 54 more

Environment

  • UMS 6.04 or higher
  • ICG with older root certificates created with UMS 5.07 or UMS 5.08

Problem

Older ICG root certificates (created with UMS 5.07 or UMS 5.08) do not carry the correct CA flag. Earlier Java versions tolerated this, but the Java version shipped with UMS 6.4.x onwards rejects such certificates as trust anchors.

To check whether you have an old ICG root certificate:

  1. Open the UMS Console, go to UMS Administration > Global Configuration > Cloud Gateway and select your ICG root certificate.
  2. Click the icon to read the certificate content.
    If Certificate Authority is set to "false", you have an old ICG root certificate.
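The "Certificate Authority" attribute shown in the UMS console is the Basic Constraints extension of the certificate, and the check Java performs on a trust anchor is "Basic Constraints present with CA=true". The following script (an added example, not part of the IGEL article or the UMS product) applies that same test to an exported PEM certificate; it assumes the Python cryptography package is available and builds two constructed self-signed roots only to demonstrate both outcomes.

```python
# Added example (not from the IGEL article): report whether a root certificate
# would be rejected as a trust anchor by newer Java releases, i.e. whether it
# lacks Basic Constraints CA=true. Assumes the 'cryptography' package.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID


def is_ca_certificate(cert: x509.Certificate) -> bool:
    """True only if Basic Constraints is present and CA=true (Java's test)."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return False
    return bc.value.ca


def check_pem(pem: bytes) -> dict:
    """Load a PEM certificate and say whether the UMS workaround is needed."""
    cert = x509.load_pem_x509_certificate(pem)
    ca = is_ca_certificate(cert)
    return {
        "subject": cert.subject.rfc4514_string(),
        "certificate_authority": ca,
        "needs_allowNonCaAnchor": not ca,  # old ICG roots land here
    }


def make_self_signed_root(common_name: str, ca_flag: bool) -> bytes:
    """Constructed test data: a self-signed root with CA=true or CA=false."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca_flag, path_length=None),
                           critical=True)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    for label, flag in (("old ICG root", False), ("proper CA root", True)):
        print(label, check_pem(make_self_signed_root("UMS-CLUSTER--example", flag)))
```

For a real certificate, export it from the UMS console, read the file as bytes and pass it to check_pem.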

Solution

If you do not want to exchange the ICG root certificate (this would require reinstalling the ICG and re-registering all endpoint devices), you can add a start parameter that tells the UMS Server to ignore the CA flag in the certificate.

This start parameter is overwritten by each UMS update installation, so you must set it again after every update.

Follow the instructions below, according to your operating system.

For Windows

  1. Open the Windows Services dialog and stop the service IGELRMGUIServer.
  2. Navigate to the directory <UMS installation directory>\RemoteManager\rmguiserver\bin (example: C:\Program Files (x86)\IGEL\RemoteManager\rmguiserver\bin).
  3. Double-click on editTomcatService.
  4. Confirm the warning dialog.
  5. Select the Java tab.
  6. Under Java Options, add the following entry as a new line:
    -Djdk.security.allowNonCaAnchor=true
  7. Click Ok to save the changes.
  8. In the Windows Services dialog, start the service IGELRMGUIServer.

For Linux

  1. Stop the service igelRMserver.
  2. Navigate to the directory /opt/IGEL/RemoteManager/rmguiserver/bin.
  3. Open the file igelRMserver.
  4. Find the two entries -Xmx4096 and add a new line before each entry with the following content:
    -Djdk.security.allowNonCaAnchor=true
  5. Save the changes.
  6. Start the service igelRMserver.