I have configured Access Manager to act as a Shibboleth IdP for
Shibboleth SPs without issue. However, I have an unusual error with a
recent SP. The error reported is:

System Event Time: 2013-12-13 15:18:16  Age: 12M 3S 750Ms  Level: Functional Loss
Comments:
Unable to validate SAML2 Trusted Service Provider. The trusted relationship with this entity will not be functional!
Error Validating X509 Certificate of Trusted Provider
Trusted Provider Type: SAML2 Trusted Service Provider
Trusted Provider Id: https://test.dmu.example.org/shibboleth
Error Validating X509 Signing Certificate
X509 Certificate Version: 3
X509 Certificate Subject: CN=*.avedas.com OU=Domain Control Validated - RapidSSL(R) OU=See www.rapidssl.com/resources/cps (c)11 OU=GT64982178 O=*.avedas.com C=DE SERIALNUMBER=wot/2STE3MDq5Q8WZcVE3nDkkg/2jQcf
X509 Certificate Issuer: CN=RapidSSL CA O="GeoTrust Inc." C=US
X509 Certificate Serial Number: 109763
X509 Certificate Start Date: 2011-05-10 21:49:04
X509 Certificate Expiration Date: 2014-05-13 04:15:03
X509 Certificate Validation Root Exception: com.novell.nidp.NIDPException: Error processing OCSP Response for certificate with subject : {0} Root Cause: java.net.SocketTimeoutException: connect timed out

I have imported the relevant root certificates into both the Trust Store
and OCSP Store on the Identity Cluster. This seems to be an issue
connecting to OCSP, but I have never seen this error before, and it does
not occur for the other SAML2 trusted providers. I have rebooted the
Identity Servers. I have also deleted the configuration and recreated
it (including the certs).

Does anyone have any ideas what is causing this?

Steve Tennant

sttennant's Profile: https://forums.netiq.com/member.php?userid=389
View this thread: https://forums.netiq.com/showthread.php?t=49460
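The root cause in the event above is a TCP connect timeout while Access Manager tries to reach the OCSP responder for the SP's signing certificate, not a trust-store problem. The following diagnostic is an added example and not code from the post or from NetIQ: it extracts the root-cause exception class from event text like the one quoted, and it tests plain TCP reachability from the Identity Server to an OCSP responder URL. The responder URL is a placeholder (it is normally read from the certificate's Authority Information Access extension, and the post does not give it); the sample event string is constructed from the quoted event.

```python
import re
import socket
from typing import Optional
from urllib.parse import urlparse

# Constructed from the event text in the post (HTML tags removed) so the
# parser below can be exercised offline.
SAMPLE_EVENT = (
    "X509 Certificate Validation Root Exception: "
    "com.novell.nidp.NIDPException: Error processing OCSP Response for "
    "certificate with subject : {0} Root Cause: "
    "java.net.SocketTimeoutException: connect timed out"
)

# Placeholder only: take the real value from the signing certificate's
# AIA extension (openssl x509 -noout -ocsp_uri -in cert.pem).
OCSP_URL_PLACEHOLDER = "http://ocsp.responder.example/"


def root_cause(event_text: str) -> Optional[str]:
    """Return the 'Root Cause' exception class named in an Access Manager
    certificate-validation event, or None if the event names none."""
    m = re.search(r"Root Cause:\s*([\w.$]+)", event_text)
    return m.group(1) if m else None


def ocsp_reachable(ocsp_url: str, timeout: float = 5.0) -> str:
    """Attempt a plain TCP connect to the host:port in ocsp_url from this
    machine (run it on the Identity Server itself) and classify the result.

    Returns one of: 'reachable', 'timeout', 'refused', 'dns-failure', 'error'.
    A 'timeout' here matches the Java-side
    'java.net.SocketTimeoutException: connect timed out' and usually means a
    firewall or missing proxy between the IdP and the responder.
    """
    parsed = urlparse(ocsp_url)
    host = parsed.hostname
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except socket.gaierror:
        return "dns-failure"
    except OSError:
        return "error"


if __name__ == "__main__":
    print("root cause:", root_cause(SAMPLE_EVENT))
    print("responder:", ocsp_reachable(OCSP_URL_PLACEHOLDER))
```

If the check reports `timeout` from the Identity Server while the responder is reachable from an admin workstation, the difference is the network path the IdP uses (egress firewall rules or a required HTTP proxy), which is consistent with the error appearing for one provider whose CA uses a responder the other providers' CAs do not.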