Configuring SSL Secured Communication for SEP sesam Backup Network

From SEPsesam
Jump to: navigation, search
Other languages:
Deutsch • ‎English
Copyright © SEP AG 1999-2018. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Docs latest icon.png Welcome to the latest SEP sesam documentation version 4.4.3 Tigon/4.4.3 Grolar. For previous documentation version(s), check Documentation archive.


Overview

As of 4.4.3 Tigon, SEP sesam uses SSL (Secure Sockets Layer) protocol to authenticate identities, encrypt and securely transfer data. SSL requires certificates to authenticate clients and establish a secure and trusted communication channel between SBC (sesam backup client) and STPD (sesam Transfer Protocol Server), thus preventing unauthorized access from clients to STPD. SEP sesam backup environment is protected with self-signed certificates, based on OpenSSL. SEP sesam does not provide certificates by default; they have to be created by an administrator and copied to clients and RDSs in the backup network.

  1. Create self-signed root Certificate Authority (CA) on the SEP sesam Server
  2. Create server and client certificates on the SEP sesam Server and copy them to server and clients
  3. Generate and copy server certificate for each RDS
  4. Edit configuration file on each client and server or RDS
  5. In case a client certificate cannot be trusted anymore, revoke the certificate.
  6. Call a function on SEP sesam Server to get authorization.

Directory structure for the SSL certificates

The following directory structure is used for storing the SSL certificates and related parameters:

What

Where

SEP sesam configuration files:sm.ini andstpd.ini

/var/opt/sesam/var/ini

Root SSL certificate and master key:rootCA.pem androotCA.key

/var/opt/sesam/var/ini/ca

Generated client certificate and key:client.pem andclient.key

/var/opt/sesam/var/ini/x.509

Generated server certificate and key:server.pem andserver.key

/var/opt/sesam/var/ini/ssl

Steps

Creating self-signed root Certificate Authority (CA) on the SEP sesam Server

  1. On the SEP sesam Server, remove any old self-generated SSL keys from
  2. /var/opt/sesam/var/ini/ssl
    
  3. Then create directories /ca and /x.509 to store your keys and certificates.
  4. /var/opt/sesam/var/ini/ca
    /var/opt/sesam/var/ini/x.509
    
  5. To create the root certificate, run the sm_ssl_cert ca command line utility as shown:
  6.  /opt/sesam/bin/sms/sm_ssl_cert ca 
    

In the folder /var/opt/sesam/var/ini/ca, the process creates two files:

  • A master key, also known as rootCA.key; keep this key private as it is needed for generation of new server and client certificates and is the basis of trust for all your certificates.
  • Information sign.png Note
    After generating server and client keys, you should remove the rootCA.key from the server and keep it in a safe place.
  • A root SSL certificate rootCA.pem; it is used to verify existing server and client certificates. Make sure that the root CA has a long expiry date. Once it is expired, all certificates signed by it become invalid. This certificate must be present on all clients connecting to servers signed with the CA certificate.

Once you have created the CA certificate and key, you can create and sign certificates.

Creating server and client certificates on the SEP sesam Server

  1. First, you have to create the server certificate on the SEP sesam Server:
  2. /opt/sesam/bin/sms/sm_ssl_cert server --common-name=<hostname>
    

    where <hostname> must be the same as the name specified in the interface settings in GUI (Main Selection -> Components -> Topology -> Clients, <server_name> -> field Interfaces).

    You can also use the IP address for <hostname> or use an * (asterisk) in the hostname, e.g., *.serverdomain.com or 192.168.1.*. Multiple server or domain names must be separated by a comma, e.g.:

    /opt/sesam/bin/sms/sm_ssl_cert server --common-name=myserver,myserver.domain.com
    

    Once done, there are two new files in the folder /var/opt/sesam/var/ini/ssl:

    server.pem 
    server.key
    
  3. For each server, copy the files as follows:
    • copy rootCA.pem to /var/opt/sesam/var/ini/ca
    • copy client.pem to /var/opt/sesam/var/ini/x.509
    • copy client.key to /var/opt/sesam/var/ini/x.509
  4. Then, create the client certificate on the SEP sesam Server:
  5. /opt/sesam/bin/sms/sm_ssl_cert client 
    

    Optionally, you can create client.pem/client key with unique subject field by using:

    /opt/sesam/bin/sms/sm_ssl_cert client --oid={options}
    

    {options}: comma separated list of

       C:{country_name}             - country name
      CN:{common_name}              - common name
      DQ:{dn_qualifier}             - dn qualifier
      GN:{given_name}               - given name
      GQ:{generation_qualifier}     - generation qualifier
       I:{initials}                 - initials of some or all of an individual's names, but not the surname(s)
       L:{locality_name}            - locality name
       N:{name}                     - name
       O:{organization_name}:       - organization name
      OU:{organizational_unit_name} - organization unit name
       P:{pseudonym}                - pseudonym
      PC:{postalcode}               - postalcode
       S:{surname}                  - surname
       T:{title}                    - title
    

    Once done, there are two new files in the folder /var/opt/sesam/var/ini/x.509:

    client.pem 
    client.key 
    
  6. For each client, copy the files to it as follows:
    • copy rootCA.pem to /var/opt/sesam/var/ini/ca
    • copy client.pem to /var/opt/sesam/var/ini/x.509
    • copy client.key to /var/opt/sesam/var/ini/x.509

Generating and copying server certificates for each RDS

If you want your RDSs to have its own server certificate, you have to generate server certificate for each RDS. In this case, the SEP sesam Server and every RDS have its own server certificate signed with the same self-signed root CA. This configuration allows to back up a client either to SEP sesam Server or any RDS.

  1. To generate server certificate for each RDS, run the following command:
  2. /opt/sesam/bin/sms/sm_ssl_cert server --common-name=<RDS_hostname> --path=<RDS_server_certificate_path>
    
  3. Copy the generated server.pem and server.key files from <RDS_server_certificate_path> to each RDS into the folder /var/opt/sesam/var/ini/ssl.
  4. Copy rootCA.pem to each RDS into the folder /var/opt/sesam/var/ini/ca.
Information sign.png Note
All generation is performed only on server.

Edit configuration file on each client and server or RDS

On SEP sesam Client
  1. Locate the /var/opt/sesam/var/ini/sm.ini file on the SEP sesam Client. Open the sm.ini file using a text editor and set the following:
  2. [SBC_SSL]
    SBC_CLIENT_SSL_AUTH=1   #For client-side verification
    SBC_SSL_SERVER_VERIFY=1 #For server-side verification
    
  3. Once you have changed the settings, save your changes and restart the client for the changes to take effect.
On SEP sesam Server or RDS
  1. Locate the /var/opt/sesam/var/ini/stpd.ini file on the SEP sesam Server. Open the stpd.ini file using a text editor and set the following:
  2. [STPD_Server]
    STPD_HTTPS_USE_CLIENT_CERT=2 #Possible values: 0: Do not validate
                                                   1: Validate but show warning 
                                                   2: Validate and show error
    
  3. Once you have changed the settings, save your changes and restart the server for the changes to take effect.

Revoking client certificate

If a client certificate cannot be trusted anymore (e.g., it was leaked), then it is important to invalidate the client certificate. In case the certificate was leaked and malicious clients are using the certificate, then the server needs a way to identify the invalid certificate and prohibit clients connecting with this certificate. One option is to use Certificate Revocation Lists (CRLs). CRLs are a list of all invalid certificates.

To add client certificate (client.pem) into CRL, proceed as follows:

  1. Create directories:
  2. /var/opt/sesam/var/ini/revoked
    
  3. Create Certificate Revocation Lists (CRLs) on the server:
  4. /opt/sesam/bin/sms/sm_ssl_cert revoke --certificate="/var/opt/sesam/var/ini/x.509/client.pem"
    
    Information sign.png Note
    Certificate Revocation Lists creation works only on Linux. Looks like the problem on Windows is old (probably own build/configured) version of GnuTLS lib. To create CRL file on Windows, you have to download GnuTLS from the ftp gnutls.
    Two files will be created in /var/opt/sesam/var/ini/revoked:
    crt
    certs.pem
    
  5. In case of RDS configuration, copy also to RDS PC:
  6. crt ==> /var/opt/sesam/var/ini/revoked
    

Example

If a client with revoked certificate tries to connect to a server:

2016-08-30 18:05:01: sbc-3536: Info:     # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 #
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-30 18:05:01: sbc-3500: Info:     Verify SSL Server Cert: 1
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: URL: https://SEP-RDSWin10:11443
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: SSL integrity check enabled
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: SSL client authentication is enabled
2016-08-30 18:05:01: sbc-3502: Info:     XBSA: BSACreateObject: Error:  GNUTLS_CERT_REVOKED
20160830 18:05:01.709 [3428] ConnectionHandlerCb:: new connection
20160830 18:05:01.709 [3428] ConnectionHandlerCb:: Call connection callback
20160830 18:05:01.710 [3428] SSLConnectionCb:: Starting SSL connection
20160830 18:05:01.710 [3428] SSL mode. Checking for client certificate
20160830 18:05:01.731 [3428] SSL error: Error:  GNUTLS_CERT_REVOKED

At the same time the other client with other client.pem/client.key tries to connect to a server:

2016-08-30 18:06:33: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: e77d80b, Released: Aug 30 2016 #
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  URL: https://SEP-RDSWin10:11443
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-30 18:06:33: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-30 18:06:33: sbc-3007: Info:    Operation successful.

Useful commands

curl -X "PUT" -F file=@c:\windows\system32\drivers\etc\hosts -H "XBSA-USER:SESAM_SECURE_AUTHENTICATION" -H  "XBSA-PASS:" \
-H "XBSA-TYPE:I" -H "XBSA-CWD:." -H "XBSA-STOR:TestBak.bak" -H "XBSA-QUIT" https://aoseredchuk-PC:11443 \
--key "c:\Program Files\SEPsesam\var\ini\x.509\client.key" --cacert "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" \
--cert "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" --ipv4 --tlsv1.0 --verbose
openssl s_client -connect aoseredchuk-PC:11443 -CAfile "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" \
-cert "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" -key "c:\Program Files\SEPsesam\var\ini\x.509\client.key"
openssl x509 -in "c:\Program Files\SEPsesam\var\ini\ca\rootCA.pem" -noout -text
openssl x509 -in "c:\Program Files\SEPsesam\var\ini\x.509\client.pem" -noout -text

Certificate testing

Test with correct certificates

Clients authentication: [successful]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:00:45: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:00:45: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:00:46: sbc-3007: Info:    Operation successful.

Server authentication: [successful]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:34:50: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:34:50: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
...
2016-08-29 15:34:52: sbc-3007: Info:    Operation successful.

Double authentication: [successful]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:13: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:01:13: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:01:13: sbc-3007: Info:    Operation successful.

Test with wrong client.key/pem certificates

Clients authentication: [failed]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:59: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:01:59: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:59: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:01:59: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:59: sbc-3005: Info:    Closing saveset.
2016-08-29 15:01:59: sbc-3310: Info:    Checksum (adler32): 1. (test)
2016-08-29 15:01:59: sbc-3052: Info:    Items processed correctly: [0]. Not processed or incorrectly processed items: [0]. (test)
2016-08-29 15:01:59: sbc-1156: Error:   Operation failed!
20160829 15:01:59.878 [16340] ConnectionHandlerCb:: new connection
20160829 15:01:59.878 [16340] ConnectionHandlerCb:: Call connection callback
20160829 15:01:59.879 [16340] SSLConnectionCb:: Starting SSL connection
20160829 15:01:59.879 [16340] SSL mode. Checking for client certificate
20160829 15:01:59.880 [16340] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND

Server authentication: [successful]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:33:05: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:33:05: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
...
2016-08-29 15:33:07: sbc-3007: Info:    Operation successful.

Double authentication: [failed]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:01:46: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:01:46: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:01:47: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:47: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:01:47: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:01:47: sbc-3005: Info:    Closing saveset.
2016-08-29 15:01:47: sbc-3310: Info:    Checksum (adler32): 1. (test)
2016-08-29 15:01:47: sbc-3052: Info:    Items processed correctly: [0]. Not processed or incorrectly processed items: [0]. (test)
2016-08-29 15:01:47: sbc-1156: Error:   Operation failed!
20160829 15:01:46.987 [18740] ConnectionHandlerCb:: new connection
20160829 15:01:46.987 [18740] ConnectionHandlerCb:: Call connection callback
20160829 15:01:46.987 [18740] SSLConnectionCb:: Starting SSL connection
20160829 15:01:46.988 [18740] SSL mode. Checking for client certificate
20160829 15:01:46.989 [18740] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND

Test with wrong rootCA.pem certificates

Clients authentication: [successful]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:28:21: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:28:21: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:28:26: sbc-3007: Info:    Operation successful.

Server authentication: [failed]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:48:54: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:48:54: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
2016-08-29 15:48:57: sbc-3502: Info:    XBSA:  BSACreateObject: Client SSL certificate is missing or invalid
2016-08-29 15:48:57: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:48:57: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Client SSL certificate is missing or invalid
20160829 15:48:54.800 [2808] ConnectionHandlerCb:: new connection
20160829 15:48:54.800 [2808] ConnectionHandlerCb:: Call connection callback
20160829 15:48:54.801 [2808] SSLConnectionCb:: Starting SSL connection
20160829 15:48:56.218 [2808] SSL mode. Checking for client certificate
20160829 15:48:57.028 [2808] SSL error: Client SSL certificate is missing or invalid

Double authentication: [successful]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:49:56: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:49:56: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
...
2016-08-29 15:50:03: sbc-3007: Info:    Operation successful.

Test with wrong rootCA.pem and client.key/pem certificates

Clients authentication: [failed]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=0

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:44:50: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  Warning: SSL integrity check disabled
2016-08-29 15:44:50: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:44:53: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
20160829 15:44:50.877 [18796] ConnectionHandlerCb:: new connection
20160829 15:44:50.878 [18796] ConnectionHandlerCb:: Call connection callback
20160829 15:44:50.878 [18796] SSLConnectionCb:: Starting SSL connection
20160829 15:44:52.451 [18796] SSL mode. Checking for client certificate
20160829 15:44:53.158 [18796] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND

Server authentication: [failed]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=0
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:42:36: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:42:36: sbc-3502: Info:    XBSA:  SSL client authentication is disabled
2016-08-29 15:42:39: sbc-3502: Info:    XBSA:  BSACreateObject: Client SSL certificate is missing or invalid
2016-08-29 15:42:39: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:42:39: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Client SSL certificate is missing or invalid
20160829 15:42:37.051 [11924] ConnectionHandlerCb:: new connection
20160829 15:42:37.052 [11924] ConnectionHandlerCb:: Call connection callback
20160829 15:42:37.052 [11924] SSLConnectionCb:: Starting SSL connection
20160829 15:42:38.363 [11924] SSL mode. Checking for client certificate
20160829 15:42:39.072 [11924] SSL error: Client SSL certificate is missing or invalid

Double authentication: [failed]

[SBC_SSL]
SBC_CLIENT_SSL_AUTH=1
SBC_SSL_SERVER_VERIFY=1

[STPD_Server]
STPD_HTTPS_USE_CLIENT_CERT=2
2016-08-29 15:41:39: sbc-3536: Info:    # SEP XBSA, VERSION: 4.4R3 Build: 4a628b6, Released: Aug 23 2016 #
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  XBSA BSA_API_VERSION (Issue.Version.Level): 2.1.1
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  URL: https://aoseredchuk-PC:11443
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  SSL integrity check enabled
2016-08-29 15:41:39: sbc-3502: Info:    XBSA:  SSL client authentication is enabled
2016-08-29 15:41:42: sbc-3502: Info:    XBSA:  BSACreateObject: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
2016-08-29 15:41:42: sbc-3500: Info:    XBSA returned: Cannot create object with given descriptor.
2016-08-29 15:41:42: sbc-1009: Error:   XBSA Call BSACreateObject failed with message: Access to the requested object is not possible. Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND
20160829 15:41:39.831 [0728] ConnectionHandlerCb:: new connection
20160829 15:41:39.831 [0728] ConnectionHandlerCb:: Call connection callback
20160829 15:41:39.832 [0728] SSLConnectionCb:: Starting SSL connection
20160829 15:41:41.218 [0728] SSL mode. Checking for client certificate
20160829 15:41:41.927 [0728] SSL error: Error:  GNUTLS_CERT_INVALID GNUTLS_CERT_SIGNER_NOT_FOUND