An exception was caught trying to call A2A using a certificate

Hi all,

During the API PowerShell call Get-SafeguardA2aPassword, we sometimes get this error:

PS C:\Users\dog> Get-SafeguardA2aPassword -Appliance xxx.xxx.xxx.xxx -Insecure -CertificateFile C:\Users\dog\Desktop\combined.pfx -ApiKey k/Eg9qjSn+VQdg3E1K09+eFASGh4OcPI2+B9AhHKfnY=
WARNING: An exception was caught trying to call A2A using a certificate.
WARNING: If you are experiencing a certificate connection failure, your problem may be a quirk on Windows where
WARNING: the low-level HTTPS client requires that the Issuing CA be in your 'Intermediate Certificate Authorities'
WARNING: store, otherwise Windows doesn't think you have a matching certificate to send in the initial client
WARNING: connection. This occurs even if you pass in a PFX file specifying exactly which certificate to use.
401: Unauthorized -- 60094: Authorization is denied for this request.
At C:\Program Files\WindowsPowerShell\Modules\safeguard-ps\6.8.631\sg-utilities.psm1:138 char:5
+ throw $local:ExceptionToThrow
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], SafeguardMethodException
+ FullyQualifiedErrorId : 401: Unauthorized -- 60094: Authorization is denied for this request.

We configured SPP following the guide at this link, but we cannot find the step in chapter 2 on how to configure the user certificate, such as

"Create a certificate user"

Admin Tools | Users

This step is not configurable in our version 6.7.1.xxxx; is that correct?

Can anyone help us?

Thanks

-cmb

  • Hi Carmine,

    To add a certificate user, log in via the Safeguard Desktop client to the Primary appliance:
    - Navigate to Administrative Tools | Users.
    - In Users, click + Add User from the toolbar.
    - In the User dialog, provide information in each of the tabs:

    1. Identity Provider: choose Local > Add user details such as first and last name, etc.
    2. Authentication Provider: choose Certificate > Add Certificate Thumbprint (40 hexadecimal characters) from the .PFX certificate that you created. You can copy and paste the Thumbprint value directly from the certificate, including the spaces.
    3. Location: choose time zone
    4. Permissions: none are needed here.

    Then, under External Integration > Application to Application, edit your existing registration and select the certificate user that was created above.

    Reference for adding users:
    support.oneidentity.com/.../93

    Reference for A2A:
    support.oneidentity.com/.../89

    Once the above is configured, test with the Certificate path in double quotes and the API Key between single quotes, for example:
    Get-SafeguardA2aPassword -Appliance xxx.xxx.xxx.xxx -Insecure -CertificateFile "C:\Users\dog\Desktop\combined.pfx" -ApiKey 'k/Eg9qjSn+VQdg3E1K09+eFASGh4OcPI2+B9AhHKfnY='

    Thanks!
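
A check for the two things this thread points at, the thumbprint to enter for the certificate user and the Issuing CA store quirk named in the warning, as an added PowerShell example (not part of the original posts or of safeguard-ps). It assumes the PFX path from the thread and uses the Windows PKI module's Get-PfxData; the variable names are illustrative.

```powershell
# Added example. Assumption: the PFX path is the one shown in the thread.
$pfxPath  = 'C:\Users\dog\Desktop\combined.pfx'
$password = Read-Host -AsSecureString -Prompt 'PFX password'

# Read the PFX contents without importing anything into a certificate store.
$pfx  = Get-PfxData -FilePath $pfxPath -Password $password
$leaf = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $pfxPath" }

# The thumbprint (40 hexadecimal characters) is the value entered for the
# certificate user under Authentication Provider > Certificate.
"Subject    : $($leaf.Subject)"
"Issuer     : $($leaf.Issuer)"
"Thumbprint : $($leaf.Thumbprint)"
"Not after  : $($leaf.NotAfter)"
if ($leaf.NotAfter -lt (Get-Date)) { Write-Warning 'Client certificate has expired.' }

# The warning text says the Issuing CA must be in the intermediate CA store.
# Look for a certificate whose subject matches the client certificate's issuer.
$stores = 'Cert:\CurrentUser\CA', 'Cert:\LocalMachine\CA'
$issuerHits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -eq $leaf.Issuer } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if ($leaf.Subject -eq $leaf.Issuer) {
    'Certificate is self-signed; there is no separate issuing CA to look for.'
}
elseif ($issuerHits) {
    'Issuing CA found in the intermediate CA store:'
    $issuerHits | Format-Table -AutoSize
}
else {
    Write-Warning "Issuing CA '$($leaf.Issuer)' is not in the intermediate CA store."
    # Report whether the PFX itself carries the issuer certificate.
    $bundled = $pfx.OtherCertificates | Where-Object { $_.Subject -eq $leaf.Issuer }
    if ($bundled) {
        'The PFX contains the issuer certificate:'
        $bundled | Select-Object Subject, Thumbprint | Format-Table -AutoSize
    }
    else {
        'The PFX does not contain the issuer certificate; obtain it from the CA.'
    }
}
```

If the thumbprint printed here differs from the one configured on the certificate user, the 401 is expected regardless of the store contents.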