Support Center > Search Results > SecureKnowledge Details
Identity Agent on Mac OS X does not connect automatically on start-up
Symptoms
  • Identity Agent on Mac OS X does not connect automatically on start-up.

  • If the Identity Agent is closed and opened again, it connects correctly.

  • IdentityAgent.log file under debug shows an SSL error:
    [HH:MM DD/MM/YYY]/ssl_cb (CCC:N) ssl_cb: called where ... ret ...
    [HH:MM DD/MM/YYY]/ssl_cb (CCC:N) SSL3 alert write:fatal:bad certificate
    [HH:MM DD/MM/YYY]/ssl_cb (CCC:N) ssl_cb: called where ... ret -1
    [HH:MM DD/MM/YYY]/ssl_cb (CCC:N) SSL_connect:error in SSLv3 read server certificate B
    [HH:MM DD/MM/YYY]/ssl_connect (CCC:N) SSL_connect: error:00000001:lib(0):func(0):reason(1) ccc->error 331
    [HH:MM DD/MM/YYY]/ccc_nac_iter (CCC:N) ccc_nac_iter: SSL connect failed
    [HH:MM DD/MM/YYY]/-[Engine iterate] (Engine.mm:N) ccc_nac_iter failed SSL error - the root CA is not trusted for the given purpose (331)
    [HH:MM DD/MM/YYY]/-[Engine disconnect] (Engine.mm:N) Called
    [HH:MM DD/MM/YYY]/-[Engine disconnect] (Engine.mm:N) ccc_nac_logout failed missing session_id
    
Solution

This is an expected behavior.

In order to configure the Identity Agent to connect automatically on start-up, you need to configure the SSO for Identity Agent. Refer to Identity Awareness Administration Guide (R75, R75.20, R75.40, R75.40VS, R76, R77).

 

If Kerberos is not used, then contact Check Point Support to get a Hotfix for this issue. A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix. For faster resolution and verification please collect CPinfo files from the Security Management and Security Gateways involved in the case.

Code was improved: By design, if the auto connect does not work / fails, a reconnect procedure will be executed in 30 seconds. The reconnect logic was changed to be identical to auto connect logic.

Hotfix consists of two parts:

  • Hotfix for Identity Awareness Gateway
  • Improved Identity Agent for Mac OS X

 

Related solutions:

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
This solution is about products that are no longer supported and it will not be updated
Applies To:
  • 01523753
  • 01524611

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment