kamilazat
Advisor

DynamicID with SMS OTP

Hi everyone!

We have an issue with DynamicID and SMS provider certificates with the error message "DynamicID sending failure. To retry, please type r and select Submit". Here’s the setup:

  • R81.20 JHF Take 118
  • Cluster
  • Mobile Access with DynamicID + SMS OTP (user information like phone numbers is in the CP database, not LDAP)

We have the same setup both on prod and in a test lab. The configs are exactly the same. The test lab is working but the prod seems to have an issue with certificates.

In iked1.log file we see these lines:

[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][AsyncCurl] set_params_for_callback - Warning: (0x9bc3778) finished with result code (-3) - (SSL certificate problem: unable to get issuer certificate)
[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][AU] DynamicIDSession::setState new_state -103 client_code 60 server_code 0 log_msg SSL certificate problem: unable to get issuer certificate
[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][AU] dynamic_id_manager_callback(au=9ba9728): ePRIVATE_DID_SENDING_ERROR
[iked1 13483 4066513344]@Hostname[11 Nov 10:36:59][CPSC] cpsc_get_msg_by_id: Cache HIT for CPSC_DID_SENDING_ERROR

And also all the other symptoms that are given in sk182705. But somehow the provided solution of adding the certificate on SmartDashboard doesn’t resolve the issue.

We also tried running $CVPNDIR/bin/rehash_ca_bundle after placing the certificate in $FWDIR/database/ as specified in the Mobile Access Admin Guide (bottom of the page), to no avail.

We have temporarily applied a workaround of replacing the "SmsWebClientProcArgs" value with ("-k") in the $CVPNDIR/conf/cvpnd.C file so that it doesn't check for the certificate. For anyone who's not familiar with it, the original value was ("--capath $CVPNDIR/var/ssl/ca-bundle/"), which means that the connections with the SMS provider need to be cert checked. Although this is a workaround, using -k to ignore certificate verification is not good practice, so we want to resolve it.

We already have double checked all the settings and the SMS provider info syntax on SmartConsole. Plus, everything works as expected in the lab.

Can anybody point me towards where I’m obviously not looking?

Cheers, Kamil

0 Kudos
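The curl error in the log above is "unable to get issuer certificate", which an OpenSSL-backed curl reports when part of the chain was found in the trust directory but that certificate's own issuer was not. The sketch below is an added example, not part of the original post and not Check Point code: it walks a server certificate's issuers through a hashed --capath directory and names the first one that is missing. It assumes the directory uses OpenSSL's <subject_hash>.<n> naming; the function names and the demo chain are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Check Point code. Assumption: the --capath directory is an
# OpenSSL-style hashed directory (files or links named <subject_hash>.<n>).
# Only name chaining is checked here; signatures and validity dates are not.

dn() {  # dn FILE subject|issuer -> distinguished name in RFC 2253 form
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# Walk up from CERT through CAPATH. Prints the DN of the first issuer that is
# absent and returns 1; returns 0 once a self-signed certificate is reached.
capath_missing_issuer() {
  capath=$1; cert=$2; depth=0
  while [ "$depth" -lt 10 ]; do
    iss=$(dn "$cert" issuer)
    if [ "$(dn "$cert" subject)" = "$iss" ]; then return 0; fi
    ihash=$(openssl x509 -in "$cert" -noout -issuer_hash)
    next=""
    for cand in "$capath/$ihash".*; do
      if [ -f "$cand" ] && [ "$(dn "$cand" subject)" = "$iss" ]; then
        next=$cand; break
      fi
    done
    if [ -z "$next" ]; then printf '%s\n' "$iss"; return 1; fi
    cert=$next; depth=$((depth + 1))
  done
  return 2  # chain deeper than 10 certificates, or a naming loop
}

# Constructed sample data: root -> intermediate -> leaf, written into $1.
make_demo_chain() {
  d=$1; printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=sms.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Copy CERT ($2) into hashed directory $1 under the name <subject_hash>.0.
capath_add() { cp "$2" "$1/$(openssl x509 -in "$2" -noout -subject_hash).0"; }
```

Running capath_missing_issuer against the same provider certificate on both the working and the failing gateway's ca-bundle directory shows whether the two directories differ in which issuers they hold.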
2 Replies
ShemHunter
Contributor

Hi kamilazat!

Maybe the sk data can help you, but I can't confirm it - sk111630 and sk121101

 

0 Kudos
kamilazat
Advisor

Well, that doesn't really help me because once we changed the SmsWebClientProcArgs value to -k it started working. Maybe we should change --capath from $CVPNDIR/var/ssl/ca-bundle/ to $FWDIR/database/ but I believe it's dangerous.

 

0 Kudos