Word of warning to those of you upgrading to NAM 5.1. I upgraded a NAM 5.0.4 environment today and after upgrading my IdP wouldn't turn "green". I was getting a warning about one of the certs in the trust store:
X509 Certificate Validation Root Exception: com.novell.nidp.NIDPException: Error processing certificate validations
Looking in the catalina.out, I was seeing errors like this:
javax.naming.InvalidNameException: Invalid name: CRL_1,CRL_1 - Configuration.CRL Container.Security
The IdP was completely non-functional. If I tried to access ANY AG protected resource, I'd get a 300101050 error from the IdP.
I tried re-pushing certificates to no avail. So I turned up debug logging, and I saw the IdP trying to make some really odd LDAP connections. This site is using eDirectory as a user store. The LDAP URIs the server was trying to connect to were in that user store, but they were the cleartext (389) LDAP port, which we don't allow, and the server's short name, which wouldn't resolve. I couldn't figure out where the heck it was coming from.
Well, it turns out for one of the SAML SPs, I used a certificate minted from the the eDir CA for SAML signing. I guess NAM 5.1 is more aggressive about OCSP/CRL checking now because that is what it was trying to do, connect to the LDAP URIs defined in the CRL Distribution Points in the eDirectory CA, which of course were not reachable.
I just disabled OCSP/CRL checking in tomcat.conf:
JAVA_OPTS="${JAVA_OPTS} -Dcom.novell.nidp.serverOCSPCRL=false"
And restarted the IdP and everything started working.
Never seen that behavior before (I've certainly had to disable OCSP/CRL before, but not due to this).
I am a bit surprised though that they have not added the ability to disable OCSP/CRL checking in the admin interface already!
Matt