/tmp/idm_install/SSL CertificateDNS_server.ks

Hi there,

I am doing a new install of user application to RHEL 7 with install.sh followed by configure.sh, and it always fails to import certificates from the identity vault to the tomcat.ks (idm.ks and osp.ks seem to go fine though). I can use my own keystore, but errors in the install are not tolerable. I would appreciate any hints on how to correct the issue.

I am using a dedicated identity applications server which is RHEL 7 with latest patches.
I am using IDM 4.7 iso image install.sh/configure.sh.
My identity vault is on another server; it is running RHEL 7, eDir 9.1.2, IDM Advanced 4.7.
Every component is freshly installed and all IDM / other packages are patched to the latest versions.

I tested that the connection to the identity vault from the userapp server works, as these commands give me the certificate chain:

openssl s_client -connect server:636 -showcerts
openssl s_client -connect server:389 -starttls ldap

I checked that /tmp is writable, selinux does not give any denials, directory /tmp/idm_install/ is created during the configure process and contains multiple files made by the installer. It is deleted after install. Maybe I could try disabling selinux but that would be a pity as I've always kept it as an extra security layer in my IDM installations.

I also double checked that the driver set is associated with the server I am using for the LDAP connection and is the driver set for the user application drivers. The server is also working well with Designer, iManager and ldapsearch.

Here is what /var/opt/netiq/idm/log/idmconfigure.log says about it:


2019-03-11 08:18:57 02:00 : Deploying the Identity Applications drivers. It may take a few minutes...
Deploying the Identity Applications drivers. It may take a few minutes...
SPIException in DesignerHeadless -- 0 , Trying again...
Default Server DN --cn=server,ou=servers,o=org
Invalid GCV document on object 'NOVLACOMSET-GCVs-Prompt': Value for 'UAProvAdmin' contains an invalid character.
Unknown internal ID in version lookup: 4.7.0
Unable to read NAT Mappings file
In constructor if com.novell.soa.logging.impl.log4j.Log4jManager
Info: Exiting

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /tmp/idm_install/tomcat.ks -destkeystore /tmp/idm_install/tomcat.ks -deststoretype pkcs12".

NetIQ Identity Manager Command Line Utility
version 4.7.0.0
Copyright (c) 2017 NetIQ Corporation. All Rights Reserved

Logging in using:
host: server.hostmaname/1.2.3.4:636
user: cn=admin,ou=admins,o=org
Using LDAP protocol with SSL
DirXML version is 4.7.0.0.
Driver set CN=driverset,O=org is associated with the server.
Importing keystore /tmp/idm_install/SSL CertificateDNS_server.ks to /tmp/idm_install/tomcat.ks...
keytool error: java.io.FileNotFoundException: /tmp/idm_install/SSL CertificateDNS_server.ks (No such file or directory)
Importing keystore /tmp/idm_install/SSL CertificateDNS_server.ks to /tmp/idm_install/tomcat.ks...
keytool error: java.io.FileNotFoundException: /tmp/idm_install/SSL CertificateDNS_server.ks (No such file or directory)
2019-03-11 08:20:04 02:00 : Import recaptcha public key certificate into keystore.


The connection to the identity vault is OK, as it says in /var/opt/netiq/idm/log/idmconfigure.log:

2019-03-11 08:16:15 02:00 : Verifying Identity Vault connection parameters..
Verifying Identity Vault connection parameters..
[INFO]: Connecting to server on port 636...
[INFO]: Successfully connected to the server
2019-03-11 08:16:16 02:00 : Connection successful
Connection successful


Also in the log I can see that the creation of /opt/netiq/idm/apps/tomcat/conf/idm.jks and /opt/netiq/idm/apps/osp/osp.jks is a success.

Other errors / warnings in the idmconfigure.log are:

2019-03-11 08:18:48 02:00 : Importing ldif file: /tmp/idm_install/ua_ldif/base_containers.ldif
Importing ldif file: /tmp/idm_install/ua_ldif/base_containers.ldif
[INFO]: Connecting to server on port 636...
[INFO]: Successfully connected to the server
[INFO]: Adding entry ...
[INFO]: Successfully updated...
[INFO]: ---
[INFO]: Adding entry ...
[WARNING]: NDS error: syntax violation (-613)
[INFO]: ---
[INFO]: Adding entry ...
[INFO]: Successfully updated...
[INFO]: ---
[INFO]: Adding entry ...
[INFO]: Successfully updated...
[INFO]: ---
[INFO]: Adding entry ...
[INFO]: Successfully updated...
[INFO]: ---
[INFO]: Modifying entry ...
[WARNING]: NDS error: no such entry (-601)
[INFO]: ---
[INFO]: Modifying entry ...
[WARNING]: NDS error: no such entry (-601)
[INFO]: ---
[INFO]: Modifying entry ...
[WARNING]: NDS error: no such entry (-601)
[INFO]: ---
[INFO]: Modifying entry ...
[WARNING]: NDS error: syntax violation (-613)
[INFO]: ---
2019-03-11 08:18:57 02:00 : Deploying the Identity Applications drivers. It may take a few minutes...
Deploying the Identity Applications drivers. It may take a few minutes...
SPIException in DesignerHeadless -- 0 , Trying again...
Default Server DN --cn=server,ou=ou,o=org
Invalid GCV document on object 'NOVLACOMSET-GCVs-Prompt': Value for 'UAProvAdmin' contains an invalid character.
Unknown internal ID in version lookup: 4.7.0
Unable to read NAT Mappings file
In constructor if com.novell.soa.logging.impl.log4j.Log4jManager
Info: Exiting
  • Correction: /opt/netiq/idm/apps/osp/osp.jks only contains the private key and is missing any possible idm certs, but I do not know whether it needs to have them. /opt/netiq/idm/apps/tomcat/conf/idm.jks contains idm certificates as well. By idm certificate I mean the identity vault root CA.
  • I disabled selinux just in case, but when I reinstall and configure I still get errors about not being able to create SAML trusted root objects. That was not in the install log file. Here is the console output from configure.sh:


    Refer log for more information at /var/opt/netiq/idm/log/idmconfigure.log



    ###############################################################

    Configuring : Identity Applications
    Mon Mar 11 10:17:14 EET 2019

    ###############################################################


    Verifying installed components...
    Creating the Identity Manager keystore.
    Importing Identity Vault certificates.
    Updating OSP command line configurations in tomcat setenv file
    Configuring OSP.
    Creating OSP Keystore.
    Modifying Tomcat server.xml
    chmod: cannot access ‘osp-custom-resource.jar’: No such file or directory
    cp: cannot stat ‘/tmp/ospjar/osp-custom-resource.jar’: No such file or directory
    cp: cannot stat ‘/tmp/ospjar/osp-custom-resource.jar’: No such file or directory
    chmod: cannot access ‘osp.war’: No such file or directory
    cp: cannot stat ‘/tmp/ospwar/osp.war’: No such file or directory
    Verifying installed components...

    Initializing Identity Applications configurations
    Importing Identity Vault certificates.
    Importing ldif schema
    Updating Tomcat configuration
    Modifying Tomcat context.xml
    Generating master key
    Deploying the Identity Applications drivers. It may take a few minutes...
    rm: cannot remove ‘/tmp/idm_install/SSL CertificateDNS_server.ks’: No such file or directory
    Creating configurations files
    Unable to create SAML Trusted Root objects.
    Configuring the database. The configuration may take few minutes
    Setting up database users and schema...
    Verifying installed components...
    Importing Identity Vault certificates.

    Merging the default Identity Manager settings with the SSPR configuration
    Importing SSPR LDIF configurations to Identity Vault

  • kuronen wrote:

    >
    > Hi there,
    >
    > I am doing a new install of user application to RHEL 7 with install.sh
    > followed by configure.sh and it always fails to import certificates from
    > the identity vault to the the tomcat.ks (idm.ks and osp.ks seem to go
    > fine though). I can use my own keystore but errors in the install are
    > not tolerable. I would appreciate any hints on how to correct the
    > issue.
    >


    I've seen it on every 4.7 install I have performed so far. Don't have a way to
    work around this.



    --
    If you find this post helpful, and are viewing this using the web, please show
    your appreciation by clicking on the star below
  • Despite my bold statement I had to tolerate it as well. But it's working now, so I can add that to the list of undocumented oddities.
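The certificate-import step the log shows (keytool copying a vault certificate keystore into tomcat.ks) can be reproduced and checked by hand. The script below is an added example, not code from this thread or from the NetIQ installer: it takes the `openssl s_client -showcerts` output the original post already uses to confirm connectivity, splits it into one PEM file per certificate, imports each one into a PKCS12 keystore with keytool (the format the log's keytool warning recommends) and lists the store, which is how to confirm whether a keystore such as osp.jks actually holds the identity vault root CA. Host name, port, keystore path, alias names and the store password are assumptions; the sample s_client output is constructed with placeholder certificate bodies; and the import demo only runs when openssl and keytool are on the PATH. Every path is quoted so that a file name containing a space, like the `SSL CertificateDNS_server.ks` in the log, is passed as a single argument.

```shell
#!/bin/sh
# Added example, not code from the thread or from the NetIQ installer.
# Reproduces the "import vault certificates" step by hand:
#   1. capture the chain that `openssl s_client -showcerts` prints,
#   2. split it into one PEM file per certificate,
#   3. import each PEM into a keystore with keytool and list the result.
# Every path is quoted so a name containing a space (as in
# "/tmp/idm_install/SSL CertificateDNS_server.ks") stays one argument.
# Host, port, keystore path, aliases and store password are assumptions.

# split_chain SRC OUTDIR: write each BEGIN..END CERTIFICATE block in SRC
# to OUTDIR/cert-N.pem and print the number of blocks found.
split_chain() {
    src="$1"; out="$2"
    mkdir -p "$out"
    awk -v dir="$out" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; keep = 1 }
        keep                          { print > f }
        /-----END CERTIFICATE-----/   { keep = 0; close(f) }
        END                           { print n + 0 }
    ' "$src"
}

# fetch_chain HOST PORT OUTFILE: capture s_client output from a live LDAPS
# port (needs network; the offline demo below does not call it).
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null >"$3" 2>/dev/null
}

# describe_certs DIR: print subject and issuer of each extracted PEM.
describe_certs() {
    for pem in "$1"/cert-*.pem; do
        [ -f "$pem" ] || continue
        printf '%s: ' "$pem"
        openssl x509 -in "$pem" -noout -subject -issuer 2>/dev/null \
            || echo "(not a parseable certificate)"
    done
}

# import_chain DIR KEYSTORE STOREPASS: import every PEM as a trusted
# certificate (creating KEYSTORE as PKCS12 if absent), then list the
# store so the presence of the vault root CA can be confirmed.
import_chain() {
    dir="$1"; ks="$2"; pass="$3"; i=0
    for pem in "$dir"/cert-*.pem; do
        [ -f "$pem" ] || continue
        i=$((i + 1))
        keytool -importcert -noprompt -trustcacerts -alias "vault-chain-$i" \
            -file "$pem" -keystore "$ks" -storetype PKCS12 -storepass "$pass" \
            || return 1
    done
    keytool -list -keystore "$ks" -storepass "$pass"
}

# demo_import: with openssl and keytool present, generate a throwaway
# self-signed certificate as a stand-in for the vault's root CA, wrap it
# in s_client-style framing, then split and import it.
demo_import() {
    d="${TMPDIR:-/tmp}/vault demo"
    rm -rf "$d/certs"; mkdir -p "$d/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=org/OU=Organizational CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
    { echo "Certificate chain"; echo " 0 s:O = org, OU = Organizational CA";
      cat "$d/ca.pem"; echo "---"; } >"$d/sclient.txt"
    split_chain "$d/sclient.txt" "$d/certs" >/dev/null
    rm -f "$d/demo.ks"
    import_chain "$d/certs" "$d/demo.ks" changeit
}

# Constructed sample of s_client -showcerts output. The two certificate
# bodies are placeholders, not real certificates; they only exercise the
# splitter offline.
SAMPLE="${TMPDIR:-/tmp}/sclient-sample.txt"
cat >"$SAMPLE" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = server.example.org
   i:O = org, OU = Organizational CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderLEAFcertificateBody0000000000000000000000000000
-----END CERTIFICATE-----
 1 s:O = org, OU = Organizational CA
   i:O = org, OU = Organizational CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderROOTcertificateBody0000000000000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = server.example.org
EOF

WORK="${TMPDIR:-/tmp}/vault chain"      # directory name with a space, on purpose
COUNT=$(split_chain "$SAMPLE" "$WORK")
echo "certificates extracted from sample: $COUNT"   # → 2
if command -v openssl >/dev/null 2>&1; then
    describe_certs "$WORK"
fi
if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
    demo_import || echo "keystore import demo failed"
else
    echo "openssl and keytool are both needed for the import demo; skipped"
fi
```

Against a real vault, run `fetch_chain vault.example.org 636 chain.txt`, then `split_chain chain.txt certs` and `import_chain certs tomcat.ks <password>`; the `keytool -list` output should show one trustedCertEntry per chain member, the last of them the vault's root CA, which is the check the osp.jks question above calls for.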