UserApp Cert Error - Initial Role Assignment

The cert that our UserApp site was using expired, so we had to renew it. Now that we have the new cert there, our calls from the eDir server to UserApp are failing with the error below. This is where we assign the initial Role which contains AD and Exchange, so we are having a bunch of accounts created but with no AD and Exchange, which is obviously a huge deal. Can anyone advise on what we need to do? This is impacting our PROD environment for new users.

Thanks!
Casey

DirXML Log Event -------------------
Driver: \TEST\system\Driver Set\User Processor
Channel: Subscriber
Status: Error
Message: Code(-9205) Error in vnd.nds.stream://TEST/system/Driver Set/User Processor/Subscriber/sub-etp-InitialRoleAssignment#XmlData:45 : Couldn't request assignment of role: 'CN=Students,CN=Level30,CN=RoleDefs,CN=RoleConfig,CN=AppConfig,CN=UserApplication,CN=Driver Set,O=system' to identity: 'CN=TTESTING,OU=users,O=data': com.novell.nds.dirxml.soap.UserAppClientException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
On 6/20/2018 5:14 PM, cosborne wrote:
    >
    > The cert that our UserApp site was using expired so we had to renew. Now
    > that we have new cert there, our calls from eDir server to UserApp are
    > failing with this error, this is where we assign the initial Role which
    > contains AD and Exchange, so we are having a bunch of accounts created
    > but no AD and Exchange, which is obviously a huge deal. Can anyone
    > advise on what we need to do, this is impacting our PROD environment for
    > new users.
    The engine's JVM that IDM uses is in:
    /opt/novell/eDirectory/lib64/nds-modules/jre

    In 4.7 that is a symlink to /opt/netiq/common/jre which is nice.

    Get the cert's signer's public key. Is it commercial? If so, you should
    have it from when you imported the cert. Regardless, go to the UA, in
    any browser, click on the lock/security icony thingy near the titley
    bar-y thingy. (There are probably real names for all those '-y things,
    but I do not care.)

    View details, view certificate, etc. Find the certification chain. For
    each node, export the public key to a file. B64 or binary does not
    really matter; B64 might be easier.

    Copy the files to your engine server.

    /opt/novell/eDirectory/lib64/nds-modules/jre/bin/keytool -keystore
    /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts -storepass
    changeit -import -alias UA-Cert -trustcacerts -file /path/to/file

    Use the keytool in the bin directory of the JRE, specify the -keystore,
    which is lib/security/cacerts under the JRE, then issue the
    command -import, then ask for it to be flagged as trusted with -trustcacerts,
    give it a nickname with -alias nickname, and then specify the file to be
    imported.

    Prove it worked:
    /opt/novell/eDirectory/lib64/nds-modules/jre/bin/keytool -keystore
    /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts -storepass
    changeit -list -v | less

    Find your alias/cert in the list.

    If you have a chain of certs import them all, changing -alias and -file
    values to match.
    Restart eDir on that box.


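The import-the-whole-chain step from the reply above, scripted, as an added example that is not code from the thread or from NetIQ. It assumes the engine JRE path given in the reply, the standard `lib/security/cacerts` keystore location and the default `changeit` store password (all overridable through the environment), and a single PEM bundle holding the exported chain. The two-certificate bundle embedded in `write_sample_bundle` is constructed placeholder data that exercises only the splitter offline; it is not a real certificate and would be rejected by keytool.

```shell
#!/bin/sh
# Added example, not from the thread: import every certificate of the UserApp
# chain into the IDM engine JRE's cacerts, one alias per certificate, then verify.
# Assumptions: engine JRE path from the reply, standard lib/security/cacerts,
# default store password "changeit". Override through the environment if different.
JRE=${JRE:-/opt/novell/eDirectory/lib64/nds-modules/jre}
KEYSTORE=${KEYSTORE:-$JRE/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# split_chain BUNDLE OUTDIR: write one file per certificate (cert-1.pem, cert-2.pem, ...)
# and print how many were found. Only lines between the BEGIN/END markers are copied,
# so "subject=" style headers that openssl prints around a chain are ignored.
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { close(out); inside = 0 }
        END                           { print n + 0 }
    ' "$1"
}

# import_chain BUNDLE [ALIAS_PREFIX]: keytool -importcert each piece as PREFIX-1, PREFIX-2, ...
# -noprompt skips the interactive "Trust this certificate?" question; -trustcacerts
# lets keytool chain intermediates to roots already in the store.
import_chain() {
    bundle=$1
    prefix=${2:-UA-Cert}
    tmp=$(mktemp -d) || return 1
    count=$(split_chain "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        "$JRE/bin/keytool" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
            -importcert -noprompt -trustcacerts \
            -alias "$prefix-$i" -file "$tmp/cert-$i.pem" || { rm -rf "$tmp"; return 1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "imported $count certificate(s) with alias prefix $prefix"
}

# alias_present ALIAS: succeed only if keytool lists that alias in the keystore
# (the scripted form of the "find your alias in keytool -list -v" check).
alias_present() {
    "$JRE/bin/keytool" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -list -alias "$1" >/dev/null 2>&1
}

# write_sample_bundle FILE: constructed two-block PEM bundle (placeholder bytes,
# not real certificates) used only to exercise split_chain offline.
write_sample_bundle() {
    cat > "$1" <<'EOF'
subject=CN=userapp.example.test
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=
-----END CERTIFICATE-----
subject=CN=Example Intermediate CA (placeholder)
-----BEGIN CERTIFICATE-----
MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3A=
-----END CERTIFICATE-----
EOF
}

# Usage: sh import-ua-chain.sh /path/to/chain.pem [alias-prefix]
if [ "$#" -ge 1 ]; then
    import_chain "$1" "${2:-UA-Cert}" && alias_present "${2:-UA-Cert}-1" \
        && echo "alias ${2:-UA-Cert}-1 is now in $KEYSTORE; restart eDirectory to pick it up"
fi
```

Run it against the bundle you exported from the browser (or from `openssl s_client -showcerts`, whose `subject=` lines the splitter skips), then restart eDirectory as the reply says, since the engine JVM only reads cacerts at startup. Aliases must be unique per keystore, so re-running after a future renewal needs a new prefix or a `keytool -delete -alias` of the old entries first.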