DirXML Loader Error : SSL3_GET_SERVER_CERTIFICATE:certificat


Hi

We are using Novell Identity Manager to sync our passwords between our
different directories, namely Novell eDirectory and MS Active
Directory.

We noticed that passwords stopped being synced, and on the Windows Domain
Controller we get the following error:
Driver:
Thread: Subscriber Channel
Object:
Message: SSL protocol failure: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Research leads me to believe that it's related to the SSL certificate and
that it may have expired.
Unfortunately, I know very little about Novell and I am not sure how to
replace the certificate.

I have also read the article here http://tinyurl.com/psx468a which seems
to be the fix for the issue, but as mentioned I just don't know how to
implement it.

Your assistance is highly appreciated.


Thank you.


--
eugene20022002
------------------------------------------------------------------------
eugene20022002's Profile: https://forums.netiq.com/member.php?userid=10237
View this thread: https://forums.netiq.com/showthread.php?t=54038

  • For most drivers like microsoft active directory (MAD) you can just go and
    create a new certificate in iManager, then change the driver config's
    Remote Loader line to refer to this new Key Material Object (KMO) by its
    short name, which is the name you give the KMO/certificate when creating
    it in iManager. For example, if you created 'mad-driver' as the name of
    the certificate/KMO, you would modify the Remote Loader configuration line
    within the MAD driver object to have kmo='mad-driver' even though the
    full object name within the directory would be 'mad-driver - servernamehere'.

    On the eDirectory driver side, usually you'll want to use Designer to
    recreate the certificates, as it has a nice wizard that works well for
    this. Clear out the 'Authentication ID' fields on both sides' drivers,
    then let the wizard create new KMOs and deploy everything for you.

    For now, start with the MAD driver, as that's probably the one to use to
    verify things. It may be worthwhile within iManager to view the
    certificate and be sure expiration is the problem. It could also be
    tightened SSL requirements (see the news in the past couple of years for
    reasons why), or time issues (a box's time is way off, invalidating
    certificates prematurely), etc.

    By default, KMOs are minted for two years, so if it has been two years
    since the drivers were put in, or the certificate at least was created,
    that would make sense supporting certificate expiration, but you can
    clearly see the validity dates looking on the KMO directly (iManager, LDAP
    with anything mildly current, openssl if able to connect to a service
    using the certificate, etc.).

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below...

  • Thank you for your quick response.

    Will download Designer and take it from there.


    --
    eugene20022002


  • Ok, I finally managed to install Designer and attach the vault, but I'm
    unable to see the TLS settings.

    I tried Model > eDir-to-eDir, BUT the Secure Connection settings are greyed
    out.
    Also tried Vault > driverset > eDirectory properties > Driver
    Configurations > Authentication tab, BUT the TLS button is missing.
    Completely lost now.
    Thanks


    --
    eugene20022002


  • You don't need Designer for the IDM to AD connection, only iManager.
    Follow this part of the documentation http://tinyurl.com/qew3pjq
    You don't have to do the last part about the keystore since you are using
    the normal Remote Loader; just copy the new certificate to the Remote
    Loader server, and in the Remote Loader Console stop the service and edit
    it. There you have a browse button for the certificate.
    You also need to change the KMO text part in the driver properties to
    use the new certificate name; this can be done in Designer or iManager.


    --
    joakim_ganse
    ------------------------------------------------------------------------
    joakim_ganse's Profile: https://forums.netiq.com/member.php?userid=159
    View this thread: https://forums.netiq.com/showthread.php?t=54038

  • On 08/13/2015 06:14 AM, joakim ganse wrote:
    >
    > You don't need Designer for the IDM to AD connection, only iManager.
    > Follow this part of the documentation http://tinyurl.com/qew3pjq
    > You don't have to do the last part about keystore since you are useing
    > the normal Remote Loader, just copy the new certificate to the Remote


    Just to be clear, the part copied from the engine (exported via iManager)
    to the Remote Loader (RL) system is not the new certificate, but the CA's
    self-signed certificate. As a result, unless the CA itself is also
    recreated (only expires every ten years, by default) there is nothing to
    do here. All that is needed is to create a new KMO (or maybe better yet,
    delete and recreate the current KMO) and restart the driver object.


    --
    Good luck.

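The checks described in the two replies above (look at the KMO's validity dates, rule out a skewed clock, and make sure the Remote Loader holds the tree CA's certificate rather than the new KMO) as an added example; this is not code from the thread, from NetIQ or from eDirectory. It mints a throwaway "tree CA" and a KMO-style server certificate with the openssl CLI, then classifies each verify failure the way the Remote Loader would experience it. It assumes openssl 1.1.1 or 3.x on PATH; every name, path and lifetime in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from NetIQ: mint a throwaway
# "tree CA" and a KMO-style server certificate, then reproduce each cause of
# "certificate verify failed" the thread lists. Assumes the openssl CLI
# (1.1.1 or 3.x) is on PATH; every name, path and lifetime is constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed files

# Self-contained req config so the result does not depend on the system's
# openssl.cnf; -subj on the command line overrides the placeholder CN.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# A self-signed CA good for ten years (the eDirectory default the thread
# mentions); $1 is its CN, $2 the output basename.
mint_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORK/req.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# The tree CA, an unrelated CA (stands in for "the RL was given the wrong CA
# cert") and a two-year server certificate signed by the tree CA, which is
# the default KMO lifetime the thread quotes.
mint_constructed_certs() {
    mint_ca "Constructed Tree CA" ca
    mint_ca "Unrelated CA" other-ca
    openssl req -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=idm-engine.example.test" \
        -keyout "$WORK/kmo.key" -out "$WORK/kmo.csr" 2>/dev/null
    openssl x509 -req -days 730 -in "$WORK/kmo.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/kmo.pem" 2>/dev/null
    # Captured after minting so "now" is never earlier than notBefore.
    NOW=$(date +%s)
}

# Show the validity window of a PEM certificate and fail when it is expired
# or expires within $2 seconds (default 30 days): the check to run before
# concluding "it must be expiry".
check_validity() {
    openssl x509 -in "$1" -noout -subject -dates
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Verify $1 against CA file $2 as of epoch time $3 (default: now). This is
# the check the Remote Loader performs with the CA cert copied to it, and
# -attime simulates a host whose clock is far off.
verify_at() {
    openssl verify -attime "${3:-$NOW}" -CAfile "$2" "$1" 2>&1
}

# Map a verify result onto the causes named in the thread. Prints one word
# and returns 0 only when the chain verifies.
diagnose() {
    if out=$(verify_at "$1" "$2" "${3:-$NOW}"); then
        echo "ok"
        return 0
    fi
    case "$out" in
        *"has expired"*)                echo "expired" ;;
        *"not yet valid"*)              echo "not-yet-valid" ;;
        *"unable to get local issuer"*) echo "untrusted-issuer" ;;
        *)                              echo "other" ;;
    esac
    return 1
}

# Mint the constructed certs and print a verdict for four scenarios:
# healthy, wrong CA on the RL side, clock three years ahead, clock a day behind.
report() {
    mint_constructed_certs
    check_validity "$WORK/kmo.pem" || echo "warning: certificate expires within 30 days"
    for scenario in \
        "healthy:$WORK/ca.pem:$NOW" \
        "wrong-ca:$WORK/other-ca.pem:$NOW" \
        "clock-3y-ahead:$WORK/ca.pem:$((NOW + 3 * 365 * 86400))" \
        "clock-1d-behind:$WORK/ca.pem:$((NOW - 86400))"
    do
        name=${scenario%%:*}; rest=${scenario#*:}
        ca=${rest%%:*}; at=${rest#*:}
        verdict=$(diagnose "$WORK/kmo.pem" "$ca" "$at") || true
        echo "$name -> $verdict"
    done
}

report
```

Run it as `sh check_kmo.sh` (the filename is arbitrary). To apply the same checks to a real deployment, export the KMO's certificate and the tree CA's self-signed certificate from iManager and call `check_validity` and `diagnose` on those files instead of the constructed ones; the verdicts map directly onto the three causes the replies above name: an expired KMO, a host clock that is off, and a Remote Loader that was handed a certificate other than the CA's.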

  • I'm making progress.
    Halfway there. It can now sync from AD to eDirectory but not vice versa.

    What I have done now is export the certificate cert.b64, rename it
    to cert.pem and restart the Remote Loader, and now I get the original error.

    Any suggestions?


    --
    eugene20022002


  • ab;259789 Wrote:
    > On 08/13/2015 06:14 AM, joakim ganse wrote:
    > >
    > > You don't need Designer for the IDM to AD connection, only iManager.
    > > Follow this part of the documentation http://tinyurl.com/qew3pjq
    > > You don't have to do the last part about keystore since you are using
    > > the normal Remote Loader, just copy the new certificate to the Remote
    >
    > Just to be clear, the part copied from the engine (exported via iManager)
    > to the Remote Loader (RL) system is not the new certificate, but the CA's
    > self-signed certificate. As a result, unless the CA itself is also
    > recreated (only expires every ten years, by default) there is nothing to
    > do here. All that is needed is to create a new KMO (or maybe better yet,
    > delete and recreate the current KMO) and restart the driver object.
    >
    >
    > --
    > Good luck.
    >
    > If you find this post helpful and are logged into the web interface,
    > show your appreciation and click on the star below...


    Thanks for your assistance. I re-exported the CA cert and let the Remote
    Loader use that. I'm not getting any errors and everything looks fine, but
    things are still not syncing from AD to eDirectory.
    Where can I even look for errors or logs to try and trace where the
    issue could be and where it's failing?


    --
    eugene20022002


  • eugene20022002;259799 Wrote:
    > Thanks for your assistance. I re-exported the CA cert and let the remote
    > loader use that. Im not getting any errors and everything looks fine but
    > thiings or still not syncing from AD to eDirectory.
    > Where can I even look for errors or logs to try and trace where the
    > issue could be and where its failing?


    When I tested initially, I found the duplicate password error in our
    Splunk.

    Thank you again for all your assistance, guys.


    --
    eugene20022002