Identity Console 1.80 - Non-Docker: Error reading PKCS#12 file

A new, fresh IC installation generates an error. See the log below in red.

The server certificate is created fine in the tree with the name "mycert", and the password was simply set to "password12345".

identityconsole_install.log

…..

….

ANNEX 2, SPECIFIC SOFTWARE TERMS

 

Staging License.  Provided that Licensee is in compliance with the terms of this Agreement, Licensee is authorized to use the Licensed Software in Licensee’s internal, non-production environment solely for testing purposes in a quantity equal to that of Licensee’s User commercial licenses.

 

Evaluation Software.  If the Licensed Software is an evaluation version or is provided to Licensee for evaluation purposes, then, unless otherwise approved in writing by an authorized representative of Licensor, Licensee’s license to use the Licensed Software is limited solely for internal evaluation purposes in non-production use and in accordance with the terms of the evaluation offering under which Licensee received the Licensed Software, and expires 90 days from installation (or such other period as may be indicated within the Licensed Software).  Upon expiration of the evaluation period, Licensee must discontinue use of the Licensed Software, return to an original state any actions performed by the Licensed Software, and delete the Licensed Software entirely from Licensee’s system and Licensee may not download the Licensed Software again unless approved in writing by an authorized representative of Licensor.  The Licensed Software may contain an automatic disabling mechanism that prevents its use after a certain period of time.

 

(09102019)

 

 

Do you accept the terms and conditions of the license agreement?:[y/n/q] [INFO] No existing identityconsole installation found.

[INFO] Installed required rpms.

[WARNING] Found existing eDirectory installation. Installing only identityconsole rpms.

warning: ./packages/edirapi-1.8.0.0000.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID e08e4762: NOKEY

Preparing...                          ########################################

Updating / installing...

edirapi-1.8.0.0000-0                  ########################################

warning: ./packages/identityconsole-1.8.0.0000.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID e08e4762: NOKEY

Preparing...                          ########################################

Updating / installing...

identityconsole-1.8.0.0000-0          ########################################

Created symlink /etc/systemd/system/multi-user.target.wants/netiq-identityconsole.service → /usr/lib/systemd/system/netiq-identityconsole.service.

[INFO] Installed rpms successfully.

[INFO] Identityconsole installation successful.

[INFO] Adding nds group and user if they do not exist.

groupadd: group 'nds' already exists

useradd: user 'nds' already exists

Enter the Identity Console server hostname/IP address[10.1.224.196]:

Enter the port number you wish for identityconsole to listen on[9000]:

Enter the eDirectory server hostname(s) or ip address(s) to which you want to allow identity console to connect to (Ex: 10.10.10.10:636)[]: 10.1.224.196:636

[WARNING] Multi tree login is not supported with OSP. Only one eDirectory tree can be connected if configured with OSP.

Do you want to integrate OSP with identityconsole:[y/n/q] Do you want to import the CA certificate from server?

[WARNING] This step involves importing the certificate from the server, requiring user trust in the certificate. Are you sure you want to import the CA certificate from the server?:[y/n/q]

Enter the eDirectory server Domain name/IP address with LDAPS port number[10.1.224.196:636]:

[INFO] Trusted root certificate(s) copied successfully from server to "/tmp/SScert.pem"

 

[INFO] CA certificate copied Successfully.

Do you want to generate the Server Certificate?:[y/n/q] Enter the eDirectory server Domain name/IP address with LDAPS port number[10.1.224.196:636]:

Enter the eDirectory username[cn=admin,ou=sa,o=system]: cn=admin,ou=xxxxxx,o=xxxxxx

Enter the eDirectory user password:

Re-enter the eDirectory user password:

Enter the Server Certificate name[cert]: mycert

Enter the server certificate password:

Re-enter the server certificate password:

Error reading PKCS#12 file

139878726301344:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:

err = -1

[ERROR] Wrong server certificate password. Exiting.

svrlldapt71:/tmp/IdentityConsole_180_Linux #

  • 0

    Possibly this problem:

    https://community.microfocus.com/cyberres/iga/edirectory/f/discussions/529532/identity-console-1-8---installer-bug

    Only difference: I entered "no" for "Do you want to generate the Server Certificate?"

    You can try this:

    /usr/bin/identityconsoleUninstall
    
    mkdir -p /etc/opt/novell/eDirAPI/cert/
    touch /etc/opt/novell/eDirAPI/cert/keys.pfx
    chown -R nds:nds /etc/opt/novell/eDirAPI/
    

    Then reinstall Identity Console. If this workaround does not work for you, you might try to export the pfx from eDirectory and then, instead of generating the certificate, import it.

  • 0 in reply to 

    I saw your post before I posted my problem.
    The cert directories and nds owner are already correct.

    Our environment is:
    eDirectory 9.2.9
    Identity Manager Engine 4.9.0

  • 0 in reply to 

    Hi,

    After installation I see the following errors in /var/opt/novell/eDirAPI/log/edirapi.log when I try to start the service:
    systemctl restart netiq-identityconsole.service;

    svrlldapt71:/tmp/IdentityConsole_180_Linux # systemctl status netiq-identityconsole.service;
    × netiq-identityconsole.service - Identity Console service
    Loaded: loaded (/usr/lib/systemd/system/netiq-identityconsole.service; enabled; vendor preset: disabled)
    Active: failed (Result: exit-code) since Thu 2024-09-12 12:19:14 CEST; 7s ago
    Process: 8263 ExecStart=/opt/novell/eDirAPI/sbin/edirapi -config /etc/opt/novell/eDirAPI/conf/edirapi.conf (code=exited, status=1/FAILURE)
    Main PID: 8263 (code=exited, status=1/FAILURE)

    Sep 12 12:19:14 svrlldapt71 systemd[1]: Started Identity Console service.
    Sep 12 12:19:14 svrlldapt71 systemd[1]: netiq-identityconsole.service: Main process exited, code=exited, status=1/FAILURE
    Sep 12 12:19:14 svrlldapt71 systemd[1]: netiq-identityconsole.service: Failed with result 'exit-code'.

    svrlldapt71:/tmp/IdentityConsole_180_Linux # tail -f /var/opt/novell/eDirAPI/log/edirapi.log
    {"level":"fatal","msg":"open key.pem: no such file or directory","time":"Thursday, 12-Sep-24 12:17:52 CEST"}
    {"level":"fatal","msg":"open key.pem: no such file or directory","time":"Thursday, 12-Sep-24 12:19:14 CEST"}
    {"level":"fatal","msg":"open key.pem: no such file or directory","time":"Thursday, 12-Sep-24 12:19:59 CEST"}

    Which file is meant here?
    I only find the following cert files.
    A key.pem file does not exist in the cert directory.


    svrlldapt71:/tmp/IdentityConsole_180_Linux # cd /etc/opt/novell/eDirAPI/cert/
    svrlldapt71:/etc/opt/novell/eDirAPI/cert # ll
    total 16
    -rw-r--r-- 1 nds nds 1846 Sep 12 12:16 SSCert.pem
    -rw-r--r-- 1 root root 1395 Sep 12 12:16 SSECCert.pem
    -rw-r--r-- 1 nds nds 4766 Sep 12 12:17 keys.pfx
    svrlldapt71:/etc/opt/novell/eDirAPI/cert #

  • 0   in reply to 

    During the Identity Console installation, a utility called nlpcert is run against the keys.pfx and a cert.pem file is created.  I think the log means the cert.pem, since that would be needed to start Identity Console.  You can try running the nlpcert command manually, which is run by /usr/bin/identityconsoleConfigure.sh: su nds -s /bin/bash -c "LD_LIBRARY_PATH=/opt/novell/lib64/:/opt/novell/eDirectory/lib64/:/opt/netiq/common/openssl/lib64/ /opt/novell/eDirAPI/sbin/nlpcert -i /etc/opt/novell/eDirAPI/cert/keys.pfx -p '<cert pwd>' -o /etc/opt/novell/eDirAPI/conf/ssl/private/cert.pem"

    This may reveal the reason the pem files can't be found and/or fix the issue.

    An issue which can occur, preventing the keys.pfx from functioning correctly, is the failure of nici to initialize for the nds user.  When nici initializes for the nds user, a directory with the uid number of the nds user is created under /var/opt/novell/nici.  A possible reason why nici can't initialize as a non-root user is that the directory structure is mounted nosuid.  nicimud64 has a suid bit to allow non-root users to initialize nici.
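    The three preconditions named in the reply above (the per-uid directory under /var/opt/novell/nici, the setuid bit on nicimud64, and a mount without nosuid) can be checked before restarting the service. The script below is an added example, not code from the thread or from the Identity Console product; the paths are the ones quoted in the thread, `findmnt` is assumed to be available (util-linux), and every function takes its inputs as arguments so it can be exercised on constructed data without root.

```shell
#!/bin/sh
# Added example: pre-flight checks for nici initialisation of the nds user.
# Assumptions: GNU/util-linux userland (findmnt), paths as in the thread.

# Return 0 if the comma-separated mount option string in $1 contains nosuid.
mount_opts_have_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print the mount options of the filesystem that holds PATH ($1).
# Prints nothing if findmnt is unavailable; the caller then cannot tell.
mount_opts_for() {
    findmnt -no OPTIONS --target "$1" 2>/dev/null
}

# Return 0 if FILE ($1) exists and carries the setuid bit.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# nici_check NICI_DIR UID HELPER [MOUNT_OPTS]
# Reports each precondition and returns the number of failed checks.
# MOUNT_OPTS is optional; when absent the options are read with findmnt.
nici_check() {
    nici_dir=$1; uid=$2; helper=$3; failed=0
    if [ $# -ge 4 ]; then opts=$4; else opts=$(mount_opts_for "$helper"); fi

    if [ -d "$nici_dir/$uid" ]; then
        echo "ok: $nici_dir/$uid exists (nici initialised for uid $uid)"
    else
        echo "problem: $nici_dir/$uid missing (nici never initialised for uid $uid)"
        failed=$((failed + 1))
    fi

    if is_setuid "$helper"; then
        echo "ok: $helper is setuid"
    else
        echo "problem: $helper is not setuid or is missing"
        failed=$((failed + 1))
    fi

    if mount_opts_have_nosuid "$opts"; then
        echo "problem: filesystem holding $helper is mounted nosuid; the setuid bit is ignored there"
        failed=$((failed + 1))
    elif [ -z "$opts" ]; then
        echo "note: could not read mount options for $helper (findmnt missing?)"
    else
        echo "ok: mount options for $helper: $opts"
    fi
    return $failed
}

# Stand-alone use on a real host: only runs when a local nds account exists.
if id -u nds >/dev/null 2>&1; then
    nici_check /var/opt/novell/nici "$(id -u nds)" /var/opt/novell/nici/nicimud64
fi
```

    A non-zero return value is the count of failed checks, so the function can be wired into a pre-install script with `nici_check ... || echo "fix nici first"`.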

  • 0 in reply to   

    Thanks for the information.
    I checked the suggested settings and also applied them.
    All suggested settings are there, but the service doesn't start.
    Attached are the actions I performed as root or as nds:

    svrlldapt71:/etc/opt/novell/eDirAPI/conf/ssl/private # su nds -s /bin/bash -c "LD_LIBRARY_PATH=/opt/novell/lib64/:/opt/novell/eDirectory/lib64/:/opt/netiq/common/openssl/lib64/ /opt/novell/eDirAPI/sbin/nlpcert -i /etc/opt/novell/eDirAPI/cert/keys.pfx -p 'password' -o /etc/opt/novell/eDirAPI/conf/ssl/private/cert.pem"
    svrlldapt71:/etc/opt/novell/eDirAPI/conf/ssl/private #

    svrlldapt71:/var/opt/novell/nici # su nds
    nds@svrlldapt71:/var/opt/novell/nici> id
    uid=150(nds) gid=476(nds) groups=476(nds)

    svrlldapt71:/var/opt/novell/nici # ll
    total 224
    drwx------ 3 root root 97 Feb 14 2024 0
    drwx------ 3 nds nds 97 Aug 29 16:38 150
    -rw-r--r-- 1 root root 13440 Feb 14 2024 nicifk
    -rw-r--r-- 1 root root 13440 Feb 14 2024 nicifk.new
    -rw-r--r-- 1 root root 13440 Mar 2 2023 nicifk64.new
    -rwsr-xr-x 1 root root 16760 Mar 2 2023 nicimud64
    -rwx------ 1 root root 124280 Mar 2 2023 primenici64
    -r-x------ 1 root root 2969 Mar 2 2023 set_server_mode64
    -rw-r--r-- 1 root root 1951 Feb 14 2024 xarchive.000
    -rw-r--r-- 1 root root 14433 Feb 14 2024 xmgrcfg.nif
    -rw-r--r-- 1 root root 3853 Feb 14 2024 xmgrcfg.wks
    -rw-r--r-- 1 root root 3853 Mar 2 2023 xmgrcfg64.wks

    svrlldapt71:/var/opt/novell/nici/150 # su nds
    nds@svrlldapt71:/var/opt/novell/nici/150> ll
    total 28
    drwx------ 2 nds nds 136 Aug 29 16:38 backup
    -rw-r--r-- 1 nds nds 1996 Oct 3 12:24 edirsec.cfg
    -rw-r--r-- 1 nds nds 362 Aug 29 16:38 xarchive.001
    -rw-r--r-- 1 nds nds 14577 Aug 29 16:38 xmgrcfg.ks2
    -rw-r--r-- 1 nds nds 268 Oct 3 12:24 xmgrcfg.ks3

  • 0 in reply to 

    We found the error.
    The problem was that during installation an attempt was made to create a /home/nds directory (if it did not exist).

    Because our home directories are centrally mounted and therefore /home/nds is available on every server where the IC is installed and the installation script did not have to create a new /home/nds, the installation was actually carried out without errors.

    Unfortunately, the owner uid number of /home/nds does not match the uid number of the configured nds account in the /etc/passwd of the local server where IC is installed. That's why the service wasn't started: the local nds account had no rights to /home/nds (the directory owner's uid number differs from the account's uid number).

    Solution:

    1. We first define a local nds account in /etc/passwd with a globally valid uid number (13500).

    2. We define an entry in /etc/group with gid number 13500.

    3. We create a local user home directory under /opt/novell/nds and make uid number 13500 the owner.
    4. Then we install the IC using the installation script.
    5. Adjust /usr/lib/systemd/system/netiq-identityconsole.service with: WorkingDirectory=/opt/novell/nds

    With this solution we can install the IC on multiple servers, because the WorkingDirectory is no longer /home/nds, which is on a mounted NFS share.
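    The root cause found above (the numeric owner of the service's working directory not matching the local nds account's uid) is easy to detect before installing. The script below is an added example, not code from the thread or from Identity Console: it reads the uid of a named account from a passwd(5)-format file, compares it with the owner of a directory, and prints (without executing) the remediation steps from the post above, using the poster's uid/gid 13500 and /opt/novell/nds. The drop-in file under /etc/systemd/system is my variation on step 5 so the setting survives a package update; `useradd`/`groupadd`/`install` flags are standard shadow-utils and coreutils options.

```shell
#!/bin/sh
# Added example: detect the uid mismatch that stopped netiq-identityconsole.
# Assumptions: GNU stat (-c %u), passwd(5)-format input, values from the thread.

# Print the uid of USER ($2) from PASSWD_FILE ($1); prints nothing if absent.
passwd_uid() {
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

# Print the numeric owner uid of DIR ($1). BSD stat would need -f %u instead.
dir_owner_uid() {
    stat -c %u "$1"
}

# check_service_home PASSWD_FILE USER DIR
# Returns 0 when USER exists in PASSWD_FILE and owns DIR, 1 on a uid mismatch
# (the thread's failure mode), 2 when the account or directory is missing.
check_service_home() {
    passwd_file=$1; user=$2; dir=$3
    account_uid=$(passwd_uid "$passwd_file" "$user")
    if [ -z "$account_uid" ]; then
        echo "problem: no local account '$user' in $passwd_file"
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "problem: working directory $dir does not exist"
        return 2
    fi
    owner_uid=$(dir_owner_uid "$dir")
    if [ "$owner_uid" != "$account_uid" ]; then
        echo "problem: $dir is owned by uid $owner_uid but local '$user' is uid $account_uid"
        return 1
    fi
    echo "ok: $dir is owned by uid $account_uid ('$user')"
    return 0
}

# print_remediation [UID] [HOME]
# Prints the commands corresponding to the poster's steps 1-5; nothing is run.
print_remediation() {
    uid=${1:-13500}; home=${2:-/opt/novell/nds}
    cat <<EOF
# steps 1-3: local account/group with a globally unique id and a local home
groupadd -g $uid nds
useradd -u $uid -g $uid -d $home -M -s /sbin/nologin nds
install -d -o $uid -g $uid -m 0750 $home
# step 4: run the Identity Console installer as usual, then
# step 5 (drop-in variant): point the unit at the local directory
mkdir -p /etc/systemd/system/netiq-identityconsole.service.d
printf '[Service]\nWorkingDirectory=%s\n' "$home" > /etc/systemd/system/netiq-identityconsole.service.d/override.conf
systemctl daemon-reload && systemctl restart netiq-identityconsole.service
EOF
}

# Demonstration on constructed data (no root needed): a fake passwd file in
# which nds has uid 13500, checked against a temp dir owned by the caller.
demo() {
    tmp=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
    printf 'nds:x:13500:13500:eDirectory:/opt/novell/nds:/sbin/nologin\n' >> "$tmp/passwd"
    mkdir "$tmp/nds-home"
    check_service_home "$tmp/passwd" nds "$tmp/nds-home" || echo "(exit status $?)"
    print_remediation 13500 /opt/novell/nds
    rm -rf "$tmp"
}

demo
```

    On a real host the check is `check_service_home /etc/passwd nds /home/nds` (or the directory named by WorkingDirectory in the unit); exit status 1 is exactly the NFS-home situation described in the post, where the exported directory carries a uid from another server's passwd.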