NAM Open Lab 3: Configuring Identity Server, LDAP User Store, Device Manager



In this Open Lab we will configure the Identity Server, the LDAP user store, and the Device Manager (iManager embedded eDirectory).

This Open Lab builds on the configured NAM_all_in_one (see previous Open Labs 1 and 2).

NAM Open Lab, Part 1

NAM Open Lab, Part 2

What You Need

A configured NAM_all_in_one (see previous Open Labs 1 and 2)


1. Go to the NAM_all_in_one virtual machine.

2. If you have not already done so, adapt the /etc/hosts file on the host and guest to contain the DNS names of the systems in use, as follows: localhost NAMbox1 core (optional)

3. Open a browser and go to:

Devicemanager (a dedicated version of iManager) should come up. It will automatically redirect to

The SSLVPN should be green. The Access Gateway should turn green after a few minutes, and the Identity Server will be red because it is not configured yet.

Figure 1 - Access Manager status lights

4. Click Identity Servers > Setup > New.

5. Set the Name as "utopia-IDPa".

6. Set the Base URL to "".

7. Click Next.

8. Specify the Organization (mandatory, but for reference only).

9. Set both the Name and the Display Name to "utopia-IDPa".

10. Set the URL to "".

11. Specify the initial User Store. If you have enough hardware, you can use the Identity Vault of the Utopia system. If you prefer to keep it slim, then you can use the embedded eDirectory of Novell Access Manager.

Name: Embedded user store
Admin name: cn=admin,o=novell
Admin password: novell
Confirm pw: novell
Directory Type: eDirectory

12. Specify the server replicas:

Name: Utopia User Store
IP Address:
Check: Use Secure LDAP connections

Figure 2 - Server replica information

13. Select "Auto import trusted root" and click OK.

14. Name it Utopia_LDAP_troot and click OK twice.

15. Specify the search contexts:

Search context: o=novell
Scope: Subtree

16. Click Finish.

17. Go to the Servers tab.

18. Specify and select Actions > Assign to configuration.

19. In the next screen, select "utopia-IDPa".

Figure 3 - Selecting the utopia-IDPA server

20. Click Assign.

Figure 3a - Assigning the utopia-IDPA server to the configuration


1. From a terminal connection to, stop Tomcat. Or, you can first open a separate terminal to trace Tomcat by running "tail -f /var/opt/novell/tomcat4/logs/catalina.out" at that terminal.

NAMbox1:~ # /etc/init.d/novell-tomcat4 stop
Stopping tomcat4: Using CATALINA_BASE: /var/opt/novell/tomcat4
Using CATALINA_HOME: /var/opt/novell/tomcat4
Using CATALINA_TMPDIR: /var/opt/novell/tomcat4/temp
Using JAVA_HOME: /opt/novell/java

waiting for processes to exit
NAMbox1:~ # /etc/init.d/novell-tomcat4 stop
Stopping tomcat4: /etc/init.d/novell-tomcat4: line 143: success: command not found

2. Verify whether there were any errors while stopping Tomcat:

cat /var/opt/novell/tomcat4/logs/catalina.out

Errors may be ignored, because the configuration was not done yet.

3. If catalina.out reports "Device Manager license manager stopped", then restart Tomcat:

/etc/init.d/novell-tomcat4 start
Starting tomcat4: Using CATALINA_BASE: /var/opt/novell/tomcat4
Using CATALINA_HOME: /var/opt/novell/tomcat4
Using CATALINA_TMPDIR: /var/opt/novell/tomcat4/temp
Using JAVA_HOME: /opt/novell/java

4. Verify whether there were any errors while starting Tomcat:

cat /var/opt/novell/tomcat4/logs/catalina.out

I always see the following error; it might have to do with the fact that we run everything on one box, and that is not supported:

ServerLifecycleListener: createMBeans: Throwable Catalina:type=Connector,service=Tomcat-Standalone,port=0,address=null

5. Verify your Access Manager status by going to the Device Manager console and selecting Access Manager > Overview. The Identity Server should be green.

6. Test the IDP by checking the IDP login: browse to "".

Figure 4 - Testing the IDP

You should be able to log in with any user from the users' container in Utopia (e.g.: ablake / novell). What you see is the so-called "user application" of Access Manager.

Figure 5 - Access Manager "user application"

Note that the admin user is in o=system, and that is out of the search scope that we defined.

7. Check the IDP's metadata by browsing to "". You should see an XML blob that is the IDP's metadata.

Figure 6 - Checking the IDP metadata
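The catalina.out checks in the Tomcat stop/start steps above can be scripted instead of reading the whole file with cat. The following is an added example, not part of the original lab: the log path and the two quoted messages come from the lab text, while the error patterns (SEVERE, ERROR, Exception, Throwable) and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage catalina.out after a novell-tomcat4 stop/start.
LOG_DEFAULT=/var/opt/novell/tomcat4/logs/catalina.out   # path from the lab
STOP_MARKER='Device Manager license manager stopped'    # message from the lab
# Error the lab reports as always present on an all-in-one box.
KNOWN_NOISE='ServerLifecycleListener: createMBeans: Throwable'

# Exit 0 if the log shows that the Device Manager finished stopping.
stop_completed() {
    grep -qF "$STOP_MARKER" "$1"
}

# Print "lineno:text" for error-looking lines, minus the known one.
# The pattern list is an assumption; extend it for your environment.
unexpected_errors() {
    grep -nE 'SEVERE|ERROR|Exception|Throwable' "$1" | grep -vF "$KNOWN_NOISE"
}

# Write a constructed sample log (not real Access Manager output).
write_sample_log() {
    cat > "$1" <<'EOF'
INFO: constructed sample: connector stopping
Device Manager license manager stopped
ServerLifecycleListener: createMBeans: Throwable Catalina:type=Connector,service=Tomcat-Standalone,port=0,address=null
SEVERE: constructed sample: user store connection failed
INFO: constructed sample: server startup complete
EOF
}

# Summarise one log file; return 1 if unexpected errors are present.
triage() {
    if stop_completed "$1"; then
        echo "stop marker found: Tomcat can be started again"
    else
        echo "stop marker not found: Tomcat may still be shutting down"
    fi
    errs=$(unexpected_errors "$1" || true)
    if [ -z "$errs" ]; then
        echo "no unexpected errors"
        return 0
    fi
    echo "unexpected errors (line:text):"
    echo "$errs"
    return 1
}

# Demo on the constructed sample; on the lab VM run: triage "$LOG_DEFAULT"
SAMPLE=$(mktemp) && write_sample_log "$SAMPLE"
triage "$SAMPLE" || true
rm -f "$SAMPLE"
```
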


Problem 1: Unable to complete request at this time. Cause/Code: 300101037

If this condition persists, please contact your network administrator.

Figure 7 - Error: Unable to complete request

Solution: Slow down, close the browser, wait a moment, and try again.

Problem 2: The Identity Server does not turn green.

Solution: Click on the red cross and check the error.

Figure 8 - Checking the error

In this example we used the Utopia user store, but there seems to be an error in the communication.

Figure 9 - Communication error

a) Using an LDAP browser, can you log in to the eDirectory that runs on the Utopia VM?

Figure 10 - Checking eDirectory login for Utopia VM

b) Check the IDP configuration: did you make any typos?

c) Go to Identity servers > Utopia-IDPa > Local tab > Utopia User Store > Check IP addresses, ports. Did you import the trusted root certificate, and are the admin user, his context, and his password OK?

d) Set up tracing on eDirectory (see previous lab) and find the error message.

Problem 3: The Identity Server may not be current. The status says "Update Servers".

Figure 11 - Identity Server is not current

When the Identity Server is up to date, the status will say "Current," and the text will not be clickable.

Figure 12 - Identity Server is current


Comment List
  • When you are installing a fresh SLES, don't use the update during the setup.

    During the update (if a new kernel exists) the server reboots and you are asked to create the SLES CA (password is missing).
    After that, you can't install the NAM console, because the LDAPS isn't up and running, and the setup stops.