Error (5) accepting SSL connection

Hi There,

I am using PAM 3.5 and AM 4.4, where my PAM is installed on a CentOS machine.

Now I have configured my PAM inside AM, but when I'm launching my SSH Java file from the PAM console, it is showing me the following error in unifid.log.

URL:https://pam.ciit.in/pam/?sso=1

Thu Apr 25 15:07:36 2019, 811, 1148057344, 15060, Info, SSL_accept: error syscall 0
Thu Apr 25 15:07:36 2019, 811, 1173063424, 15060, Info, Error (5) accepting SSL connection from 192.168.1.237
Thu Apr 25 15:07:36 2019, 811, 1173063424, 15060, Info, SSL_accept: error syscall 0
Thu Apr 25 15:07:37 2019, 887, 1173063424, 15060, Warning, Peer certificate [CN = nri-tz-arclog] has expired:
Wed Oct 17 07:55:36 2018
Thu Apr 25 15:07:37 2019, 887, 1173063424, 15060, Warning, Peer certificate [CN = nri-tz-arclog] has expired:
Wed Oct 17 07:55:36 2018
Thu Apr 25 15:07:37 2019, 891, 1173063424, 15060, Error, Peer verification error for nri-tz-arclog(192.168.1.2
35) accessing registry.modQuery unable to get local issuer certificate
Thu Apr 25 15:07:37 2019, 898, 1173063424, 15060, Warning, Invalid peer certificate unable to verify the first c
ertificate
Thu Apr 25 15:07:37 2019, 900, 1173063424, 15060, Error, No service registration record for nri-tz-arclog:gUSrRXEV2/rryCngNJdOdLC8pQ0=<192.168.1.235>


- How do I put the AM cert inside PAM?

Please help me out, guys.
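To triage an excerpt like the one above, the following added example (not from the thread or from the PAM product) parses the unifid.log record format shown (timestamp, ms, thread id, pid, level, message), re-joins the lines the log wraps, and extracts which peer certificate has expired and by how long at the time the log line was written. The sample lines are a constructed copy of the excerpt posted above.

```python
import re
from datetime import datetime

# Constructed sample: lines copied from the unifid.log excerpt in the post.
# Two records continue on a second line, exactly as they appear in the post.
SAMPLE_LOG = """\
Thu Apr 25 15:07:36 2019, 811, 1148057344, 15060, Info, SSL_accept: error syscall 0
Thu Apr 25 15:07:36 2019, 811, 1173063424, 15060, Info, Error (5) accepting SSL connection from 192.168.1.237
Thu Apr 25 15:07:37 2019, 887, 1173063424, 15060, Warning, Peer certificate [CN = nri-tz-arclog] has expired:
Wed Oct 17 07:55:36 2018
Thu Apr 25 15:07:37 2019, 891, 1173063424, 15060, Error, Peer verification error for nri-tz-arclog(192.168.1.2
35) accessing registry.modQuery unable to get local issuer certificate
Thu Apr 25 15:07:37 2019, 900, 1173063424, 15060, Error, No service registration record for nri-tz-arclog:gUSrRXEV2/rryCngNJdOdLC8pQ0=<192.168.1.235>
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
# A record starts with a timestamp, then ms, thread id, pid, level, message.
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}), "
    r"(?P<ms>\d+), (?P<tid>\d+), (?P<pid>\d+), (?P<level>\w+), (?P<msg>.*)$"
)
EXPIRED_RE = re.compile(
    r"Peer certificate \[CN = (?P<cn>[^\]]+)\] has expired:\s*(?P<when>.+)$"
)


def parse_records(text):
    """Split unifid.log text into records, gluing wrapped continuation lines
    back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            records.append(rec)
        elif records:
            # Not a new record: e.g. the expiry date the log writes on its
            # own line, or the tail of a wrapped IP address.
            records[-1]["msg"] += line
    return records


def expired_certificates(records):
    """Map CN -> (expiry datetime, days already expired when logged)."""
    found = {}
    for rec in records:
        m = EXPIRED_RE.search(rec["msg"])
        if m:
            expired_on = datetime.strptime(m.group("when").strip(), TS_FMT)
            found[m.group("cn")] = (expired_on, (rec["ts"] - expired_on).days)
    return found
```

Run over the real file with `expired_certificates(parse_records(open("/opt/netiq/pam/logs/unifid.log").read()))`; a non-empty result means the peer's certificate (here the one for nri-tz-arclog) must be renewed before the "unable to get local issuer certificate" line is worth chasing further.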
  • On 25.04.19 12:36, aitcrajesh wrote:
    >
    > Hi There,
    >
    > I am using PAM3.5 and AM 4.4 where my pam is installed on a centos
    > machine.
    >
    > Now I have configured my PAM inside AM but when I'm launching my SSH
    > java file from PAM console. It is showing me the following error in
    > unifid.log.
    >
    > URL:https://pam.ciit.in/pam/?sso=1
    >
    >
    > Code:
    > --------------------
    > Thu Apr 25 15:07:36 2019, 811, 1148057344, 15060, Info, SSL_accept: error syscall 0
    > Thu Apr 25 15:07:36 2019, 811, 1173063424, 15060, Info, Error (5) accepting SSL connection from 192.168.1.237
    > Thu Apr 25 15:07:36 2019, 811, 1173063424, 15060, Info, SSL_accept: error syscall 0
    > Thu Apr 25 15:07:37 2019, 887, 1173063424, 15060, Warning, Peer certificate [CN = nri-tz-arclog] has expired:
    > Wed Oct 17 07:55:36 2018
    > Thu Apr 25 15:07:37 2019, 887, 1173063424, 15060, Warning, Peer certificate [CN = nri-tz-arclog] has expired:
    > Wed Oct 17 07:55:36 2018
    > Thu Apr 25 15:07:37 2019, 891, 1173063424, 15060, Error, Peer verification error for nri-tz-arclog(192.168.1.2
    > 35) accessing registry.modQuery unable to get local issuer certificate
    > Thu Apr 25 15:07:37 2019, 898, 1173063424, 15060, Warning, Invalid peer certificate unable to verify the first c
    > ertificate
    > Thu Apr 25 15:07:37 2019, 900, 1173063424, 15060, Error, No service registration record for nri-tz-arclog:gUSrRXEV2/rryCngNJdOdLC8pQ0=<192.168.1.235>
    > --------------------
    >
    >
    > - How do I put AM cert inside PAM
    >
    > Please help me out, guys.
    >
    >


    You'd get more info from the client.log:

    Modify /opt/netiq/pam/config/config.xml:

    <Unifi db_sync="1" service_name="npum">
        <Log level="info" file="logs/unifid.log" max_size="10"/>
        <ClientLog level="debug" file="logs/client.log" max_size="10"/>
        <Worker min="5" smax="20" hmax="60" ttl="60" stacksize="1048576"
                guardsize="0"/>
        <Handler base="service/local">
            <Engine type="dso" lib="spf_dso"/>
            <Engine type="perl" lib="spf_perl"/>
        </Handler>
        <SSL b.changed="1" i.reneg_dos_protection="0"/>
    </Unifi>


    Then have a look at the client.log and it will probably give you more
    information about what is going wrong.



    Casper
  • I suspect that the "nri-tz-arclog" Agent has fallen out of registration with the PAM Manager. Please verify registration, see if Agent appears in Hosts Console, if it is found to be offline, etc. Try re-registering the Agent with the same name, etc. to Manager.

    If there is trouble in registering the Agent, then the following resource should help:
    https://support.microfocus.com/kb/doc.php?id=7017967
  • tdharris;2499016 wrote:
    I suspect that the "nri-tz-arclog" Agent has fallen out of registration with the PAM Manager. Please verify registration, see if Agent appears in Hosts Console, if it is found to be offline, etc. Try re-registering the Agent with the same name, etc. to Manager.

    If there is trouble in registering the Agent, then the following resource should help:
    https://support.microfocus.com/kb/doc.php?id=7017967


    Hi tdharris,

    We have configured SSH/telnet from credential vault. We have not installed any PAM agent on it.

    Note: We have done Access Manager SSO in this. Is that the cause? Because when I'm launching SSH/telnet from PAM/myaccess it is working, but when launching SSH/telnet from PAM/myaccess via Access Manager SSO, then it shows me an error for being unable to launch.
  • Then as cpedersen suggested, enabling the client log may help identify an issue in the connection:
    https://support.microfocus.com/kb/doc.php?id=7021106
  • On 30.04.19 23:54, tdharris wrote:
    >
    > Then as cpedersen suggested, enabling the client log may help identify
    > an issue in the connection:
    > https://support.microfocus.com/kb/doc.php?id=7021106
    >
    >


    Hi Tyler,

    Thanks for the link to the TID.


    Casper