PUM driver

I am trying to configure for PUM UserGroup (UG), which defines a user's membership for getting privileged access on the servers.

The following configuration is done in iManager:

Driver module
JAVA : com.netiq.nds.dirxml.driver.pum.PUMDriverShim

Application Authentication

ID: admin
connection information:192.168.1.xxxx


When I trace the log:

[12/15/17 19:21:11.631]:pam.log ST:PUM Driver: PUMInterface.OpenPUMConnection(): Connecting to the PUM server
[12/15/17 19:21:11.636]:pam.log ST:PUM Driver: PUMInterface.openPUMConnection() :: Failed to establish connection with PUM server
[12/15/17 19:21:11.637]:pam.log ST:SubscriptionShim.execute() returned:
[12/15/17 19:21:11.638]:pam.log ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="201408010455" instance="PUM Driver" version="4.0.2.1">Identity Manager Driver for Privileged User Manager</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="query-driver-ident" level="retry">SubShim.execute(): Not connected to PUM server.</status>
</output>
</nds>
[12/15/17 19:21:11.641]:pam.log ST:Requesting 30 second retry delay.


That is why I don't see the Roles and Resources > Configure Roles and Resources Settings > Role/Resource Catalog list for entitlement selection.

I don't know if I have to put https://192.168.1.xxxx in the connection information, or if there is some other configuration I'm missing.
  • We would probably need to see the full IDM driver config startup trace,
    without redacting IP addresses (they're private anyway so they are
    meaningless to anybody but you), in order to help.

    The PUM driver config documentation shows just an IP or DNS name, so
    presumably what you said you entered should be fine:

    https://www.netiq.com/documentation/privileged-account-manager-3/npum_driver/data/bez2t2y.html

    The connection failure happens immediately, so I would probably make sure
    that you have the right address in there, and that you are able, from the
    IDM engine where you ran this, to make the connection to the PUM machine.

    If everything seems right, perhaps watch for new connections going out
    from the IDM engine machine to see where they are trying to go and how the
    network, including the target system, responds to those. An easy way to
    do this is with tcpdump on the IDM engine box:


    sudo /usr/sbin/tcpdump -n -s 0 -i any host 192.168.1.xxx #fill in the IP


    You should see any traffic that involves the host mentioned there on the
    screen, and while you will not have a lot of details, you probably do not
    need much to at least ensure packets are flowing. If that shows data, but
    you still see a failure in trace, then we probably need to get higher
    trace level (trace level five (5) is a good start per the documentation)
    and then write the tcpdump output to a file for us to review:


    sudo /usr/sbin/tcpdump -n -s 0 -i any -v -w /tmp/pam.cap host 192.168.1.xxx



    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • Thanks AB!

    After diagnosis, we found that the driver is trying to connect with PUM on 443 but without SSL.

    Tue Dec 19 19:34:36 2017, 624, 3884312320, 2229, Info, Error (5) accepting SSL connection from 192.168.1.197
    Tue Dec 19 19:34:36 2017, 624, 3884312320, 2229, Info, SSL_accept: error syscall 0
    Tue Dec 19 19:34:36 2017, 625, 4011161344, 2229, Info, Error (5) accepting SSL connection from 192.168.1.197
    Tue Dec 19 19:34:36 2017, 625, 4011161344, 2229, Info, SSL_accept: error syscall 0
    Tue Dec 19 19:34:38 2017, 471, 4011161344, 2229, Info, Error (1) accepting SSL connection from 192.168.1.113
    Tue Dec 19 19:34:38 2017, 471, 4011161344, 2229, Warning, SSL_accept: error ssl
    Tue Dec 19 19:34:38 2017, 471, 4011161344, 2229, Info, SSL Error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher


    Can you please help me identify the following:
    - Which SSL cert to import in driver from PUM server?
    - Which connection parameter to be used to specify the imported certificate file?
    - Where to import SSL cert from PUM server?

    Thanks for your response.
  • On 12/19/2017 07:14 AM, frankabhinav wrote:
    >
    > After diagnosis, we found that driver trying to connect with PUM on 443
    > but without SSL.


    The documentation states that HTTPS is the only mechanism used, so it
    would seem that IDM is at least trying TLS/SSL, though a LAN trace to
    verify that would be nice.

    https://www.netiq.com/documentation/privileged-account-manager-3/npum_driver/data/bu7c0qs.html#bueow4x

    Also having the trace from the shim (Remote Loader (RL) usually) may help
    us see exactly what is going wrong; the shim has levels up to five (5) so
    going up that high may get us something useful.

    > Can you please help me to identify the followings
    > - Which SSL cert to import in driver from PUM server?
    > - Which connection parameter to be used to specify the imported
    > certificate file?
    > - Where to import SSL cert from PUM server?


    Maybe you have already grabbed IDM traces, or LAN/wire traces, and that is
    why you think there is a TLS/SSL trust issue. If that is the case, some
    driver configs have places where you can point to a PEM or truststore
    object specific to that particular shim, which is nice, but I do not see
    that in the documentation here. Instead you can import the Certificate
    Authority (CA) certificate for the PAM/PUM system into the 'cacerts' file
    (default JRE truststore) used by IDM. This exists at
    /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts by
    default, and as its path may imply this is owned by the IDM packages, so
    anytime you upgrade the engine or RL you will need to be sure your
    certificate is still in there.

    It is typically best to import CA certificates, but I do not know if your
    PAM/PUM system actually has a valid CA, or if it is just using a
    self-signed certificate for its HTTPS connection. If so, that self-signed
    certificate could be used too, though that means anytime you change that
    out for anything else you will break the driver's connection, so be sure
    you are ready to import the appropriate CA to the IDM side whenever you do
    that.

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
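One way to carry out the cacerts import described in the reply above, as an added example that is not part of the thread or of the NetIQ documentation: it pulls the certificate chain the PUM server presents with openssl s_client, keeps the last certificate in that chain (the issuing CA, or the server certificate itself when it is self-signed), shows its subject, issuer and expiry for inspection, and imports it into the cacerts path named in the reply. Assumed, because the thread does not state them: the host placeholder, port 443, the JRE default truststore password 'changeit', the alias name 'pum-ca', and openssl plus keytool being available on the IDM engine or Remote Loader box.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: PUM host placeholder, port 443,
# JRE default truststore password 'changeit', alias 'pum-ca', openssl and keytool on PATH.
PUM_HOST="${PUM_HOST:-192.168.1.xxx}"   # placeholder: fill in the PUM address
PUM_PORT="${PUM_PORT:-443}"
CACERTS="${CACERTS:-/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"      # JRE default; change if your store differs
ALIAS="${ALIAS:-pum-ca}"

# Keep only the last PEM block of 'openssl s_client -showcerts' output: the
# issuing CA, or the server certificate itself when it is self-signed.
last_cert_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { c = ""; inblock = 1 }
         inblock { c = c $0 "\n" }
         /-----END CERTIFICATE-----/ { inblock = 0; last = c }
         END { printf "%s", last }'
}

# Constructed sample (not a real chain) so the extraction can be exercised offline.
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
SERVERCERTBODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CACERTBODY
-----END CERTIFICATE-----'
last_cert_from_sample() { printf '%s\n' "$SAMPLE_CHAIN" | last_cert_pem; }

# Returns 0 if the alias already exists in the truststore.
alias_present() {
    keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1
}

fetch_and_import() {
    tmp=$(mktemp) || return 1
    # Empty stdin makes s_client close the session right after the handshake.
    openssl s_client -connect "$PUM_HOST:$PUM_PORT" -showcerts </dev/null 2>/dev/null \
        | last_cert_pem >"$tmp"
    if [ ! -s "$tmp" ]; then
        echo "no certificate received from $PUM_HOST:$PUM_PORT" >&2; rm -f "$tmp"; return 1
    fi
    openssl x509 -in "$tmp" -noout -subject -issuer -enddate   # inspect before trusting
    if alias_present; then
        echo "alias $ALIAS already in $CACERTS; delete it first when rotating" >&2
    else
        keytool -importcert -noprompt -trustcacerts -keystore "$CACERTS" \
            -storepass "$STOREPASS" -alias "$ALIAS" -file "$tmp"
    fi
    rm -f "$tmp"
}
# Run the real import only on request, so the helpers can be sourced and tested alone.
if [ "${1:-}" = "import" ]; then fetch_and_import; fi
```

Run it as `sh import-pum-ca.sh import` on the IDM side; since the cacerts file belongs to the IDM packages, re-run `keytool -list` with the same alias after every engine or Remote Loader upgrade to confirm the entry survived.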