dvandermaas1

Upgrade NAM 4.4.4 to NAM 4.5 fails ... configuration lost.

During the primary admin console upgrade an error is shown.

ldap_bind: Invalid credentials (49)
additional info: NDS error: failed authentication (-669)
sed: can't read /tmp/ldif_bkp/SCC9erdwq_oauth2cfg.ldif: No such file or directory
sed: can't read /tmp/ldif_bkp/SCC9erdwq_oauth2cfg.ldif: No such file or directory

There is no option to "retry" and all these temp files are deleted in the process.
Parts of the configuration are backed up during the upgrade, using ICE and restored after the upgrade.

Digging a little deeper in the /tmp/novell_access_manager/backup/upgrade_edir log files :

--------------------------------------
Schema changes for nidsOAuth2CFGXML attribute
NetIQ Import Convert Export utility for NetIQ eDirectory
version: 40102.30
Copyright (c) 2013 NetIQ Corporation and its affiliates. All Rights Reserved. U.S. Patent No. 6,915,287.
Source Handler: ICE LDAP handler for NetIQ eDirectory (version: 40102.30 )
Destination Handler: ICE LDIF handler for NetIQ eDirectory (version: 40102.30 )
the command line argument: b needs a value
You may type 'ice' to see the command line help.

Options Used:
-v -C -n -S LDAP -v -L /var/opt/novell/eDirectory/data/SSCert.der -s 192.168.1.30 -p 636 -d cn=admin,o=novell -b -a nidsOAuth2CFGXML -c base -D LDIF -v -f /tmp/ldif_bkp/SCC9erdwq_oauth2cfg.ldif
modifying entry "cn=OATjm2y7a,cn=OACrnngve,cn=SCC9erdwq,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell "
---------------------------------------

Looking at the ac_upgrade script, it turns out there's an error in there.
Turns out that this was already described here (https://forums.novell.com/showthread.php/511944-Ugh!-Ugh!-Ugh!-4-5-upgrade-script-failure)


However, a little bit after this point:

---------------------------------------
INFO: New ldap connection created
AG Policy TypeSpec upgraded!!
Updating the Oauth tenant XML in 4.5
Modifying nidsOAuthTenantXML:OpenIdMetadata:response_types and response_modes
Found the oauth container
Found the tenant container
Modifying the tenant xml to update openIDmetadata
Updating OAuth2Config XML in 4.5
Modifying oauth2cfgXML:Scope:name=urn:netiq.com:nam:scope:oauth:registration:read
Found the oauth container
Found the tenant container
Inside updateOAuth2CFGXML
java.lang.NullPointerException
at com.volera.vcdn.application.sc.core.InstallManager.modifyOauthScopeDesc(InstallManager.java:4898)
at DatastoreManager.upgrade(DatastoreManager.java:1665)
at DatastoreManager.main(DatastoreManager.java:1804)
---------------------------------------


The result :
All the OAuth Resource Servers definitions are gone, including the default ones.
And all the Client applications are gone.

So my initial guess was, let's recreate them.
Recreating the Resource Servers went fine, no issues there.
However, recreating the client applications results in an "Unexpected error".
Looking at the logs:

---------------------------------------
May 03, 2019 5:14:27 PM com.novell.nam.nidp.oauth.config.rest.RegisterClient register
INFO: registering client as admin
May 03, 2019 5:14:27 PM com.novell.nam.nidp.oauth.config.OAuth2ConfigManager configure
INFO: loading tenant :nam
May 03, 2019 5:14:28 PM com.novell.nam.nidp.oauth.config.OAuth2ConfigManager loadAssertionIssuersConfig
WARNING: Assertion Issuers configuration not available or could not load Assertion Issuers configuration.
May 03, 2019 5:14:28 PM com.novell.nam.nidp.oauth.config.rest.RegisterClient register
SEVERE: The client registration failed
May 03, 2019 5:14:28 PM org.glassfish.jersey.filter.LoggingFilter log
INFO: 12 * Server responded with a response on thread https-jsse-nio-192.168.1.30-8443-exec-7
12 < 401
12 < Content-Type: application/json
---------------------------------------

So I tried to add an Assertion Issuer; I specified all the parameters, however the "Ok" button doesn't do anything, and there's no entry in any of the log files ...

The strangest thing is, when I use iManager or an LDAP client I can still find all the registered clients although they don't show up.

Container cn=OAC3g1wrf,cn=OACCditn0y,cn=OATjm2y7a,cn=OACrnngve,cn=SCC9erdwq,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell
contains my six oauth clients (looked at attribute nidsOAuthClientXML).

So now I'm not sure whether this is an update/eDirectory issue or an iManager issue, whether this was caused by the upgrade error or if anything else is wrong.

Of course none of the oauth clients works anymore ....


Does anybody have any idea ............

The Network lives on patches, re-configurations and caffeine. One Net, One Engineer, One Coffee Brand.
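The ICE step in the log above fails because the bind-password option `-b` is passed with no value, and the script then runs sed on a backup LDIF that was never written. As an added example (not part of the original post or of the NAM upgrade scripts), two POSIX sh checks that would catch both conditions before anything is deleted; the option list is taken from the log above, while the LDIF path and the password are placeholders.

```shell
#!/bin/sh
# Added example, not the NAM ac_upgrade/ag_update code. Pre-flight checks for
# an ICE export step such as "ice ... -b -a nidsOAuth2CFGXML ... -f out.ldif".

# ICE options that require a value (taken from the options line in the log;
# assumed to be the complete set for that invocation).
VALUE_OPTS="-S -L -s -p -d -b -a -c -D -f"

# check_args: every value-taking option must be followed by a value, not by
# another option or by the end of the line (the "-b -a" case in the thread).
# Returns 1 on the first gap so the caller can abort before ICE even binds.
check_args() {
    prev=""
    for tok in "$@" ""; do          # trailing "" catches an option at the end
        case " $VALUE_OPTS " in
            *" $prev "*)
                case "$tok" in
                    -*|"") echo "option $prev needs a value" >&2; return 1 ;;
                esac ;;
        esac
        prev="$tok"
    done
    return 0
}

# check_backup: refuse to continue when the export did not produce a non-empty
# LDIF with at least one entry, instead of running sed/restore against nothing.
check_backup() {
    ldif="$1"
    [ -s "$ldif" ] || { echo "backup $ldif missing or empty, abort" >&2; return 1; }
    grep -q '^dn:' "$ldif" || { echo "backup $ldif has no entries, abort" >&2; return 1; }
    return 0
}

# Usage sketch (placeholders: ICE_PW, /tmp/ldif_bkp/oauth2cfg.ldif):
#   check_args -v -C -n -S LDAP -L /var/opt/novell/eDirectory/data/SSCert.der \
#       -s 192.168.1.30 -p 636 -d cn=admin,o=novell -b "$ICE_PW" \
#       -a nidsOAuth2CFGXML -c base -D LDIF -f /tmp/ldif_bkp/oauth2cfg.ldif || exit 1
#   ice <same arguments> && check_backup /tmp/ldif_bkp/oauth2cfg.ldif || exit 1
```

Running the checks in this order means a missing password stops the upgrade before the backup step rather than after the temp directory has been cleaned up.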
4 Replies
Knowledge Partner

Re: Upgrade NAM 4.4.4 to NAM 4.5 fails ... configuration lost.

On 04-05-2019 5:14 AM, dvandermaas wrote:

> Of course none of the oauth clients works anymore ....
>
> Does anybody have any idea ............


Open an SR I'd say and get Support to fix this, though something tells me you'll be restoring a backup.


--
Cheers,
Edward
dvandermaas1

Re: Upgrade NAM 4.4.4 to NAM 4.5 fails ... configuration lost.

Yes, an SR is on its way and yes, I've restored a backup ;-(

Grtz
David

dvandermaas1

Re: Upgrade NAM 4.4.4 to NAM 4.5 fails ... configuration lost.

The customer center downloads contain a new build (191).
This should get rid of the bug in the ag_update.sh. Going to install now ...

SLong

Re: Upgrade NAM 4.4.4 to NAM 4.5 fails ... configuration lost.

I lucked out and got 191, just by a day.  Just out of curiosity, when the oAuth config was lost, did oAuth quit working, or was it just not being displayed/accessible from the admin console?  If it quit working, did it quit when you upgraded the admin console, or when you upgraded the IDP?

I usually like to wait a while before patching, for reasons such as this.
