Commodore

WebAccess Login Failure

Hi all.

I just finished recreating my certificate authority as its certificate had expired. I then used PKIDiag and tckeygen to renew the DNS and IP certs for webaccess and re-export the key for Tomcat. This went smoothly without any errors.

However, when I try to log in to web access, I get the following error: "Please login again. You may have typed your name or password incorrectly. Remember that passwords are case sensitive.", even though they are the correct name and password. It also does not matter which user logs in.

Webaccess logs only show "Login failure" for the user.

Where do I begin to troubleshoot this? Does webaccess have better logs somewhere? Even on verbose the logs still only seem to show Login Failure.

Thanks for any information anyone has.
Scott



Scott Schaffer
Network Admin
Olive Waller Zinkhan & Waller LLP
Commodore

Here is the dstrace from the login. I don't know how to read it but am searching for the errors in it. Any ideas about what it means or next troubleshooting steps?

--------------------------

New TLS connection 0x9e2b5000 from 192.168.100.150:17260, monitor = 0x31d, index = 3
Monitor 0x31d initiating TLS handshake on connection 0x9e2b5000
DoTLSHandshake on connection 0x9e2b5000
TLS accept failure 5 on connection 0x9e2b5000, setting err = -5875. Error stack:
TLS handshake failed on connection 0x9e2b5000, err = -5875
Server closing connection 0x9e2b5000, socket error = -5875
Connection 0x9e2b5000 closed
New TLS connection 0x9e2b5000 from 192.168.100.150:17261, monitor = 0x31d, index = 3
Monitor 0x31d initiating TLS handshake on connection 0x9e2b5000
DoTLSHandshake on connection 0x9e2b5000
TLS accept failure 1 on connection 0x9e2b5000, setting err = -5875. Error stack:
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
TLS handshake failed on connection 0x9e2b5000, err = -5875
BIO ctrl called with unknown cmd 7
Server closing connection 0x9e2b5000, socket error = -5875
Connection 0x9e2b5000 closed
Work info status: Total:3 Peak:3 Busy:0
Thread pool status: Total:7 Peak:7 Busy:3

---------------------
Thanks
Scott



Scott Schaffer
Network Admin
Olive Waller Zinkhan & Waller LLP

>>> On April-01-13 at 10:46 AM, in message <laurabuckley.5t4nmn@no-mx.forums.novell.com>, laurabuckley<laurabuckley@no-mx.forums.novell.com> wrote:


A dstrace would probably be a very sensible thing to do - filter on LDAP
traffic and see if you can see anything.

Cheers,


--
Laura Buckley
Technical Consultant
IT Dynamics, South Africa
http://www.itdynamics.co.za
------------------------------------------------------------------------
laurabuckley's Profile: http://forums.novell.com/member.php?userid=122
View this thread: http://forums.novell.com/showthread.php?t=465411
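
Added example (not part of the original thread, and not Novell code): a small Python reader for the dstrace output posted above that pulls out each failed handshake and decodes the OpenSSL error line. It assumes the number after "TLS accept failure" is OpenSSL's SSL_get_error() result and that the packed error code uses the OpenSSL 1.0.x layout; the function and table names are made up for this example.

```python
import re

# Subset of the trace lines posted above (two handshake attempts).
SAMPLE = """\
New TLS connection 0x9e2b5000 from 192.168.100.150:17260, monitor = 0x31d, index = 3
TLS accept failure 5 on connection 0x9e2b5000, setting err = -5875. Error stack:
TLS handshake failed on connection 0x9e2b5000, err = -5875
New TLS connection 0x9e2b5000 from 192.168.100.150:17261, monitor = 0x31d, index = 3
TLS accept failure 1 on connection 0x9e2b5000, setting err = -5875. Error stack:
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
TLS handshake failed on connection 0x9e2b5000, err = -5875
"""

# TLS alert descriptions (RFC 5246) that concern certificates.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
# Assumption: the number after "TLS accept failure" is the SSL_get_error() result.
SSL_GET_ERROR = {1: "SSL_ERROR_SSL", 5: "SSL_ERROR_SYSCALL"}

NEW = re.compile(r"New TLS connection (0x[0-9a-f]+) from ([\d.]+):(\d+)")
FAIL = re.compile(r"TLS accept failure (\d+) on connection (0x[0-9a-f]+), setting err = (-?\d+)")
ERR = re.compile(r"error:([0-9A-Fa-f]{8}):")

def unpack(code_hex):
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return code >> 24, (code >> 12) & 0xFFF, code & 0xFFF

def parse(trace):
    """Return one dict per failed handshake, in order of appearance."""
    failures, peer, current = [], {}, None
    for line in trace.splitlines():
        if m := NEW.search(line):
            # The connection handle is reused, so remember the latest peer for it.
            peer[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
            current = None
        elif m := FAIL.search(line):
            current = {"client": peer.get(m.group(2)), "err": int(m.group(3)),
                       "ssl_error": SSL_GET_ERROR.get(int(m.group(1)), m.group(1)),
                       "alert_from_client": None}
            failures.append(current)
        elif (m := ERR.search(line)) and current is not None:
            reason = unpack(m.group(1))[2]
            if reason > 1000:  # reason 1000+N means TLS alert N was received from the peer
                n = reason - 1000
                current["alert_from_client"] = CERT_ALERTS.get(n, f"alert {n}")
    return failures
```

For the second attempt this reports `bad_certificate` as an alert received from 192.168.100.150, meaning the connecting client refused the certificate the LDAP server presented, so the certificate file that client trusts is the thing to check.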
Knowledge Partner

In article <51598A1A.DFFF.0048.3@owzw.com>, Scott Schaffer wrote:
> TLS accept failure 5 on connection 0x9e2b5000, setting err = -5875.


Did you make sure your LDAP was refreshed with the new cert? Make sure
your LDAP server and group objects point to them in ConsoleOne.
Perhaps unload and reload nldap will also be needed.

TLS is the newer specific form of SSL, but for most of us they are the same
thing.


Andy Konecny
Knowledge Partner (voluntary SysOp)
KonecnyConsulting.ca in Toronto
----------------------------------------------------------------------
Andy's Profile: http://forums.novell.com/member.php?userid=75037


Commodore

Thanks everyone for your help on this issue. I have opened an SR with Novell and they are working on it at the moment. We have traced the issue to some sort of certificate problem. Everything works fine when we turn off Secure LDap and just use port 389.

We recreated the CA and renewed all of the default certificates, then refreshed where NLDap was pointing to and reloaded it as you suggested, Andy, but that did not resolve it.

Next step is to restart the poa with Secure LDap enabled, which I cannot do until the users have gone home for the night. I will update when I know more.

Scott



Scott Schaffer
Network Admin
Olive Waller Zinkhan & Waller LLP

>>> On April-01-13 at 8:35 PM, in message <VA.0000050e.030a968a@no-mx.forums.novell.com>, Andy Konecny<konecnya@no-mx.forums.novell.com> wrote:

In article <51598A1A.DFFF.0048.3@owzw.com>, Scott Schaffer wrote:

> TLS accept failure 5 on connection 0x9e2b5000, setting err = -5875.


Did you make sure your LDAP was refreshed with the new cert? Make sure
your LDAP server and group objects point to them in ConsoleOne.
Perhaps unload and reload nldap will also be needed.

TLS is the newer specific form of SSL, but for most of us they are the same
thing.


Andy Konecny
Knowledge Partner (voluntary SysOp)
KonecnyConsulting.ca in Toronto
----------------------------------------------------------------------
Andy's Profile: http://forums.novell.com/member.php?userid=75037

Hi Scott,

Thanks for the update - please let us know when/how this is sorted out.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.
Commodore

We have a working secure Webaccess again.

The trick seems to be to restart the POA after re-creating the CA and reminting all of the default certificates. Once I set Ldap to use the secure port and Synchronized it, then restarted the POA, everything worked great and I could see the secure ldap connection happening in the POA logs.

Also exporting the public key of one of the certificates and making sure that your Ldap is pointing to the correct location of this exported certificate is important.

During the course of this issue, I had read documentation that said to use the Public key from the CA, other documentation that said use the Public key from the SSL DNS and again another document that said to use the SSL IP cert. The Novell tech in my case used the DNS AG certificate public key. Does it make a difference which one you use?

Anyway, thanks again for all the suggestions and help.

Scott



Scott Schaffer
Network Admin
Olive Waller Zinkhan & Waller LLP

>>> On April-02-13 at 11:36 PM, in message <laurabuckley.5t7hxz@no-mx.forums.novell.com>, laurabuckley<laurabuckley@no-mx.forums.novell.com> wrote:


Hi Scott,

Thanks for the update - please let us know when/how this is sorted
out.

Cheers,


--
Laura Buckley
Technical Consultant
IT Dynamics, South Africa
http://www.itdynamics.co.za
------------------------------------------------------------------------
laurabuckley's Profile: http://forums.novell.com/member.php?userid=122
View this thread: http://forums.novell.com/showthread.php?t=465411
Micro Focus Expert

Hi Scott,

Thank you very much for posting back and detailing the solution - much appreciated.

Cheers,
Laura Buckley

Views/comments expressed here are entirely my own.