
Configuration eDir to eDir certificate doesn't work


Hello,

I am trying to add a certificate between eDirectory drivers.

first driver :
server SLES 11 (x86_64) patch level 2
IDM 4.0.2
eDirectory 8.8 SP7
driver version package used 1.0.0

second driver :
server SLES 10 (x86_64) patch level 3
IDM 4.0.1
eDirectory 8.8 SP6
driver version package used 1.0.0

Drivers are configured with ipaddress:8196

I want to add a certificate between these two drivers with iManager, but
I get an error and I can't find out why.

The error is not the same depending on whether I generate the certificate
on the first server or on the second server.

1) I'm connected to iManager on the second server.
On eDir-to-eDir driver certificate

When I begin to fill in the second driver's information I get this
error:
Error: Driver Wizard - Error
The following 'Exception' was thrown but not handled.

''Error: -670''.

Error -670 corresponds to: FFFFFD62 INVALID CONTEXT

But the context is correct; it is filled in by default with the context
of the connected user.
I tried replacing the tree name with the IP address, but nothing changed;
I get the same error.

2) I'm connected to iManager on the first server:
On eDir-to-eDir driver certificate

I fill in the first driver's information and validate,
then I fill in the second driver's information and validate.
The summary of the certificate information is displayed (RSA Key Size,
Signature Algorithm, Certificate Name for each driver).

When I click on Finish I get this error:

Error: Driver Wizard - Error
The following 'Exception' was thrown but not handled.

''Unable to create the certificates. The following error occurred:
-626''.

Error -626 corresponds to: FFFFFD8E ALL REFERRALS FAILED

Can someone please help me understand why I get this error and how I
can resolve it?

Thanks in advance !


--
elo_mbd
------------------------------------------------------------------------
elo_mbd's Profile: https://forums.netiq.com/member.php?userid=2988
View this thread: https://forums.netiq.com/showthread.php?t=47645


Re: Configuration eDir to eDir certificate doesn't work

On Mon, 29 Apr 2013 12:44:02 +0000, elo mbd wrote:

> I want to add a certificate between these two drivers with iManager, but
> I get an error and I can't find out why.


I have only rarely used iManager for this. It should work, though.


> Can someone please help me understand why I get this error and how I
> can resolve it?


In both trees, is the Certificate Authority (CA) present and healthy? Can
you create other certificate (NDS PKI Key Material Object) objects?

What the iManager wizard does is create a KMO in one tree, and a CSR for
the other one. Then it goes to the other tree to sign the CSR. But the
errors you're getting (-670 Invalid Context and -626 All Referrals
Failed) make it sound like iManager can't find something it needs and
expects to be there.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.


Re: Configuration eDir to eDir certificate doesn't work


Thanks for your answer.
I'm not sure I understand what you are saying, but I tried to create a
certificate:
In iManager I tried to create a server certificate but I can't. It
finishes with this error:

Error: Plugin Error
Novell Certificate Server plugin encountered an error. Click the Details
button for more information.

java.lang.NullPointerException
    at com.novell.admin.PKI.certificate.eDir.eDirCertificateManager.D(Unknown Source)
    at com.novell.admin.PKI.certificate.eDir.eDirCertificateManager.cmmCertificate_Create(Unknown Source)
    at com.novell.admin.PKI.wizard.CertWizard_Create_ServerCertificate.doFinishButton(Unknown Source)
    at com.novell.admin.PKI.util.UIWizard$3.isHandled(Unknown Source)
    at com.novell.admin.PKI.util.actions.Navigate.isProcessed(Unknown Source)
    at com.novell.admin.PKI.util.UIObject.handleAction(Unknown Source)
    at com.novell.admin.PKI.util.UIContext.execute(Unknown Source)
    at com.novell.admin.PKI.tasks.LaunchServerWizard.execute(Unknown Source)
    at com.novell.emframe.dev.Task.execute(Task.java:505)
    at com.novell.nps.gadgetManager.BaseGadgetInstance.processRequest(BaseGadgetInstance.java:858)
    at com.novell.nps.gadgetManager.BaseGadgetInstance.handleAction(BaseGadgetInstance.java:2384)
    at com.novell.nps.gadgetManager.GadgetManager.processInstanceRequest(GadgetManager.java:1606)
    at com.novell.nps.gadgetManager.GadgetManager.processServiceRequest(GadgetManager.java:1062)
    at com.novell.nps.PortalServlet.handleFrameService(PortalServlet.java:505)
    at com.novell.nps.PortalServlet.processRequest(PortalServlet.java:373)
    at com.novell.nps.PortalServlet.doPost(PortalServlet.java:279)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
    at com.novell.emframe.fw.servlet.AuthenticatorServlet.service(AuthenticatorServlet.java:332)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:530)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
    at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
    at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
    at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:775)
    at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:704)
    at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
    at java.lang.Thread.run(Thread.java:811)

I found that it is because of missing libraries
(http://www.novell.com/support/kb/doc.php?id=7004701)
In my case it's SLES 10 64-bit => compat-32bit
(compat-32bit-2006.1.25-11.2), but it's already installed.
Is there something else?

You say you don't use iManager to create the certificate and assign it
to the eDir driver. How do you do this?


--
elo_mbd

Re: Configuration eDir to eDir certificate doesn't work


I've seen this error before and I had to delete the existing
certificates that it generates so they would be recreated. Be careful
that you only delete the certificates for eDir-to-eDir drivers (they are
certs named <drivername> and X<drivername>). Delete these objects so
Designer can recreate them. The previous response to check the health
of the CAs is probably a good first step as well.


--
robertivey
------------------------------------------------------------------------
robertivey's Profile: https://forums.netiq.com/member.php?userid=1091

Re: Configuration eDir to eDir certificate doesn't work


Configuration :

Meta server :
server SLES 11 (x86_64) patch level 2
IDM 4.0.2
eDirectory 8.8 SP7
driver version package used 1.0.0

eDirectory server :
server SLES 10 (x86_64) patch level 3
IDM 4.0.1
eDirectory 8.8 SP6
driver version package used 1.0.0
(error on edirectory server)

Indeed, there were eDir-to-eDir driver certificates on the Meta server. I
deleted them.
I checked the health of the CA and it's not correct.

All certificates are in the right place in the directory (the same place
as the server),
but in iManager, "Roles and tasks", "Novell Certificate Access", "Server
certificates": the list is empty.

How can I solve this issue ?


--
elo_mbd

Re: Configuration eDir to eDir certificate doesn't work

On Tue, 30 Apr 2013 14:24:02 +0000, elo mbd wrote:

> I checked the health of the CA and it's not correct.


You must fix that first, before trying to do anything else.

What do you mean by "checked"? What do you mean by "it's not correct"?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com


Re: Configuration eDir to eDir certificate doesn't work

On Tue, 30 Apr 2013 12:24:23 +0000, robertivey wrote:

> I've seen this error before and I had to delete the existing
> certificates that it generates so they would be recreated.


I've seen Designer get confused by existing certificates. I don't use
iManager often enough to know if it trips over them the same way.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com


Re: Configuration eDir to eDir certificate doesn't work

On Tue, 30 Apr 2013 08:04:02 +0000, elo mbd wrote:

> Thanks for your answer.
> I'm not sure I understand what you are saying, but I tried to create a
> certificate:
> In iManager I tried to create a server certificate but I can't. It
> finishes with this error:
>
> Error: Plugin Error
> Novell Certificate Server plugin encountered an error. Click the Details
> button for more information.


Is this from iManager server or are you using iManager workstation? I
suspect you have a problem with the Certificate Authority (CA) for this
tree. If you look at the CA object in your Security container, is it
expired?

If you're using iManager (server), try iManager workstation. If you've
already tried iManager workstation, it may be worth a shot to try
ConsoleOne. If none of these can create a certificate, you may have to
remove and reinstall the CA.


> I found that it is because of missing libraries
> (http://www.novell.com/support/kb/doc.php?id=7004701) In my case it's
> SLES 10 64-bit => compat-32bit (compat-32bit-2006.1.25-11.2), but it's
> already installed. Is there something else?


After reading this TID, I'm not convinced that it applies. The error
message listed in the TID is different from the error message you are
getting. Did you follow the debugging steps listed?


> You say you don't use iManager to create the certificate and assign it
> to the eDir driver. How do you do this?


IDM Designer can create the certificate objects needed, along with almost
everything else you'll ever need to do in IDM.



--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com


Re: Configuration eDir to eDir certificate doesn't work


>> Thanks for your answer.
>> I'm not sure I understand what you are saying, but I tried to create a
>> certificate:
>> In iManager I tried to create a server certificate but I can't. It
>> finishes with this error:
>>
>> Error: Plugin Error
>> Novell Certificate Server plugin encountered an error. Click the
>> Details button for more information.
>
> Is this from iManager server or are you using iManager workstation? I
> suspect you have a problem with the Certificate Authority (CA) for this
> tree. If you look at the CA object in your Security container, is it
> expired?

I'm using iManager server. I found the CA object; it's not expired, but I
found something very interesting. The host server of this CA in the
Security container is not the same server. How is that possible?

> If you're using iManager (server), try iManager workstation. If you've
> already tried iManager workstation, it may be worth a shot to try
> ConsoleOne. If none of these can create a certificate, you may have to
> remove and reinstall the CA.

How can I have a CA object corresponding to the good server? Is it
required to remove the wrong CA first?

>> I found that it is because of missing libraries
>> (http://www.novell.com/support/kb/doc.php?id=7004701) In my case it's
>> SLES 10 64-bit => compat-32bit (compat-32bit-2006.1.25-11.2), but
>> it's already installed. Is there something else?
>
> After reading this TID, I'm not convinced that it applies. The error
> message listed in the TID is different from the error message you are
> getting. Did you follow the debugging steps listed?

OK, yes, I checked the libraries and they are already installed, so the
problem doesn't come from that.

>> You say you don't use iManager to create the certificate and assign it
>> to the eDir driver. How do you do this?
>
> IDM Designer can create the certificate objects needed, along with
> almost everything else you'll ever need to do in IDM.

I found out how to create the certificate with Designer, but I get the
same error as with iManager.

It seems the problem comes from the CA object, because the host server
is not the good server. How can I solve this?


--
elo_mbd

Re: Configuration eDir to eDir certificate doesn't work

On Tue, 30 Apr 2013 15:44:02 +0000, elo mbd wrote:

> I'm using iManager server. I found the CA object; it's not expired, but I
> found something very interesting. The host server of this CA in the
> Security container is not the same server. How is that possible?


Only one server per eDirectory tree will act as the CA, so what you see
here may be correct.


> I found out how to create the certificate with Designer, but I get the
> same error as with iManager.


Right. Your problem is elsewhere.


> It seems the problem comes from the CA object, because the host server
> is not the good server. How can I solve this?


I do not understand what you mean by "good" server here vs. "host" server.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com


Re: Configuration eDir to eDir certificate doesn't work


In the tree I have many servers listed (serv1, serv2, serv3).
The IP address of the tree corresponds to serv1. My drivers are
deployed to serv1.
But when I look at the "host server" attribute of the CA object, the
server is serv2.

To explain the context, I work in a development environment. The client
created this environment from the production environment. In production
there are replicas, but in development he put one server, serv1.
Maybe this configuration works in the production environment because
serv2 exists, but because serv2 isn't in the development environment the
configuration of the CA object is not good. I'm not sure, but I think
that is why I can't create a certificate: the CA object of the tree is
associated with an unknown server.
How can I associate the CA object with the good server, serv1? Is it
possible?


--
elo_mbd
Knowledge Partner

Re: Configuration eDir to eDir certificate doesn't work

On 4/30/2013 1:04 PM, elo mbd wrote:
>
> In the tree I have many servers listed (serv1, serv2, serv3).
> The IP address of the tree corresponds to serv1. My drivers are
> deployed to serv1.
> But when I look at the "host server" attribute of the CA object, the
> server is serv2.
>
> To explain the context, I work in a development environment. The client
> created this environment from the production environment. In production
> there are replicas, but in development he put one server, serv1.
> Maybe this configuration works in the production environment because
> serv2 exists, but because serv2 isn't in the development environment the
> configuration of the CA object is not good. I'm not sure, but I think
> that is why I can't create a certificate: the CA object of the tree is
> associated with an unknown server.
> How can I associate the CA object with the good server, serv1? Is it
> possible?


CA needs to be associated and running on a single server. It does NOT
have to be the same one running IDM drivers. (It does have to be in the
same tree of course).
