eugene20022002

DirXML Loader Error : SSL3_GET_SERVER_CERTIFICATE:certificat


Hi

We are using Novell Identity Manager to sync our passwords between our
different directories, namely Novell eDirectory and MS Active
Directory.

We noticed that passwords stopped being synced, and on the Windows Domain
Controller we get the following error:
Driver:
Thread: Subscriber Channel
Object:
Message: SSL protocol failure: error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


Research leads me to believe that it's related to the SSL certificate and
that it may have expired.
Unfortunately, I know very little about Novell and I'm not sure how to
replace the certificate.

I have also read the article here http://tinyurl.com/psx468a which seems
to be the fix for the issue, but as mentioned I just don't know how to
implement it.

Your assistance is highly appreciated.


Thank you.


--
eugene20022002
------------------------------------------------------------------------
eugene20022002's Profile: https://forums.netiq.com/member.php?userid=10237
View this thread: https://forums.netiq.com/showthread.php?t=54038

Knowledge Partner

Re: DirXML Loader Error : SSL3_GET_SERVER_CERTIFICATE:certificat

For most drivers like Microsoft Active Directory (MAD) you can just go and
create a new certificate in iManager, then change the driver config's
Remote Loader line to refer to this new Key Material Object (KMO) by its
short name, which is the name you give the KMO/certificate when creating
it in iManager. For example, if you created 'mad-driver' as the name of
the certificate/KMO, you would modify the Remote Loader configuration line
within the MAD driver object to have kmo='mad-driver' even though the
full object name within the directory would be 'mad-driver - servernamehere'.

On the eDirectory driver side, usually you'll want to use Designer to
recreate the certificates, as it has a nice wizard that works well for
this. Clear out the 'Authentication ID' fields on both sides' drivers,
then let the wizard create new KMOs and deploy everything for you.

For now, start with the MAD driver, as that's probably the one to use to
verify things. It may be worthwhile within iManager to view the
certificate and be sure expiration is the problem. It could also be
tightened SSL requirements (see the news in the past couple of years for
reasons why), or time issues (a box's time is way off, invalidating
certificates prematurely), etc.

By default, KMOs are minted for two years, so if it has been two years
since the drivers were put in, or the certificate at least was created,
that would make sense supporting certificate expiration, but you can
clearly see the validity dates looking on the KMO directly (iManager, LDAP
with anything mildly current, openssl if able to connect to a service
using the certificate, etc.).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
eugene20022002

Re: DirXML Loader Error : SSL3_GET_SERVER_CERTIFICATE:certificat


Thank you for your quick response.

Will download Designer and take it from there.


--
eugene20022002

eugene20022002

Re: DirXML Loader Error : SSL3_GET_SERVER_CERTIFICATE:certificat


OK, I finally managed to install Designer and attach the vault, but I'm
unable to see the TLS settings.

I tried Model > eDir-to-eDir, BUT the Secure Connection settings are greyed
out.
Also tried Vault > driverset > eDirectory properties > Driver
Configurations > Authentication tab, BUT the TLS button is missing.
Completely lost now.
Thanks


--
eugene20022002

Knowledge Partner

Re: DirXML Loader Error : SSL3_GET_SERVER_CERTIFICATE:certificat


You don't need Designer for the IDM to AD connection, only iManager.
Follow this part of the documentation http://tinyurl.com/qew3pjq
You don't have to do the last part about keystore since you are using
the normal Remote Loader, just copy the new certificate to the Remote
Loader server and in the Remote Loader Console stop the service and edit
it. There you have a browse button to the certificate.
You also need to change the KMO text part on the driver properties to
use the new certificate name, this can be done in Designer or iManager.


--
joakim_ganse

Knowledge Partner

Re: DirXML Loader Error : SSL3_GET_SERVER_CERTIFICATE:certificat

On 08/13/2015 06:14 AM, joakim ganse wrote:
>
> You don't need Designer for the IDM to AD connection, only iManager.
> Follow this part of the documentation http://tinyurl.com/qew3pjq
> You don't have to do the last part about keystore since you are using
> the normal Remote Loader, just copy the new certificate to the Remote


Just to be clear, the part copied from the engine (exported via iManager)
to the Remote Loader (RL) system is not the new certificate, but the CA's
self-signed certificate. As a result, unless the CA itself is also
recreated (only expires every ten years, by default) there is nothing to
do here. All that is needed is to create a new KMO (or maybe better yet,
delete and recreate the current KMO) and restart the driver object.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
eugene20022002

Re: DirXML Loader Error : SSL3_GET_SERVER_CERTIFICATE:certificat


ab;259789 Wrote:
> On 08/13/2015 06:14 AM, joakim ganse wrote:
> >
> > You don't need Designer for the IDM to AD connection, only iManager.
> > Follow this part of the documentation http://tinyurl.com/qew3pjq
> > You don't have to do the last part about keystore since you are using
> > the normal Remote Loader, just copy the new certificate to the Remote
>
> Just to be clear, the part copied from the engine (exported via iManager)
> to the Remote Loader (RL) system is not the new certificate, but the CA's
> self-signed certificate. As a result, unless the CA itself is also
> recreated (only expires every ten years, by default) there is nothing to
> do here. All that is needed is to create a new KMO (or maybe better yet,
> delete and recreate the current KMO) and restart the driver object.
>
> --
> Good luck.


Thanks for your assistance. I re-exported the CA cert and let the Remote
Loader use that. I'm not getting any errors and everything looks fine, but
things are still not syncing from AD to eDirectory.
Where can I even look for errors or logs to try and trace where the
issue could be and where it's failing?


--
eugene20022002

eugene20022002

Re: DirXML Loader Error : SSL3_GET_SERVER_CERTIFICATE:certificat


eugene20022002;259799 Wrote:
> Thanks for your assistance. I re-exported the CA cert and let the Remote
> Loader use that. I'm not getting any errors and everything looks fine, but
> things are still not syncing from AD to eDirectory.
> Where can I even look for errors or logs to try and trace where the
> issue could be and where it's failing?


When I tested initially I found the duplicate password error in our
Splunk.

Thank you again for all your assistance guys.


--
eugene20022002

eugene20022002

Re: DirXML Loader Error : SSL3_GET_SERVER_CERTIFICATE:certificat


I'm making progress.
Halfway there. It can now sync from AD to eDirectory but not vice versa.

What I have done now is export the certificate cert.b64, rename it to
cert.pem and restart the Remote Loader, and now I get the original error.

Any suggestions?


--
eugene20022002