
eDir-eDir Certificate / Handshake / CRL Error


All,

A portion of our IDM system contains an eDir-eDir configuration. This
is the first time using Designer and Designer has been used to deploy
one side of this system. The drivers start, but I'm getting two errors
(one from each driver). On one side, I get an "alert certificate
expired" error. I have no idea what to do with that. On the other
side, I get a "CRL has expired" message. Again, I don't know what to do
with that, either. I found this article
(http://www.novell.com/support/kb/doc.php?id=7001066) and went through
the steps listed here, but no luck.

The driver flow is from Vault to Prod. We don't allow transactions to
flow the other direction.

Below are links to two DSTraces capturing the startup of each driver and
one transaction trying to go through.

http://pastebin.com/P4dpnL1j - Vault Startup
http://pastebin.com/DZJ3M4Qx - Prod Startup

We've deleted and recreated certificates, deleted and removed passwords,
restarted drivers and some other irrational attempts to figure this out.
I'm out of ideas.

Any help would be appreciated.

Thanks,

Greg


--
gregwilkerson
------------------------------------------------------------------------
gregwilkerson's Profile: https://forums.netiq.com/member.php?userid=590
View this thread: https://forums.netiq.com/showthread.php?t=46452


Re: eDir-eDir Certificate / Handshake / CRL Error

What is the expiration date for all of the certificates in these trees?
Are any expired currently? How about for the CAs themselves?

Good luck.
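The questions above (which certificates in each tree are expired, and whether the CAs themselves are) plus the "CRL has expired" message in the original post can be answered from the validity dates alone. The following script is an added example, not code from the thread, from NetIQ, or from the Novell KB article linked above: it parses the `key=value` lines that `openssl x509 -noout -subject -dates` and `openssl crl -noout -issuer -lastupdate -nextupdate` print for a certificate (driver certificate or Organizational CA) exported from the tree and for the CA's CRL, and classifies each against a reference time. The sample certificate and CRL text, the reference time (the thread's posting time) and the subject names are all constructed for the example; run it with `time.time()` and your own exported PEM files in practice.

```python
import calendar
import ssl
from typing import Dict, Tuple

# Constructed reference time for the worked example: the thread's posting
# time, 27 Dec 2012 22:54:01 UTC. A real check passes time.time() instead.
EXAMPLE_NOW = calendar.timegm((2012, 12, 27, 22, 54, 1, 0, 0, 0))

# Constructed sample output in the shape produced by
#   openssl x509 -in vault-driver.pem -noout -subject -dates
#   openssl crl  -in vault-ca.crl   -noout -issuer -lastupdate -nextupdate
# The subject/issuer names and dates are made up; only the 2021 expiry
# echoes what the thread reports for its certificates.
SAMPLE_CERT = """subject=O = VAULT, OU = Organizational CA, CN = vault-driver-cert
notBefore=Dec  1 00:00:00 2011 GMT
notAfter=Dec 31 23:59:59 2021 GMT
"""
SAMPLE_CRL = """issuer=O = VAULT, OU = Organizational CA
lastUpdate=Jun  1 00:00:00 2012 GMT
nextUpdate=Sep  1 00:00:00 2012 GMT
"""

SECONDS_PER_DAY = 86400


def parse_openssl_fields(text: str) -> Dict[str, str]:
    """Turn the 'key=value' lines of openssl x509/crl output into a dict.
    Only the first '=' splits, so DN strings containing '=' stay intact."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def classify_window(start: str, end: str, now: float) -> Tuple[str, int]:
    """Compare a validity window to 'now'.

    'start'/'end' use the 'Mon DD HH:MM:SS YYYY GMT' form that openssl prints,
    which ssl.cert_time_to_seconds() parses as UTC. Returns the status and
    the number of whole days left until 'end' (negative once it has passed).
    """
    start_ts = ssl.cert_time_to_seconds(start)
    end_ts = ssl.cert_time_to_seconds(end)
    days_left = int((end_ts - now) // SECONDS_PER_DAY)
    if now < start_ts:
        # Only plausible for a freshly issued object: points at clock skew
        # between the issuing server and the one doing the check.
        return "not yet valid", days_left
    if now > end_ts:
        return "expired", days_left
    return "valid", days_left


def cert_status(openssl_x509_output: str, now: float) -> Tuple[str, int]:
    """Status of a certificate from 'openssl x509 -noout -dates' output."""
    fields = parse_openssl_fields(openssl_x509_output)
    return classify_window(fields["notBefore"], fields["notAfter"], now)


def crl_status(openssl_crl_output: str, now: float) -> Tuple[str, int]:
    """Status of a CRL from 'openssl crl -noout -lastupdate -nextupdate'
    output. A verifier treats a CRL past its nextUpdate as stale, which is
    what an 'expired CRL' handshake error reports."""
    fields = parse_openssl_fields(openssl_crl_output)
    return classify_window(fields["lastUpdate"], fields["nextUpdate"], now)


if __name__ == "__main__":
    subject = parse_openssl_fields(SAMPLE_CERT)["subject"]
    status, days = cert_status(SAMPLE_CERT, EXAMPLE_NOW)
    print(f"certificate [{subject}]: {status}, {days} days until notAfter")
    issuer = parse_openssl_fields(SAMPLE_CRL)["issuer"]
    status, days = crl_status(SAMPLE_CRL, EXAMPLE_NOW)
    print(f"CRL [{issuer}]: {status}, {days} days until nextUpdate")
```

Run the same check for every link in the chain, not just the driver certificate: a lapsed Organizational CA or an out-of-date CRL published by that CA fails the handshake even when the driver certificate itself has years left, which is why a "certificate expired" alert can coexist with leaf certificates that expire in 2021. A "not yet valid" result on an object that was just issued means the two servers' clocks disagree, so compare their time before reissuing anything.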

Re: eDir-eDir Certificate / Handshake / CRL Error


They all expire in 2021.


--
gregwilkerson


Re: eDir-eDir Certificate / Handshake / CRL Error

On Thu, 27 Dec 2012 22:54:01 +0000, gregwilkerson wrote:

> A portion of our IDM system contains an eDir-eDir configuration. This
> is the first time using Designer and Designer has been used to deploy
> one side of this system. The drivers start, but I'm getting two errors
> (one from each driver).


Why has only one side of the pair been deployed? I can't say that I've
tried that, but I wonder if that's confusing Designer. It naturally wants
to deploy both sides of an eDir driver pair.


> We've deleted and recreated certificates, deleted and removed passwords,
> restarted drivers and some other irrational attempts to figure this out.


I don't think driver passwords are your problem. Delete the driver
certificates, though, that may help.

In Designer, for both sides of the pair, in the driver properties, you
can (should. must?) set up SSL. My preference is to configure it for
bi-directional trust, but any of the three settings is fine. Set the
certificate expiration to 10 years (max). Then deploy both sides of the
driver pair, and let Designer create the certificates.

Does that work? Any errors reported by Designer in certificate creation?
If no errors reported, and both drivers deployed ok, then start them and
see what you get.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.


Re: eDir-eDir Certificate / Handshake / CRL Error


Why did we deploy only one side? Well, it's a long story. In short, only
one side of the system has been migrated into Designer. Part of the
driving force for using Designer was IDM 4.0 and Exchange 2010
provisioning in AD. The portion of the system that we migrated into
Designer contains an eDir driver and two AD drivers. We didn't see a
need, and didn't have the time to migrate the other side into Designer.
We have this identical setup in a test environment and I have no
troubles with that (part of what is so puzzling to me).

Because we don't have both sides in Designer, we can't create both
certificates in Designer. However, the certificate creation happens
error free from iManager. The traces in the first post are the result
of exactly what you state. The drivers are started and those traces are
what I get.

Where do I find these SSL settings for the driver in Designer? I don't
see them. I need to verify, but I believe the SSL configuration is
correct. I believe that for password synchronization to work, SSL has to
be configured. And the password sync works in our test environment.

I'm still new to Designer and am trying to get used to how it does
things.

Greg


--
gregwilkerson

Knowledge Partner

Re: eDir-eDir Certificate / Handshake / CRL Error

> Because we don't have both sides in Designer, we can't create both
> certificates in Designer. However, the certificate creation happens
> error free from iManager. The traces in the first post are the result
> of exactly what you state. The drivers are started and those traces are
> what I get.
>
> Where do I find these SSL settings for the driver in Designer. I don't
> see them. I need to verify, but I believe the SSL configuration is


Right click on the line connecting the driver icons together, at the
center of the eDir to eDir driver pair. It is under properties or
settings; I forget exactly.


> correct. I believe that for password synchronization to work, SSL has to
> be configured. And the password sync works in our test environment.
>
> I'm still new to Designer and am trying to get used to how it does
> things.
>
> Greg
>
>



Re: eDir-eDir Certificate / Handshake / CRL Error


All,

We figured it out, kind of. The server guy patched SLES and OES and
the problem went away. Weird.

Thanks for the help.

Greg


--
gregwilkerson
