kuronen Super Contributor.

/tmp/idm_install/SSL CertificateDNS_server.ks

Hi there,

I am doing a new install of user application to RHEL 7 with install.sh followed by configure.sh and it always fails to import certificates from the identity vault to the tomcat.ks (idm.ks and osp.ks seem to go fine though). I can use my own keystore but errors in the install are not tolerable. I would appreciate any hints on how to correct the issue.

I am using a dedicated identity applications server which is RHEL 7 with latest patches.
I am using IDM 4.7 iso image install.sh/configure.sh.
My identity vault is on another server; it is running RHEL 7, eDir 9.1.2, IDM Advanced 4.7.
Every component is freshly installed and all IDM / other packages are patched to the latest versions.

I tested that connection to identity vault from the userapp server works as these commands give me the certificate chain:


openssl s_client -connect server:636 -showcerts
openssl s_client -connect server:389 -starttls ldap


I checked that /tmp is writable, selinux does not give any denials, directory /tmp/idm_install/ is created during the configure process and contains multiple files made by the installer. It is deleted after install. Maybe I could try disabling selinux but that would be a pity as I've always kept it as an extra security layer in my IDM installations.

Also double checked that the driver set is associated with the server I am using for the LDAP connection and as driver set for the user application drivers. Also the server is working well with Designer, iManager and ldapsearch.

Here is what /var/opt/netiq/idm/log/idmconfigure.log says about it:


2019-03-11 08:18:57+02:00 : Deploying the Identity Applications drivers. It may take a few minutes...
Deploying the Identity Applications drivers. It may take a few minutes...
SPIException in DesignerHeadless -- 0 , Trying again...
Default Server DN --cn=server,ou=servers,o=org
Invalid GCV document on object 'NOVLACOMSET-GCVs-Prompt': Value for 'UAProvAdmin' contains an invalid character.
Unknown internal ID in version lookup: 4.7.0
Unable to read NAT Mappings file
In constructor if com.novell.soa.logging.impl.log4j.Log4jManager
Info: Exiting

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /tmp/idm_install/tomcat.ks -destkeystore /tmp/idm_install/tomcat.ks -deststoretype pkcs12".

NetIQ Identity Manager Command Line Utility
version 4.7.0.0
Copyright (c) 2017 NetIQ Corporation. All Rights Reserved

Logging in using:
host: server.hostmaname/1.2.3.4:636
user: cn=admin,ou=admins,o=org
Using LDAP protocol with SSL
DirXML version is 4.7.0.0.
Driver set CN=driverset,O=org is associated with the server.
Importing keystore /tmp/idm_install/SSL CertificateDNS_server.ks to /tmp/idm_install/tomcat.ks...
keytool error: java.io.FileNotFoundException: /tmp/idm_install/SSL CertificateDNS_server.ks (No such file or directory)
Importing keystore /tmp/idm_install/SSL CertificateDNS_server.ks to /tmp/idm_install/tomcat.ks...
keytool error: java.io.FileNotFoundException: /tmp/idm_install/SSL CertificateDNS_server.ks (No such file or directory)
2019-03-11 08:20:04+02:00 : Import recaptcha public key certificate into keystore.


Connection to identity vault is ok as it says in the /var/opt/netiq/idm/log/idmconfigure.log:


2019-03-11 08:16:15+02:00 : Verifying Identity Vault connection parameters..
Verifying Identity Vault connection parameters..
[INFO]: Connecting to server on port 636...
[INFO]: Successfully connected to the server
2019-03-11 08:16:16+02:00 : Connection successful
Connection successful


Also in the log I can see the creation of /opt/netiq/idm/apps/tomcat/conf/idm.jks and /opt/netiq/idm/apps/osp/osp.jks is a success.

But other errors / warnings in the idmconfigure.log are


2019-03-11 08:18:48+02:00 : Importing ldif file: /tmp/idm_install/ua_ldif/base_containers.ldif
Importing ldif file: /tmp/idm_install/ua_ldif/base_containers.ldif
[INFO]: Connecting to server on port 636...
[INFO]: Successfully connected to the server
[INFO]: Adding entry ...
[INFO]: Successfully updated...
[INFO]: ---
[INFO]: Adding entry ...
[WARNING]: NDS error: syntax violation (-613)
[INFO]: ---
[INFO]: Adding entry ...
[INFO]: Successfully updated...
[INFO]: ---
[INFO]: Adding entry ...
[INFO]: Successfully updated...
[INFO]: ---
[INFO]: Adding entry ...
[INFO]: Successfully updated...
[INFO]: ---
[INFO]: Modifying entry ...
[WARNING]: NDS error: no such entry (-601)
[INFO]: ---
[INFO]: Modifying entry ...
[WARNING]: NDS error: no such entry (-601)
[INFO]: ---
[INFO]: Modifying entry ...
[WARNING]: NDS error: no such entry (-601)
[INFO]: ---
[INFO]: Modifying entry ...
[WARNING]: NDS error: syntax violation (-613)
[INFO]: ---



2019-03-11 08:18:57+02:00 : Deploying the Identity Applications drivers. It may take a few minutes...
Deploying the Identity Applications drivers. It may take a few minutes...
SPIException in DesignerHeadless -- 0 , Trying again...
Default Server DN --cn=server,ou=ou,o=org
Invalid GCV document on object 'NOVLACOMSET-GCVs-Prompt': Value for 'UAProvAdmin' contains an invalid character.
Unknown internal ID in version lookup: 4.7.0
Unable to read NAT Mappings file
In constructor if com.novell.soa.logging.impl.log4j.Log4jManager
Info: Exiting
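Since configure.sh carries on after the keytool failures and only the log shows them, a small post-install triage of idmconfigure.log is the check I would run before calling the install good. This is an added example, not part of the thread and not a NetIQ/Micro Focus tool: the excerpt below is constructed from the log lines quoted above, the patterns match exactly those lines, and the whitespace note is a heuristic I added (the path that keytool cannot open contains a space), not a diagnosis from the thread.

```python
"""Triage an idmconfigure.log for failures that configure.sh does not stop on."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt: a condensed copy of the idmconfigure.log lines quoted in the post.
SAMPLE_LOG = """\
2019-03-11 08:16:15+02:00 : Verifying Identity Vault connection parameters..
[INFO]: Connecting to server on port 636...
[INFO]: Successfully connected to the server
2019-03-11 08:18:48+02:00 : Importing ldif file: /tmp/idm_install/ua_ldif/base_containers.ldif
[INFO]: Adding entry ...
[WARNING]: NDS error: syntax violation (-613)
[INFO]: Modifying entry ...
[WARNING]: NDS error: no such entry (-601)
2019-03-11 08:18:57+02:00 : Deploying the Identity Applications drivers. It may take a few minutes...
Importing keystore /tmp/idm_install/SSL CertificateDNS_server.ks to /tmp/idm_install/tomcat.ks...
keytool error: java.io.FileNotFoundException: /tmp/idm_install/SSL CertificateDNS_server.ks (No such file or directory)
Importing keystore /tmp/idm_install/SSL CertificateDNS_server.ks to /tmp/idm_install/tomcat.ks...
keytool error: java.io.FileNotFoundException: /tmp/idm_install/SSL CertificateDNS_server.ks (No such file or directory)
2019-03-11 08:20:04+02:00 : Import recaptcha public key certificate into keystore.
Unable to create SAML Trusted Root objects.
"""


@dataclass
class Finding:
    line_no: int
    severity: str  # "error" or "warning"
    check: str
    detail: str


# Patterns lifted from the log lines in the post.
KEYTOOL_FNF = re.compile(
    r"keytool error: java\.io\.FileNotFoundException: (?P<path>.+) \(No such file or directory\)"
)
KEYSTORE_IMPORT = re.compile(r"Importing keystore (?P<src>.+) to (?P<dst>.+)\.\.\.$")
NDS_ERROR = re.compile(r"\[WARNING\]: NDS error: (?P<msg>.+) \((?P<code>-\d+)\)")
SAML_FAIL = "Unable to create SAML Trusted Root objects"


def scan_idmconfigure_log(text: str) -> list[Finding]:
    """Return one Finding per line that indicates a silently tolerated failure."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = KEYTOOL_FNF.search(line)
        if m:
            path = m.group("path")
            detail = f"keystore source missing: {path}"
            # Heuristic (my addition): a path with whitespace deserves a closer look,
            # because an unquoted expansion would split it into two arguments.
            if any(c.isspace() for c in path):
                detail += " [path contains whitespace]"
            findings.append(Finding(n, "error", "keytool-missing-source", detail))
            continue
        m = NDS_ERROR.search(line)
        if m:
            findings.append(Finding(n, "warning", f"nds{m.group('code')}", m.group("msg")))
            continue
        if SAML_FAIL in line:
            findings.append(Finding(n, "error", "saml-trusted-root", line.strip()))
    return findings


def failed_keystore_imports(text: str) -> list[tuple[str, str]]:
    """Pair each 'Importing keystore X to Y' line with a keytool error on the next line,
    so you can see which target keystore never received the Identity Vault certificate."""
    failed: list[tuple[str, str]] = []
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = KEYSTORE_IMPORT.search(line)
        if m and KEYTOOL_FNF.search(lines[i + 1]):
            failed.append((m.group("src"), m.group("dst")))
    return failed


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts = {"error": 0, "warning": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def exit_status(findings: list[Finding]) -> int:
    """Non-zero if any error-level finding exists, so this can gate an install pipeline."""
    return 1 if any(f.severity == "error" for f in findings) else 0


if __name__ == "__main__":
    import sys

    # Default path is the one the post names; pass another file to override.
    log_path = sys.argv[1] if len(sys.argv) > 1 else "/var/opt/netiq/idm/log/idmconfigure.log"
    try:
        text = open(log_path, encoding="utf-8", errors="replace").read()
    except OSError:
        text = SAMPLE_LOG  # fall back to the constructed excerpt for a demo run
    found = scan_idmconfigure_log(text)
    for f in found:
        print(f"line {f.line_no:>5} {f.severity:<7} {f.check:<24} {f.detail}")
    for src, dst in failed_keystore_imports(text):
        print(f"import failed: {src} -> {dst}")
    print(summarize(found))
    sys.exit(exit_status(found))
```

Run it after configure.sh against the default log path; a non-zero exit means at least one keystore import or SAML trusted root step failed even though the installer reported completion, and the failed-import pairs tell you which keystore (here tomcat.ks) to rebuild or verify by hand with keytool -list.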
kuronen Super Contributor.

Re: /tmp/idm_install/SSL CertificateDNS_server.ks

Correction: /opt/netiq/idm/apps/osp/osp.jks only contains the private key and is missing any possible IDM certs, but I do not know if it needs to have them? /opt/netiq/idm/apps/tomcat/conf/idm.jks contains IDM certificates as well. By IDM certificate I mean the Identity Vault root CA.
kuronen Super Contributor.

Re: /tmp/idm_install/SSL CertificateDNS_server.ks

I disabled selinux just in case but still when I reinstall and configure I get errors about not being able to create SAML trusted root objects. That was not in the install log file. Here is the console output from configure.sh


Refer log for more information at /var/opt/netiq/idm/log/idmconfigure.log



###############################################################

Configuring : Identity Applications
Mon Mar 11 10:17:14 EET 2019

###############################################################


Verifying installed components...
Creating the Identity Manager keystore.
Importing Identity Vault certificates.
Updating OSP command line configurations in tomcat setenv file
Configuring OSP.
Creating OSP Keystore.
Modifying Tomcat server.xml
chmod: cannot access ‘osp-custom-resource.jar’: No such file or directory
cp: cannot stat ‘/tmp/ospjar/osp-custom-resource.jar’: No such file or directory
cp: cannot stat ‘/tmp/ospjar/osp-custom-resource.jar’: No such file or directory
chmod: cannot access ‘osp.war’: No such file or directory
cp: cannot stat ‘/tmp/ospwar/osp.war’: No such file or directory
Verifying installed components...

Initializing Identity Applications configurations
Importing Identity Vault certificates.
Importing ldif schema
Updating Tomcat configuration
Modifying Tomcat context.xml
Generating master key
Deploying the Identity Applications drivers. It may take a few minutes...
rm: cannot remove ‘/tmp/idm_install/SSL CertificateDNS_server.ks’: No such file or directory
Creating configurations files
Unable to create SAML Trusted Root objects.
Configuring the database. The configuration may take few minutes
Setting up database users and schema...
Verifying installed components...
Importing Identity Vault certificates.

Merging the default Identity Manager settings with the SSPR configuration
Importing SSPR LDIF configurations to Identity Vault

Knowledge Partner

Re: /tmp/idm_install/SSL CertificateDNS_server.ks

kuronen wrote:

>
> Hi there,
>
> I am doing a new install of user application to RHEL 7 with install.sh
> followed by configure.sh and it always fails to import certificates from
> the identity vault to the tomcat.ks (idm.ks and osp.ks seem to go
> fine though). I can use my own keystore but errors in the install are
> not tolerable. I would appreciate any hints on how to correct the
> issue.
>


I've seen it on every 4.7 install I have performed so far. Don't have a way to
work around this.



--
Alex McHugh - Knowledge Partner - Stavanger, Norway
kuronen Super Contributor.

Re: /tmp/idm_install/SSL CertificateDNS_server.ks

Despite my bold statement I had to tolerate it as well. But it's working now so can add that to the list of undocumented oddities.