
unable to get renewed edir-to-edir certificates working

Hi all,

I've been hacking on this for hours and hours.

My subscriber (ldap tree) edir server's edir 2 edir cert expired. I've been working since on getting new certs. No matter what I do, my ldap tree driver says

Driver: \SMITH_TREE\SC\driverset\LDAPToVault
Channel: Subscriber
Status: Retry
Message: Code(-9006) The driver returned a "retry" status indicating that the operation should be retried later. Detail from driver: java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL, error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
[02/12/18 18:12:24.552]:LDAPToVault ST:Requesting 30 second retry delay.

I've tried to update them using Designer (but it doesn't seem to be creating the certs in the tree, so that doesn't help)

I've tried to create them in iManager, with I believe recent plugins, but
- from the LDAP side, it doesn't seem to make a difference
- from the vault side, I get this charming error:

Error: Driver Wizard - Error
The following 'Exception' was thrown but not handled.

''Unable to create the certificates. The following error occurred: java.lang.ClassFormatError: com/novell/security/japi/pki/NPKI_Extension''.

It's true that my LDAP tree hasn't been updated to the latest IDM version - my update schedule got hijacked. So it's still running 4.0.x. But if that were the problem, why was it working before the cert expired?

If I use s_client to connect to the servers on port 8192, the certs look clean.

And I did delete the existing certs before trying to regenerate them.

So, other than shooting myself, does anyone have suggestions?

Karla
Not a happy camper

It's about how the certs are attempting to be created....the old ones would have used old methods, etc...

Easiest way I find is:

Tree A = Self Signed Server Cert
Tree B = Create Server Cert to be signed by other CA

Sign Tree B cert from Tree A CA, then import signed cert and CA public cert into Tree B pending request....set driver auth to cert names, and all is good.

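The cross-signing described in the reply above, as an added example that is not part of the thread and not eDirectory's or iManager's own tooling: Tree A acts as the CA, Tree B generates a key and a request, Tree A signs it, and the result is checked before anything goes into Tree B's pending request. Everything here is plain OpenSSL; tree names, DNs, the host name ldap1.treeb.example and the bundle password are invented for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: the "Tree A self-signed CA signs Tree B's
# server request" procedure from the reply above, done with plain OpenSSL so
# every artefact (CA cert, CSR, signed cert, PKCS#12 bundle) is visible on disk
# and can be checked before anything is imported. Tree names, DNs and the host
# name ldap1.treeb.example are invented for the illustration.
set -eu

WORK=${WORK:-$(mktemp -d)}
CA_KEY=$WORK/treeA-ca.key;      CA_CERT=$WORK/treeA-ca.pem
SRV_KEY=$WORK/treeB-ldap1.key;  SRV_CSR=$WORK/treeB-ldap1.csr
SRV_CERT=$WORK/treeB-ldap1.pem; SRV_P12=$WORK/treeB-ldap1.p12

# Extension profiles: a CA profile for Tree A and a server profile for the
# Tree B leaf. A leaf without keyUsage/extendedKeyUsage/SAN is what modern
# TLS clients reject, so they are set explicitly rather than left to defaults.
write_profiles() {
    cat > "$WORK/ext.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = req_dn
[req_dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:ldap1.treeb.example
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Tree A: a self-signed CA, playing the role of that tree's Organizational CA.
make_tree_a_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$CA_KEY" 2>/dev/null
    openssl req -x509 -new -key "$CA_KEY" -sha256 -days 730 \
        -subj "/O=TREE_A/CN=Organizational CA" \
        -config "$WORK/ext.cnf" -extensions ca_ext -out "$CA_CERT"
}

# Tree B: a private key that never leaves Tree B, and a request to be signed elsewhere.
make_tree_b_request() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$SRV_KEY" 2>/dev/null
    openssl req -new -key "$SRV_KEY" -subj "/O=TREE_B/CN=ldap1.treeb.example" \
        -config "$WORK/ext.cnf" -out "$SRV_CSR"
}

# Tree A signs Tree B's request with the server profile. Renewal later is a
# re-sign of this same CSR: the key on Tree B stays where it is.
sign_tree_b_request() {
    openssl x509 -req -in "$SRV_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial \
        -days 398 -sha256 -extfile "$WORK/ext.cnf" -extensions server_ext -out "$SRV_CERT" 2>/dev/null
}

# The checks worth running before importing anything into the pending request.
verify_chain() {            # succeeds only if the leaf chains to Tree A's CA
    openssl verify -CAfile "$CA_CERT" "$SRV_CERT" 2>/dev/null | grep -q ': OK$'
}
cert_valid_for_days() {     # cert_valid_for_days FILE DAYS: fails if it expires within DAYS
    openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null
}
issuer_of() {               # issuer DN as printed by the installed OpenSSL
    openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//'
}

# Key + signed cert + Tree A CA in one PKCS#12 file, the form a Java keystore
# (keytool -importkeystore -srcstoretype PKCS12) accepts. Password is a placeholder.
build_bundle() {
    openssl pkcs12 -export -inkey "$SRV_KEY" -in "$SRV_CERT" -certfile "$CA_CERT" \
        -name ldap1-treeB -passout pass:changeit -out "$SRV_P12"
}
bundle_ok() {               # the bundle opens with the password and parses
    openssl pkcs12 -in "$SRV_P12" -passin pass:changeit -noout 2>/dev/null
}

write_profiles
make_tree_a_ca
make_tree_b_request
sign_tree_b_request
verify_chain
cert_valid_for_days "$SRV_CERT" 30
build_bundle
bundle_ok
echo "issuer: $(issuer_of "$SRV_CERT")"
openssl x509 -noout -subject -dates -in "$SRV_CERT"
echo "artefacts in $WORK"
```

What goes into Tree B's pending request is the signed certificate plus Tree A's CA certificate; the PKCS#12 at the end is the same material in a form keytool can read if the keystore route is taken instead. Note that `verify_chain` only passes because Tree A's CA is handed over with -CAfile; the same leaf checked without it reports an untrusted issuer, which is also what an `s_client` run without -CAfile shows and is easy to misread as a broken certificate.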

kborecky wrote:

> So, other than shooting myself, does anyone have suggestions?


I'd use a keystore instead of KMOs, as described at
https://www.netiq.com/documentation/identity-manager-46-drivers/edirectory/data/b96asqi.html#b1f1r8m9


--
http://www.is4it.de/en/solution/identity-access-management/

lhaeger wrote:
> I'd use a keystore instead of KMOs, as described at
> https://www.netiq.com/documentation/identity-manager-46-drivers/edirectory/data/b96asqi.html#b1f1r8m9

I like the idea of a keystore - why not? thank you!

Like Lothar, I'd suggest the keystore approach.

But that error normally comes when you're trying to use an SSL version
which is not supported, i.e. your certificates are minted for SSLv3 and
not TLS.

Are you on IDM 4.0.2 Patch 5 or later, and using a very old version of
iManager? That could be the cause.


Casper

On 13.02.18 00:24, kborecky wrote:
> So, other than shooting myself, does anyone have suggestions?
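OpenSSL raises SSL23_GET_SERVER_HELLO:unknown protocol (ssl3_get_record:wrong version number in newer releases) when the bytes that come back in reply to its ClientHello do not form an SSL/TLS record at all, which is a different failure from an expired or untrusted certificate: a ClientHello that reaches a port where nothing is speaking TLS produces exactly this. The original post and Casper's reply above both turn on reading that error, so the script below, added here and not part of the thread, turns `openssl s_client` output into one diagnosis word and keeps "not TLS on that port" apart from "TLS worked, certificate failed". The canned fragments in the demo are constructed from OpenSSL's own error strings, not captured from the poster's systems; host, port and CA file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: turn `openssl s_client` output into one
# diagnosis word, so that "the port did not answer with TLS at all" (the
# SSL23_GET_SERVER_HELLO:unknown protocol case) is kept apart from "TLS worked
# but the certificate failed verification". Canned fragments below are
# constructed, not captured from the poster's systems.
set -eu

# Read s_client output (stdout and stderr merged) on stdin, print one word.
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"unknown protocol"*|*"wrong version number"*)
            echo not-tls; return ;;            # reply was not a TLS record: plaintext service or wrong port
        *"handshake failure"*|*"no protocols available"*|*"unsupported protocol"*)
            echo handshake-rejected; return ;; # TLS was spoken, but the version or cipher offer was refused
        *"Connection refused"*|*"connect:errno"*|*"Connection timed out"*)
            echo no-connection; return ;;
    esac
    code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    case "${code:-none}" in
        0)            echo verify-ok ;;
        10)           echo cert-expired ;;
        18|19|20|21)  echo issuer-untrusted ;; # self-signed/unknown issuer: usually a missing or wrong -CAfile
        none)         echo no-verify-result ;;
        *)            echo "verify-failed-$code" ;;
    esac
}

# tls_probe HOST PORT [CAFILE]: one handshake, then the classification.
# The eDir-to-eDir driver in the thread listens on 8192; pass the other tree's
# CA certificate as CAFILE, otherwise every certificate it issued looks untrusted.
tls_probe() {
    host=$1; port=$2; cafile=${3:-}
    set -- -connect "$host:$port" -servername "$host"
    [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
    # </dev/null closes the session right after the handshake; 2>&1 keeps the error lines
    openssl s_client "$@" </dev/null 2>&1 | classify_s_client_output
}

# peer_cert_summary HOST PORT: subject, issuer and validity of the presented certificate.
peer_cert_summary() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates
}

# Offline demo on constructed fragments of s_client output.
demo_classifier() {
    printf 'CONNECTED(00000003)\n140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol\n' \
        | classify_s_client_output                      # not-tls
    printf 'CONNECTED(00000003)\nerror:0A00010B:SSL routines:ssl3_get_record:wrong version number\n' \
        | classify_s_client_output                      # not-tls (same condition, OpenSSL 1.1/3 wording)
    printf 'verify error:num=10:certificate has expired\n    Verify return code: 10 (certificate has expired)\n' \
        | classify_s_client_output                      # cert-expired
    printf '    Verify return code: 19 (self signed certificate in certificate chain)\n' \
        | classify_s_client_output                      # issuer-untrusted
    printf 'SSL handshake has read 2837 bytes and written 405 bytes\n    Verify return code: 0 (ok)\n' \
        | classify_s_client_output                      # verify-ok
}

demo_classifier
```

Against a live driver port the call is `tls_probe ldap1.treeb.example 8192 /path/to/treeA-ca.pem`; a `not-tls` answer means the handshake never got as far as certificates, so regenerating them cannot change it, while `cert-expired` or `issuer-untrusted` is the case the rest of the thread is about, and `peer_cert_summary` shows which certificate the port is actually presenting and its dates.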