regoli

NW SBS 6.5 Lost SSL, Apache, iManager, GW Messenger: KMO SS

OK, as it happens, SSL certificates expire and you only discover them after a reboot! (I wish there was an easier way to keep up on this, but alas I have to re-learn certificate management every time it happens!)

(In all examples below, I've masked out the IP address of my server with xx.xx.xx.x and the hostname, where it appears, with myserverFQDN)

We have a Netware SBS 6.5 / SP 5 server, eDirectory 8.7.3.7, with GroupWise 7. After this week's reboot, I lost the following services:

iManager
Secure access to Remote Manager (although I can get there via port 81 without security: http://xxx.xx.xx.xx:81/)
GroupWise (Instant) Messenger
GroupWise WebAccess
Apache
And access to various GroupWise web-based monitors (Post office on port 7181, GWIA on port 9850, MTA on port 7180), etc.

On the console is this telling error:

--------

HTTPSTK: Error 10022 enabling SSL services - SSL Disabled.
HTTPSTK: ListeningThread() on xxx.xx.xx.x:8009 Exiting after Error
--------

and this:

--------

LDAP connectivity not found on ldap://localhost:636
Please load NLDAP and then manually execute command: sys:/tomcat/4/bin/startup


If your server host certificates have change recently, executing
sys:/system/tckeygen.ncf may be needed to restore secure LDAP
connectivity

LDAP connectivity not found on ldap://localhost:636
Please load NLDAP and then manually execute command: sys:/tomcat/4/bin/startup
-config sys:/adminsrv/conf/admin_tomcat.xml

If your server host certificates have change recently, executing
sys:/system/tckeygen.ncf may be needed to restore secure LDAP
connectivity

--------

Apache is not/can not run (TCPCON confirms silence on ports 80,
389, 524, 443, 636, 8008, 8009.)


I ran PKIDIAG on the console, with in the "fix" mode, and it reports:

---------------------------------------------------------------------------
PKIDiag 2.78 -- (compiled Jul 18 2005 17:19:11).
(Check the end of the log for the last repair results)
Current Time: Sun Apr 13 17:43:02 2008
User logged-in as: admin.oah.
Fixing mode
Rename and create mode
Rename and create when necessary

--> Server Name = 'THOMAS'
---------------------------------------------------------------------------

Step 1 Verifying the Server's link to the SAS Service Object.
Server 'THOMAS.oah' points to SAS Service object 'SAS Service - THOMAS.oah'
Step 1 succeeded.

Step 2 Verifying the SAS Service Object
SAS Service object 'SAS Service - THOMAS.oah' is backlinked to server 'THOMAS.oah'.
Step 2 succeeded.

Step 3 Verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - THOMAS.oah'.
--->KMO IP AG xxx\.xx\.x\.xx - THOMAS.oah is linked.
--->KMO SSL CertificateIP - THOMAS.oah is linked.
--->KMO DNS AG [myserverFQDN] - THOMAS.oah is linked.
--->KMO SSL CertificateDNS - THOMAS.oah is linked.
--->KMO messenger - THOMAS.oah is linked.
Step 3 succeeded.

Step 4 Verifying the KMOs
---> Testing KMO 'messenger - THOMAS.oah'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateDNS - THOMAS.oah'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'DNS AG [myserverFQDN] - THOMAS.oah'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'SSL CertificateIP - THOMAS.oah'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.

---> Testing KMO 'IP AG 156\.56\.25\.3 - THOMAS.oah'.
Rights check -- OK.
Back link -- OK.
Private Key -- OK.
Step 4 succeeded.

Step 5 Re-verifying the links to the KMOs
Reading the links for SAS Service object 'SAS Service - THOMAS.oah'.
KMO 'IP AG xxx\.xx\.xx\.xx - THOMAS.oah' is linked.
KMO 'SSL CertificateIP - THOMAS.oah' is linked.
KMO 'DNS AG thomas\.oah\.org - THOMAS.oah' is linked.
KMO 'SSL CertificateDNS - THOMAS.oah' is linked.
KMO 'messenger - THOMAS.oah' is linked.
Step 5 succeeded.

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: xxx.xx.xx.xx
PROBLEM: The KMO SSL CertificateIP has expired.
--> The KMO SSL CertificateIP's IP Address is: xxx.xx.xx.xx.O=.TULIP.
----> The IP addresses match.
Step 6 failed 35323.

Note: Occasionally multiple problems will be solved with a single fix.

Fixable problems found: 1
Problems fixed: 0
Un-fixable problems found: 0


-------------------------------------------------------

I've run this, rebooted, run it again, rebooted. (At first I had the LDAP issues above, and I did run sys:/system/tckeygen.ncf as recommended above, and NLDAP is now running. I don't get that error anymore.) I've rebooted since this.

I began reading the docs to troubleshoot SSL certs (namely 10094253: Troubleshooting steps for SSL Certificates, Organizational CA, and Certificate Server.), and it turns out the ConsoleOne I've been using day-in/day-out to manage GroupWise doesn't have the correct snapin to properly create new NDSPI:Key Material objects.

I get the error: "There is no snapin to create this type of object. If you proceed and use the generic object creator, the resulting object may not be usable. Continue?" (I said NO)

Great. pkidiag can't fix this; iManager won't run, and ConsoleOne has no ability to deal with this. (Wow, I wish there was an easier way to more proactively manage certs so they don't bring half your server down.) I would delete the "SSL CertificateIP - THOMAS" that I see at the top of my .ou, but without a reliable way to rebuild/recreate it, I'm a bit gun-shy.

Let's remember, too: Prior to our normal Sunday morning weekly reboot, NOTHING has changed on this server. Last week, all was working wonderfully.

I would of course appreciate any ideas! Many thanks... --michael

--
michael regoli
indiana university bloomington
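The thread's root cause is a server certificate that expired unnoticed until the weekly reboot killed HTTPS, LDAPS and Remote Manager. The script below is an added example (not from this thread, and not Novell's or Micro Focus's code) of the proactive check the original poster wishes for: it connects to each of the ports the post lists as dead (443, 636, 8009), pulls the server certificate in DER form, reads notBefore/notAfter directly out of the ASN.1 structure, and reports days left. Reading the DER itself, rather than relying on a verified handshake, means it still gets the dates from a certificate that is already expired or issued by a private Organizational CA, and every comparison is done in UTC, which sidesteps the time-zone doubt raised later in the thread. The host name myserverFQDN, the 30-day warning threshold and the embedded sample certificate are assumptions; the sample is a constructed DER skeleton carrying the dates mentioned in the thread, not a real certificate.

```python
"""Probe TLS ports and report certificate expiry straight from the DER certificate."""
import socket
import ssl
from datetime import datetime, timezone

# Ports the thread reports as dead once the KMO expired: HTTPS, LDAPS, Remote Manager SSL.
DEFAULT_PORTS = (443, 636, 8009)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _asn1_time(tag, raw):
    """UTCTime (0x17) or GeneralizedTime (0x18) value -> timezone-aware UTC datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                       # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("unexpected ASN.1 time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_from_der(der):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity (RFC 5280 4.1)."""
    tag, pos, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)            # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    for _ in range(3):                      # serialNumber, signature AlgorithmIdentifier, issuer Name
        _, _, pos = _tlv(der, pos)
    tag, pos, validity_end = _tlv(der, pos)  # validity ::= SEQUENCE { notBefore Time, notAfter Time }
    if tag != 0x30:
        raise ValueError("validity is not a SEQUENCE")
    times = []
    while pos < validity_end:
        tag, start, pos = _tlv(der, pos)
        times.append(_asn1_time(tag, der[start:pos]))
    return times[0], times[1]


def days_left(not_after, now=None):
    """Days until not_after (negative once expired); both sides are UTC, so local time-zone rules cannot shift it."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).total_seconds() / 86400.0


def assess(der, now=None, warn_days=30):
    """Classify a DER certificate as 'ok', 'expiring' or 'expired' relative to `now`."""
    not_before, not_after = validity_from_der(der)
    days = days_left(not_after, now)
    status = "expired" if days < 0 else ("expiring" if days < warn_days else "ok")
    return {"status": status, "days_left": round(days, 1),
            "not_before": not_before.isoformat(), "not_after": not_after.isoformat()}


def probe(host, port, timeout=5.0):
    """Fetch the server certificate as DER. Verification is off on purpose: an expired or
    privately-issued certificate would otherwise abort the handshake before its dates can be read."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_server(host, ports=DEFAULT_PORTS, warn_days=30):
    """Probe every port and return {port: assessment or error record}."""
    report = {}
    for port in ports:
        try:
            report[port] = assess(probe(host, port), warn_days=warn_days)
        except (OSError, ssl.SSLError, ValueError) as exc:  # closed port, failed handshake, odd DER
            report[port] = {"status": "error", "detail": str(exc)}
    return report


# Constructed sample (NOT a real certificate): the minimal DER skeleton the parser needs,
# with dummy issuer/subject/signature and the dates the thread mentions.
def _der(tag, body):
    """Encode one DER TLV, short or long length form, for building the sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


_TBS = (_der(0xA0, _der(0x02, b"\x02"))               # [0] version v3
        + _der(0x02, b"\x01")                        # serialNumber
        + _der(0x30, b"") + _der(0x30, b"")          # signature AlgorithmIdentifier, issuer (dummies)
        + _der(0x30, _der(0x17, b"080101000000Z")    # validity: notBefore 2008-01-01 (constructed)
                     + _der(0x17, b"160408174302Z"))  #           notAfter 2016-04-08 17:43:02
        + _der(0x30, b""))                           # subject (dummy)
SAMPLE_CERT = _der(0x30, _der(0x30, _TBS) + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_NOW = datetime(2008, 4, 13, 17, 43, 2, tzinfo=timezone.utc)  # PKIDiag's timestamp in the thread

if __name__ == "__main__":
    print(assess(SAMPLE_CERT, SAMPLE_NOW))    # offline demo on the constructed sample
    # print(check_server("myserverFQDN"))      # live probe of the ports listed above
```

Run it from cron and page on anything other than "ok"; a NetWare 6.5-era stack may only speak TLS 1.0, in which case lower `ctx.minimum_version` (for example to `ssl.TLSVersion.TLSv1`) inside `probe` on a monitoring host where that is acceptable. The script only answers "when does this certificate expire"; whether the certificate's subject matches the server's default IP, the separate warning PKIDiag raises at the end of the thread, is a different check.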
Anonymous_User

Re: NW SBS 6.5 Lost SSL, Apache, iManager, GW Messenger: KMO SS

On 14/04/08 regoli wrote:
> I would delete the "SSL CertificateIP - THOMAS" that I see at
> the top of my .ou, but without a reliable way to rebuild/recreate it,
> I'm a bit gun shy.
>


Well that is what you need to do ... it's not working now so there's
nothing to lose. I guess what you could do is move it elsewhere instead
of deleting it.
--
Andrew C Taubman
Novell Support Forums Volunteer SysOp
http://forums.novell.com/
(Sorry, support is not provided via e-mail)

Opinions expressed above are not
necessarily those of Novell Inc.
regoli

Re: NW SBS 6.5 Lost SSL, Apache, iManager, GW Messenger: KM

And I should therefore TRUST the ConsoleOne to the task, despite the snapin situation?

If not ConsoleOne, then what do I use?

Thanks for the reply! --michael

regoli

Re: NW SBS 6.5 Lost SSL, Apache, iManager, GW Messenger: KM

OK! Had a brain fade--forgot that I could run the Real(tm) ConsoleOne from the server. (Therefore I now have access to all of the certificate snapins that I need. Sorry about that!)

OK, so I followed the troubleshooting steps of creating a certificate via ConsoleOne (at 10094253: Troubleshooting steps for SSL Certificates, Organizational CA, and Certificate Server.). All went well. A test certificate was created.

However, now that I'm running the Real ConsoleOne, I have examined my server cert (SSL Certificate IP) and ConsoleOne shows that it's not technically "expired". I click the "Certificates" tab when selecting it, and the "expiration date is April 8, 2016".

This server is in Indiana. We've had our share of timezone shenanigans over the last couple years.

While it looks like I've got 8 more years to deal with this--can the "expiration date" be trusted?

Now that I can manipulate SSL certs with my Real ConsoleOne, what do I need to do to resolve this error in PKIDiag?



Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: xxx.xx.xx.xx
PROBLEM: The KMO SSL CertificateIP has expired.
--> The KMO SSL CertificateIP's IP Address is: xxx.xx.xx.xx.O=.TULIP.
----> The IP addresses match.
Step 6 failed 35323.


--Michael


ataubman

Re: NW SBS 6.5 Lost SSL, Apache, iManager, GW Messenger: KMO SS

I think you might be looking at two different certs. In any case, as I
said, you need to either delete or move that one referred to by PKIDIAG,
then run it again and it will create a new one for you.
--
Andrew C Taubman
Novell Support Forums Volunteer SysOp
http://forums.novell.com/
(Sorry, support is not provided via e-mail)

Opinions expressed above are not
necessarily those of Novell Inc.

regoli

Re: NW SBS 6.5 Lost SSL, Apache, iManager, GW Messenger: KM

Andrew, thanks for the reply. I have deleted "SSL CertificateIP" on the server. I have run PKIDIAG (version 2.78) with the "fixing mode" set to "rename and create" and "re-key" the certificates.

Steps 1 through 5 are successful. Step 6 fails with this error:


Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: xxx.xx.xx.xx
PROBLEM: A SSL CertificateIP does not exist
Step 6 failed 35323.

What's next? And thank you! --michael

regoli

Re: NW SBS 6.5 Lost SSL, Apache, iManager, GW Messenger: KM

Just a quick note to follow up with a SUCCESS story!

I was able, via ConsoleOne, to recreate the two new certificates ("SSL CertificateDNS" and "SSL CertificateIP"), re-run the LDAP key import script (sys:/system/tckeygen.ncf), and all services are back up and running.

While I still am unable to get any satisfaction from running PKIDIAG--it passes steps 1 through 5 (as it always has)--it now reports:

Step 6 Creating IP and DNS Certificates if necessary.
--> Number of Server IP addresses = 1
--> The default IP address is: xxx.xx.xx.xx
--> The KMO SSL CertificateIP's IP Address is: myserver.domain.org
PROBLEM: The IP address in KMO SSL CertificateIP (myserver.domain.org)
does not match the default IP address (xxx.xx.xx.xx).
Step 6 failed 35323.

(Site-specific details removed and replaced with italics.)

According to this document (https://secure-support.novell.com/KanisaPlatform/Publishing/680/3640106_f.SAL_Public.html), Novell says to ignore the warning: "The Novell Certificate Server KMO objects will use the "default" address when generating its keys. If the default is changed (typically the first bound address), this error may occur. This should not prevent Netware 6.5 nor its components from installing correctly. Ignore this error and continue on with the installation. (NOTE: When accessing the server via a browser or other client through SSL, you may get a warning that the server does not match the certificate and ask if you want to continue. If you say yes, you will still create a secured connection."

So that's what I'll do.

My thanks for the help here! --michael
