aitcrajesh
New Member.
544 views

Error (5) accepting SSL connection

Hi There,

I am using PAM3.5 and AM 4.4 where my pam is installed on a centos machine.

Now I have configured my PAM inside AM, but when I'm launching my SSH java file from the PAM console, it is showing me the following error in unifid.log.

URL:https://pam.ciit.in/pam/?sso=1

Thu Apr 25 15:07:36 2019, 811, 1148057344, 15060, Info, SSL_accept: error syscall 0
Thu Apr 25 15:07:36 2019, 811, 1173063424, 15060, Info, Error (5) accepting SSL connection from 192.168.1.237
Thu Apr 25 15:07:36 2019, 811, 1173063424, 15060, Info, SSL_accept: error syscall 0
Thu Apr 25 15:07:37 2019, 887, 1173063424, 15060, Warning, Peer certificate [CN = nri-tz-arclog] has expired:
Wed Oct 17 07:55:36 2018
Thu Apr 25 15:07:37 2019, 887, 1173063424, 15060, Warning, Peer certificate [CN = nri-tz-arclog] has expired:
Wed Oct 17 07:55:36 2018
Thu Apr 25 15:07:37 2019, 891, 1173063424, 15060, Error, Peer verification error for nri-tz-arclog(192.168.1.235) accessing registry.modQuery unable to get local issuer certificate
Thu Apr 25 15:07:37 2019, 898, 1173063424, 15060, Warning, Invalid peer certificate unable to verify the first certificate
Thu Apr 25 15:07:37 2019, 900, 1173063424, 15060, Error, No service registration record for nri-tz-arclog:gUSrRXEV2/rryCngNJdOdLC8pQ0=<192.168.1.235>


- How do I put AM cert inside PAM

Please help me out, guys.
0 Likes
5 Replies
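
An added example, not part of the original thread: a small Python triage of the unifid.log lines quoted in the post, separating the failed TLS accept from the two certificate validation problems (expired peer certificate, issuer not in the local trust store). The function names and finding labels are hypothetical; the numeric columns after the timestamp are skipped rather than interpreted.

```python
import re
from datetime import datetime

# Lines taken from the unifid.log excerpt in the post; the three numeric
# columns after the timestamp are skipped, not interpreted.
SAMPLE = """\
Thu Apr 25 15:07:36 2019, 811, 1148057344, 15060, Info, SSL_accept: error syscall 0
Thu Apr 25 15:07:36 2019, 811, 1173063424, 15060, Info, Error (5) accepting SSL connection from 192.168.1.237
Thu Apr 25 15:07:37 2019, 887, 1173063424, 15060, Warning, Peer certificate [CN = nri-tz-arclog] has expired:
Wed Oct 17 07:55:36 2018
Thu Apr 25 15:07:37 2019, 891, 1173063424, 15060, Error, Peer verification error for nri-tz-arclog(192.168.1.235) accessing registry.modQuery unable to get local issuer certificate
"""

TS = "%a %b %d %H:%M:%S %Y"
RECORD = re.compile(r"^(\w{3} \w{3} [ \d]\d [\d:]{8} \d{4}), \d+, \d+, \d+, (\w+), (.*)$")
EXPIRED = re.compile(r"Peer certificate \[CN = (.+?)\] has expired: (.+)$")
ISSUER = re.compile(r"Peer verification error for (\S+?)\((\S+?)\).*unable to get local issuer certificate")
ACCEPT = re.compile(r"Error \((\d+)\) accepting SSL connection from (\S+)")

def parse(text):
    """Return [timestamp, level, message] records; a line without a record
    header (such as the expiry date) is joined to the previous message."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append([datetime.strptime(m.group(1), TS), m.group(2), m.group(3)])
        elif records and line.strip():
            records[-1][2] += " " + line.strip()
    return records

def triage(text):
    """Classify TLS failures: failed accepts, expired peer certificates
    (with days past expiry at log time), and peers whose issuer is not trusted."""
    findings = []
    for ts, _level, msg in parse(text):
        if m := EXPIRED.search(msg):
            not_after = datetime.strptime(m.group(2), TS)
            findings.append(("expired_cert", m.group(1), (ts - not_after).days))
        elif m := ISSUER.search(msg):
            findings.append(("untrusted_issuer", m.group(1), m.group(2)))
        elif m := ACCEPT.search(msg):
            findings.append(("accept_failed", m.group(2), int(m.group(1))))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

On the quoted lines this reports the certificate for nri-tz-arclog as 190 days past expiry when the connection was attempted, and the accept failure as coming from a different address (192.168.1.237) than the peer whose certificate failed verification (192.168.1.235).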
Micro Focus Contributor

Re: Error (5) accepting SSL connection

On 25.04.19 12:36, aitcrajesh wrote:
>
> Hi There,
>
> I am using PAM3.5 and AM 4.4 where my pam is installed on a centos
> machine.
>
> Now I have configured my PAM inside AM but when I'm launching my SSH
> java file from PAM console. It is showing me the following error in
> unifid.log.
>
> URL:https://pam.ciit.in/pam/?sso=1
>
>
> Code:
> --------------------
> Thu Apr 25 15:07:36 2019, 811, 1148057344, 15060, Info, SSL_accept: error syscall 0
> Thu Apr 25 15:07:36 2019, 811, 1173063424, 15060, Info, Error (5) accepting SSL connection from 192.168.1.237
> Thu Apr 25 15:07:36 2019, 811, 1173063424, 15060, Info, SSL_accept: error syscall 0
> Thu Apr 25 15:07:37 2019, 887, 1173063424, 15060, Warning, Peer certificate [CN = nri-tz-arclog] has expired:
> Wed Oct 17 07:55:36 2018
> Thu Apr 25 15:07:37 2019, 887, 1173063424, 15060, Warning, Peer certificate [CN = nri-tz-arclog] has expired:
> Wed Oct 17 07:55:36 2018
> Thu Apr 25 15:07:37 2019, 891, 1173063424, 15060, Error, Peer verification error for nri-tz-arclog(192.168.1.235) accessing registry.modQuery unable to get local issuer certificate
> Thu Apr 25 15:07:37 2019, 898, 1173063424, 15060, Warning, Invalid peer certificate unable to verify the first certificate
> Thu Apr 25 15:07:37 2019, 900, 1173063424, 15060, Error, No service registration record for nri-tz-arclog:gUSrRXEV2/rryCngNJdOdLC8pQ0=<192.168.1.235>
> --------------------
>
>
> - How do I put AM cert inside PAM
>
> Please help me out, guys.
>
>


You'd get more info from the client.log:

Modify /opt/netiq/pam/config/config.xml:

<Unifi db_sync="1" service_name="npum">
  <Log level="info" file="logs/unifid.log" max_size="10"/>
  <ClientLog level="debug" file="logs/client.log" max_size="10"/>
  <Worker min="5" smax="20" hmax="60" ttl="60" stacksize="1048576" guardsize="0"/>
  <Handler base="service/local">
    <Engine type="dso" lib="spf_dso"/>
    <Engine type="perl" lib="spf_perl"/>
  </Handler>
  <SSL b.changed="1" i.reneg_dos_protection="0"/>
</Unifi>


Then have a look at the client.log and it will probably give you more
information about what is going wrong.



Casper
0 Likes
Micro Focus Expert

Re: Error (5) accepting SSL connection

I suspect that the "nri-tz-arclog" Agent has fallen out of registration with the PAM Manager. Please verify registration, see if Agent appears in Hosts Console, if it is found to be offline, etc. Try re-registering the Agent with the same name, etc. to Manager.

If there is trouble in registering the Agent, then the following resource should help:
https://support.microfocus.com/kb/doc.php?id=7017967
0 Likes
aitcrajesh
New Member.

Re: Error (5) accepting SSL connection

tdharris;2499016 wrote:
I suspect that the "nri-tz-arclog" Agent has fallen out of registration with the PAM Manager. Please verify registration, see if Agent appears in Hosts Console, if it is found to be offline, etc. Try re-registering the Agent with the same name, etc. to Manager.

If there is trouble in registering the Agent, then the following resource should help:
https://support.microfocus.com/kb/doc.php?id=7017967


Hi tdharris,

We have configured SSH/telnet from credential vault. We have not installed any PAM agent on it.

Note: We have done Access Manager SSO in this. Is that the cause? When I'm launching SSH/telnet from PAM/myaccess it is working, but when launching SSH/telnet from PAM/myaccess via Access Manager SSO it shows me an error for unable to launch.
0 Likes
Micro Focus Expert

Re: Error (5) accepting SSL connection

Then as cpedersen suggested, enabling the client log may help identify an issue in the connection:
https://support.microfocus.com/kb/doc.php?id=7021106
0 Likes
Micro Focus Contributor

Re: Error (5) accepting SSL connection

On 30.04.19 23:54, tdharris wrote:
>
> Then as cpedersen suggested, enabling the client log may help identify
> an issue in the connection:
> https://support.microfocus.com/kb/doc.php?id=7021106
>
>


Hi Tyler,

Thanks for the link to the TID.


Casper
0 Likes