frankabhinav Super Contributor.

PUM driver

I am trying to configure the PUM UserGroup (UG), which defines the users' membership that gets privileged access on the servers.

The following configuration is done in iManager:

Driver module
JAVA : com.netiq.nds.dirxml.driver.pum.PUMDriverShim

Application Authentication

ID: admin
connection information:192.168.1.xxxx


When I trace the log:

[12/15/17 19:21:11.631]:pam.log ST:PUM Driver: PUMInterface.OpenPUMConnection(): Connecting to the PUM server
[12/15/17 19:21:11.636]:pam.log ST:PUM Driver: PUMInterface.openPUMConnection() :: Failed to establish connection with PUM server
[12/15/17 19:21:11.637]:pam.log ST:SubscriptionShim.execute() returned:
[12/15/17 19:21:11.638]:pam.log ST:
<nds dtdversion="2.0" ndsversion="8.x">
<source>
<product build="201408010455" instance="PUM Driver" version="4.0.2.1">Identity Manager Driver for Privileged User Manager</product>
<contact>NetIQ Corporation</contact>
</source>
<output>
<status event-id="query-driver-ident" level="retry">SubShim.execute(): Not connected to PUM server.</status>
</output>
</nds>
[12/15/17 19:21:11.641]:pam.log ST:Requesting 30 second retry delay.


That is why I don't see the Roles and Resources > Configure Roles and Resources Settings > Role/Resource Catalog list for entitlement selection.

I don't know if I have to put https://192.168.1.xxxx in the connection information, or if there is some other configuration I'm missing.

Re: PUM driver

We would probably need to see the full IDM driver config startup trace,
without redacting IP addresses (they're private anyway so they are
meaningless to anybody but you), in order to help.

The PUM driver config documentation shows just an IP or DNS name, so
presumably what you said you entered should be fine:

https://www.netiq.com/documentation/privileged-account-manager-3/npum_driver/data/bez2t2y.html

The connection failure happens immediately, so I would probably make sure
that you have the right address in there, and that you are able, from the
IDM engine where you ran this, to make the connection to the PUM machine.

If everything seems right, perhaps watch for new connections going out
from the IDM engine machine to see where they are trying to go and how the
network, including the target system, responds to those. An easy way to
do this is with tcpdump on the IDM engine box:


sudo /usr/sbin/tcpdump -n -s 0 -i any host 192.168.1.xxx #fill in the IP


You should see any traffic that involves the host mentioned there on the
screen, and while you will not have a lot of details, you probably do not
need much to at least ensure packets are flowing. If that shows data, but
you still see a failure in trace, then we probably need to get higher
trace level (trace level five (5) is a good start per the documentation)
and then write the tcpdump output to a file for us to review:


sudo /usr/sbin/tcpdump -n -s 0 -i any -v -w /tmp/pam.cap host 192.168.1.xxx



--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
frankabhinav Super Contributor.

Re: PUM driver

Thanks AB!

After diagnosis, we found that the driver is trying to connect to PUM on 443, but without SSL.

Tue Dec 19 19:34:36 2017, 624, 3884312320, 2229, Info, Error (5) accepting SSL connection from 192.168.1.197
Tue Dec 19 19:34:36 2017, 624, 3884312320, 2229, Info, SSL_accept: error syscall 0
Tue Dec 19 19:34:36 2017, 625, 4011161344, 2229, Info, Error (5) accepting SSL connection from 192.168.1.197
Tue Dec 19 19:34:36 2017, 625, 4011161344, 2229, Info, SSL_accept: error syscall 0
Tue Dec 19 19:34:38 2017, 471, 4011161344, 2229, Info, Error (1) accepting SSL connection from 192.168.1.113
Tue Dec 19 19:34:38 2017, 471, 4011161344, 2229, Warning, SSL_accept: error ssl
Tue Dec 19 19:34:38 2017, 471, 4011161344, 2229, Info, SSL Error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher


Can you please help me identify the following:
- Which SSL cert to import in driver from PUM server?
- Which connection parameter to be used to specify the imported certificate file?
- Where to import SSL cert from PUM server?

Thanks for your response.

Re: PUM driver

On 12/19/2017 07:14 AM, frankabhinav wrote:
>
> After diagnosis, we found that driver trying to connect with PUM on 443
> but without SSL.


The documentation states that HTTPS is the only mechanism used, so it
would seem that IDM is at least trying TLS/SSL, though a LAN trace to
verify that would be nice.

https://www.netiq.com/documentation/privileged-account-manager-3/npum_driver/data/bu7c0qs.html#bueow4x

Also having the trace from the shim (Remote Loader (RL) usually) may help
us see exactly what is going wrong; the shim has levels up to five (5) so
going up that high may get us something useful.

> Can you please help me to identify the followings
> - Which SSL cert to import in driver from PUM server?
> - Which connection parameter to be used to specify the imported
> certificate file?
> - Where to import SSL cert from PUM server?


Maybe you have already grabbed IDM traces, or LAN/wire traces, and that is
why you think there is a TLS/SSL trust issue. If that is the case, some
driver configs have places where you can point to a PEM or truststore
object specific to that particular shim, which is nice, but I do not see
that in the documentation here. Instead you can import the Certificate
Authority (CA) certificate for the PAM/PUM system into the 'cacerts' file
(default JRE truststore) used by IDM. This exists at
/opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts by
default, and as its path may imply this is owned by the IDM packages, so
anytime you upgrade the engine or RL you will need to be sure your
certificate is still in there.

It is typically best to import CA certificates, but I do not know if your
PAM/PUM system actually has a valid CA, or if it is just using a
self-signed certificate for its HTTPS connection. If so, that self-signed
certificate could be used too, though that means anytime you change that
out for anything else you will break the driver's connection, so be sure
you are ready to import the appropriate CA to the IDM side whenever you do
that.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
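An added example, not code from the thread or from the NetIQ driver, that checks from the IDM engine the three things the replies above separate: whether the PUM host is reachable at all (the tcpdump step), whether a TLS handshake completes on 443 (the "443 but without SSL" symptom), and whether the presented certificate chain is trusted by a given CA bundle (the cacerts question). `192.168.1.xxx` is the thread's placeholder, and the `cafile` argument is an assumption standing in for whichever truststore you want to test against.

```python
# Added example: reproduce, stage by stage, the HTTPS connection the PUM shim makes,
# so a "Not connected to PUM server" retry can be pinned to TCP, TLS or trust.
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    stage: str    # "tcp", "tls", "trust" or "ok": the first stage that failed
    detail: str   # error text, or negotiated protocol/cipher when stage == "ok"


def probe_pum(host: str, port: int = 443, cafile: Optional[str] = None,
              timeout: float = 5.0) -> ProbeResult:
    """cafile: PEM bundle to trust (assumption); None uses Python's default store.
    The IDM engine itself trusts the JRE 'cacerts' file named in the post."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                           # refused, unreachable, timed out
        return ProbeResult("tcp", f"{type(exc).__name__}: {exc}")
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ProbeResult("ok", f"{tls.version()} {tls.cipher()[0]}")
    except ssl.SSLCertVerificationError as exc:      # chain or hostname not trusted
        return ProbeResult("trust", str(exc))
    except (ssl.SSLError, OSError) as exc:           # peer spoke plaintext, no shared
        return ProbeResult("tls", f"{type(exc).__name__}: {exc}")  # cipher, reset...
    finally:
        raw.close()


def presented_cert_fingerprint(host: str, port: int = 443) -> str:
    """SHA-256 of the leaf certificate the PUM host presents, fetched without
    verification, so it can be compared with what the PAM admin says is installed
    before anything is imported into a truststore."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.xxx"   # placeholder
    result = probe_pum(target, cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print(f"{result.stage}: {result.detail}")
```

A "trust" result is the case where the CA that issued the presented certificate (or the self-signed certificate itself) has to be imported into the cacerts file named above, for example with `keytool -importcert`; a "tls" result means trust is not yet the problem and the wire trace is the next step.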