Anonymous_User Absent Member.

Audit Connector SSL error since upgrading to 7.1.1.0_1158

Hello
Yesterday I upgraded my lab environment (before doing it IRL at clients).

I noticed I'm not getting any events from my eDirectory/IDM/NMAS
collectors since then.

I'm not sure why this is happening.
Do I need to restart lcache/eDir when upgrading Sentinel?

Checking the /var/opt/novell/naudit/nproduct.log on the IDM server I see
this:

***************************************************************************
Fri Nov 29 17:29:08 2013 [Novell Audit Platform Agent]: LCache could not
process event for the application Modular Authentication Service.
Reconnecting LCache Again.
Fri Nov 29 17:29:08 2013 [Novell Audit Platform Agent]: LCache could not
process event for the application Modular Authentication Service.
Reconnecting LCache Again.
Fri Nov 29 17:29:08 2013 [Novell Audit Platform Agent]: ACK Failure for nmas
Fri Nov 29 17:29:08 2013 [Novell Audit Platform Agent]: Attempting to
re-establish connection to secure log server for application Modular
Authentication Service.
Fri Nov 29 17:29:08 2013 [Novell Audit Platform Agent]: Server reports
logging protocol version: 4
Fri Nov 29 17:29:08 2013 [Novell Audit Platform Agent]: Failed SSL Handshake
Fri Nov 29 17:29:08 2013 [Novell Audit Platform Agent]: Authentication
Failure
Fri Nov 29 17:30:12 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:30:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:30:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:30:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:30:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:30:45 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:30:50 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:30:52 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:32:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:32:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:32:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:32:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:33:12 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:33:45 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:33:50 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:33:52 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:34:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:34:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:34:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:34:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:36:12 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:36:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:36:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:36:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:36:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:36:45 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:36:50 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:36:52 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: LCache could not
process event for the application eDirInst. Reconnecting LCache Again.
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: LCache could not
process event for the application eDirInst. Reconnecting LCache Again.
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: ACK Failure for
LDAPEvents
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: Attempting to
re-establish connection to secure log server for application eDirInst.
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: Server reports
logging protocol version: 4
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: LCache could not
process event for the application Modular Authentication Service.
Reconnecting LCache Again.
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: LCache could not
process event for the application Modular Authentication Service.
Reconnecting LCache Again.
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: ACK Failure for nmas
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: Attempting to
re-establish connection to secure log server for application Modular
Authentication Service.
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: Failed SSL Handshake
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: Authentication
Failure
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: Server reports
logging protocol version: 4
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: Failed SSL Handshake
Fri Nov 29 17:37:12 2013 [Novell Audit Platform Agent]: Authentication
Failure
Fri Nov 29 17:38:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:38:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:38:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:38:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:39:12 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:39:45 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:39:50 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:39:52 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:40:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:40:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:40:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:40:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:42:12 2013 [jlcache]: SocketTimeoutException with client:
DirXML^M
Fri Nov 29 17:42:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:42:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
Fri Nov 29 17:42:17 2013 [SLSConnection.authenticate()]: [INFO] SLS
reports logging protocol version (4)^M
Fri Nov 29 17:42:17 2013 [jlcache/MonitorCache]: Exception while
preparing to send data to server: Received fatal alert:
certificate_unknown^M
***********************************************************************

If I check the server0.0.log on the Sentinel server I see this:

***********************************************************************
Fri Nov 29 17:38:18 CET
2013|SEVERE|Thread-326473|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
; Exception java.security.cert.CertificateException:
Certificates does not conform to algorithm constraints;
javax.net.ssl.SSLHandshakeException; ; Caused by Certificates does not
conform to algorithm constraints; java.security.cert.CertificateException;
Fri Nov 29 17:38:18 CET
2013|SEVERE|Thread-326473|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Certificates does not conform
to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at
sun.security.ssl.ServerHandshaker.clientCertificate(Unknown Source)
at
sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown
Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown
Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at java.io.DataOutputStream.write(Unknown Source)
at
esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient(DeviceSensorAuditListener.java:949)
at
esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.handle_LE_CMD_STARTTLS(DeviceSensorAuditListener.java:666)
at
esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.performHandShake(DeviceSensorAuditListener.java:607)
at
esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.run(DeviceSensorAuditListener.java:462)
Caused by: java.security.cert.CertificateException: Certificates
does not conform to algorithm constraints
at
sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(Unknown
Source)
at
sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
at
sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(Unknown
Source)
... 14 more
*****************************************************************************

0 Likes
Anonymous_User Absent Member.

Re: Audit Connector SSL error since upgrading to 7.1.1.0_1158

Give this a shot:

Make a backup of your java.security file under
/opt/novell/sentinel/jre/lib/security like this:

Code:
--------------------
cp -a /opt/novell/sentinel/jre/lib/security/java.security \
    /opt/novell/sentinel/jre/lib/security/java.security.orig
--------------------

Next modify the original file to comment out this line:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

Restart the Sentinel server to see if that works. As a note, this is just
on one server, and this setting probably needs to be applied on all of
the Collector Manager (CM) machines in case the main server is not the one
doing Audit connector functionality. Here's a command to make the file
change for you:

Code:
--------------------
sed -i 's/^jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024/#jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024/' \
    /opt/novell/sentinel/jre/lib/security/java.security
--------------------

On my system the error messages stopped after doing this and restarting
the appropriate service.

--
Good luck.

0 Likes
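Added example (not part of the thread, and not Sentinel or JDK code): a simplified Python model of how the JRE reads the `jdk.certpath.disabledAlgorithms` line discussed above, showing which certificate attributes it rejects and that commenting the line out removes both checks. The java.security excerpts and certificate attributes are constructed; the thread does not say which attribute of the agent's certificate triggered the rejection.

```python
import re

PROPERTY = "jdk.certpath.disabledAlgorithms"
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
       "!=": lambda a, b: a != b, ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

# Constructed java.security excerpts: the default line from the thread, and the workaround.
DEFAULT_FILE = "# constructed excerpt\njdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024\n"
WORKAROUND_FILE = "# constructed excerpt\n#jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024\n"

def active_value(text, key=PROPERTY):
    """Return the uncommented value of `key`, or None if it is commented out or absent."""
    value, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is None and line.startswith(("#", "!")):
            continue                      # comment line
        line = (pending or "") + line
        if line.endswith("\\"):           # backslash continues onto the next line
            pending = line[:-1]
            continue
        pending = None
        name, sep, rest = line.partition("=")
        if sep and name.strip() == key:
            value = rest.strip()          # a later assignment overrides an earlier one
    return value

def parse_constraints(value):
    """Split 'MD2, RSA keySize < 1024' into (name, operator, size) rules."""
    rules = []
    for item in filter(str.strip, (value or "").split(",")):
        m = re.fullmatch(r"\s*(\S+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?\s*", item)
        if not m:
            raise ValueError("unrecognised constraint: %r" % item)
        name, op, size = m.groups()
        rules.append((name.upper(), op, int(size) if op else None))
    return rules

def violations(rules, sig_alg, key_alg, key_bits):
    """List the rules a certificate with these attributes would break."""
    # A signature name such as MD5withRSA is checked by its component algorithms.
    parts = {p.upper() for p in re.split(r"(?i)with|and|/", sig_alg) if p}
    hits = []
    for name, op, size in rules:
        if op is None and name in parts:
            hits.append(name)             # bare name: any use of the algorithm is refused
        elif op and name == key_alg.upper() and OPS[op](key_bits, size):
            hits.append("%s keySize %s %d" % (name, op, size))
    return hits

if __name__ == "__main__":
    # Constructed certificate attributes: (signature algorithm, key algorithm, key bits).
    samples = [("MD5withRSA", "RSA", 512), ("SHA1withRSA", "RSA", 1024),
               ("MD2withRSA", "RSA", 2048), ("SHA256withRSA", "RSA", 2048)]
    for label, text in (("default", DEFAULT_FILE), ("workaround", WORKAROUND_FILE)):
        rules = parse_constraints(active_value(text))
        for cert in samples:
            print(label, cert, violations(rules, *cert) or "accepted")
```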
Anonymous_User Absent Member.

Re: Audit Connector SSL error since upgrading to 7.1.1.0_1158

On 2013-11-29 18:39, ab wrote:
> Give this a shot:
>
> Make a backup of your java.security file under
> /opt/novell/sentinel/jre/lib/security like this:
>
> Code:
> --------------------
> cp -a /opt/novell/sentinel/jre/lib/security/java.security \
>     /opt/novell/sentinel/jre/lib/security/java.security.orig
> --------------------
>
> Next modify the original file to comment out this line:
>
> jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
>
> Restart the Sentinel server to see if that works. As a note, this is just
> on one server, and this setting probably needs to be applied on all of
> the Collector Manager (CM) machines in case the main server is not the one
> doing Audit connector functionality. Here's a command to make the file
> change for you:
>
> Code:
> --------------------
> sed -i 's/^jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024/#jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024/' \
>     /opt/novell/sentinel/jre/lib/security/java.security
> --------------------
>
> On my system the error messages stopped after doing this and restarting
> the appropriate service.
>

OK, that helped.
So, who is using that certificate? The audit connector on the Sentinel
or lcache?
0 Likes
Anonymous_User Absent Member.

Re: Audit Connector SSL error since upgrading to 7.1.1.0_1158


I too was getting the same errors and used this workaround to resolve
the issue.
bb


--
bbendily

0 Likes
Anonymous_User Absent Member.

Re: Audit Connector SSL error since upgrading to 7.1.1.0_1158

eDirectory 8.8 SP8 Patch 2 was released yesterday and I am told that it
resolves this problem for eDirectory event sources so that the workaround
in Sentinel is not necessary for them.

eDir 8.8 SP8 Patch 2 for Linux (root installs):
https://download.novell.com/Download?buildid=mvIy6f0xgh8~

eDir 8.8 SP8 Patch 2 for Linux (non-root installs):
https://download.novell.com/Download?buildid=w0C5wM3x7Kg~

--
Good luck.

0 Likes
Anonymous_User Absent Member.

Re: Audit Connector SSL error since upgrading to 7.1.1.0_1158

On 2014-05-29 15:16, ab wrote:
> eDirectory 8.8 SP8 Patch 2 was released yesterday and I am told that it
> resolves this problem for eDirectory event sources so that the workaround
> in Sentinel is not necessary for them.
>
> eDir 8.8 SP8 Patch 2 for Linux (root installs):
> https://download.novell.com/Download?buildid=mvIy6f0xgh8~
>
> eDir 8.8 SP8 Patch 2 for Linux (non-root installs):
> https://download.novell.com/Download?buildid=w0C5wM3x7Kg~
>

Hmmm I still had to perform the workaround after eDir 8.8 SP8 Patch 2.
I recently upgraded Sentinel to Version: 7.1.2.0_1218 Date: 2014-05-11
and it reset the java.security file to its default value.
0 Likes
Anonymous_User Absent Member.

Re: Audit Connector SSL error since upgrading to 7.1.1.0_1158

This is the error:

2014/06/10 23:31:55 | INFO | jvm 1 | Tue Jun 10 23:31:55 CEST
2014|SEVERE|Thread-619|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
2014/06/10 23:31:55 | INFO | jvm 1 | /192.168.0.6:59330:
Error encountered in sendClient(1): javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Certificates does not conform
to algorithm constraints
2014/06/10 23:31:55 | INFO | jvm 1 | Tue Jun 10 23:31:55 CEST
2014|SEVERE|Thread-619|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
2014/06/10 23:31:55 | INFO | jvm 1 | ; Exception
java.security.cert.CertificateException: Certificates does not conform
to algorithm constraints; javax.net.ssl.SSLHandshakeException; ; Caused
by Certificates does not conform to algorithm constraints;
java.security.cert.CertificateException;
2014/06/10 23:31:55 | INFO | jvm 1 | Tue Jun 10 23:31:55 CEST
2014|SEVERE|Thread-619|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
2014/06/10 23:31:55 | INFO | jvm 1 |
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Certificates does not conform
to algorithm constraints
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1675)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:176)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.AppOutputStream.write(AppOutputStream.java:136)
2014/06/10 23:31:55 | INFO | jvm 1 | at
java.io.DataOutputStream.write(DataOutputStream.java:88)
2014/06/10 23:31:55 | INFO | jvm 1 | at
esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient(DeviceSensorAuditListener.java:949)
2014/06/10 23:31:55 | INFO | jvm 1 | at
esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.handle_LE_CMD_STARTTLS(DeviceSensorAuditListener.java:666)
2014/06/10 23:31:55 | INFO | jvm 1 | at
esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.performHandShake(DeviceSensorAuditListener.java:607)
2014/06/10 23:31:55 | INFO | jvm 1 | at
esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.run(DeviceSensorAuditListener.java:462)
2014/06/10 23:31:55 | INFO | jvm 1 | Caused by:
java.security.cert.CertificateException: Certificates does not conform
to algorithm constraints
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:946)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:872)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(SSLContextImpl.java:807)
2014/06/10 23:31:55 | INFO | jvm 1 | at
sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1657)
2014/06/10 23:31:55 | INFO | jvm 1 | ... 13 more
2014/06/10 23:31:55 | INFO | jvm 1 |
0 Likes