Highlighted
Knowledge Partner
Knowledge Partner
76 views

iManager 3.1.4 CEF audit with SSL fails

Documentation here:

Enabling CEF Auditing in iManager

Would seem to say that you can do CEF over TCP/SSL with a JKS keystore. You can't, at least as of iManager 3.1.4. You can do CEF over TCP/SSL, but you have to make a pkcs12 keystore.

 

   <appender class="com.novell.imanager.logging.syslog.impl.IManCEFlogAppender" name="CEFSyslog">
    <param name="Facility" value="user"/>
     <!--Uncomment and provide the required ip address and port format: IP address:Port -->
    <param name="syslogHost" value="10.1.1.3:1443"/>
    <param name="syslogProtocol" value="ssl"/>
    <param name="syslogSslKeystoreFile" value="/etc/opt/novell/sentinel.p12"/>
    <param name="syslogSslKeystorePassword" value="changeit"/>
    <param name="Threshold" value="INFO"/>
    <layout class="org.apache.log4j.PatternLayout">
             <param name="ConversionPattern" value="%d{MMM dd yyyy HH:mm:ss} %m%n"/>
    </layout>
   </appender>

 

 

Get your destination's certificate with:

 

openssl s_client -connect 10.1.1.3:1443 -showcerts < /dev/null | openssl x509

 

 

Then import it in to a PKCS12 keystore with:

 

keytool -import -file sentcert.b64 -keystore sentinel.p12 -storepass changeit -storetype PKCS12 -alias sentinel

 

 

If you try to use a JKS keystore, catalina.out shows this:

 

Initializing Syslog Appender...
Syslog Protocol -->ssl, Syslog Host --> 10.1.1.3:1443
Error while configuring Syslog Appender, DerInputStream.getLength(): lengthTag=109, too big.

 

 

Apparently the underlying Java (?) libraries now assume you are using PKCS12 keystores, whether you are or not. There is supposed to be a way to tell them that it is a JKS format keystore, but there doesn't seem to be any way to get Tomcat to do that, at least not that I've found. If you feed a JKS keystore to code expecting PKCS12, you get "DerInputStream too big" errors.

Feature? Bug? I don't know. Somebody should probably fix this.

Labels (1)
0 Likes
1 Reply
Knowledge Partner
Knowledge Partner

Re: iManager 3.1.4 CEF audit with SSL fails

Credit to the posts here:
Java APNS Certificate Error with “DerInputStream.getLength(): lengthTag=109, too big.
for pointing out JKS -> PKCS12 conversion may help with this error.

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.