Environment
Novell Identity Manager 3.5.1
Novell Identity Manager 3.5
Situation
When trying to add a server to an existing driver set, or when trying to add a new driver set to a new server, the following errors are shown in DirXML and adding the server fails.
DirXML Log Event -------------------
Status: Error
Message: (-9940) An error occurred while unwrapping encryption key for AES: failed, -1418 (0xfffffa76).
DirXML Log Event -------------------
Status: Error
Message: (-9935) An error occurred while attempting to read encryption key for AES: failed,-1418 (0xfffffa76).
DirXML Log Event -------------------
Status: Error
Message: (-9940) An error occurred while unwrapping encryption key for RSA: failed, -1418 (0xfffffa76).
DirXML Log Event -------------------
Status: Error
Message: (-9935) An error occurred while attempting to read encryption key for RSA: failed,-1418 (0xfffffa76).
DirXML Log Event -------------------
Status: Error
Message: (-9993) An error occurred initializing DirXML subsystem 'wire data decryption': failed, -1418 (0xfffffa76).
Resolution
These errors are reported if the DirXML-ServerKeys attribute value on the pseudoServer object is invalid. This attribute is new to Identity Manager 3.5.
When the DirXML-ServerKeys attribute is invalid, IDM cannot function.
When moving a DIB or DIBClone between servers, the NICI files that belong to the source server must accompany the DIB. (NetWare: sys:\system\nici; Windows: windows\system32\novell\nici; Linux: /var/novell/nici)
To solve the problem, contact Novell Customer Support so that they can use the DSDump utility to remove the hidden attribute (the attribute value on the pseudoServer cannot be seen using iMonitor). IDM will then regenerate the key. Also, do not try to use DXCMD to regenerate the DirXML keys, because this will core eDirectory.
In the case of a DIBClone, ensure the NICI files from the source server are copied to the destination server before starting eDirectory on the destination server. If practical in terms of time and DIB size, redo the DIBClone process; delete the NCP Server object for the DIBCloned server and create a new DIBClone.
- The assumption is that under some circumstances the attribute is invalid due to the DIBClone process
- The problem will occur when using NICI files which do not belong to the DIB
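A triage helper for the log events in the Situation section, as an added example that is not Novell's code: it parses messages in the layout quoted there and reports whether the full pattern is present (-9940 and -9935 for both AES and RSA, plus -9993, all with inner code -1418). The function names are assumptions of the example, and the sample text is assembled from the messages quoted in this document.

```python
import re

# "Message:" layout as quoted in this document; \s* after "failed," accepts
# both "failed, -1418" and "failed,-1418".
MSG_RE = re.compile(
    r"Message:\s*\((?P<event>-\d+)\)\s*(?P<text>.+?):\s*failed,\s*"
    r"(?P<code>-\d+)\s*\((?P<hex>0x[0-9a-fA-F]{8})\)"
)
KEY_RE = re.compile(r"encryption key for (\w+)")


def parse_events(log_text):
    """One dict per error message; lines whose hex and decimal codes disagree are skipped."""
    events = []
    for m in MSG_RE.finditer(log_text):
        code = int(m["code"])
        if int(m["hex"], 16) != code & 0xFFFFFFFF:  # hex is the 32-bit two's complement
            continue
        key = KEY_RE.search(m["text"])
        events.append({"event": int(m["event"]), "code": code,
                       "key_type": key.group(1) if key else None})
    return events


def diagnose(log_text, inner_code=-1418):
    """Report whether -9940 and -9935 occur for both AES and RSA, together with -9993."""
    seen = {(e["event"], e["key_type"]) for e in parse_events(log_text)
            if e["code"] == inner_code}
    key_types = sorted({k for ev, k in seen if ev in (-9940, -9935) and k})
    complete = all((ev, k) in seen for ev in (-9940, -9935) for k in ("AES", "RSA"))
    subsystem_down = (-9993, None) in seen
    return {"key_types": key_types, "subsystem_down": subsystem_down,
            "matches_pattern": complete and subsystem_down}


# Sample input assembled from the messages quoted in this document.
SAMPLE = """\
DirXML Log Event -------------------
Message: (-9940) An error occurred while unwrapping encryption key for AES: failed, -1418 (0xfffffa76).
Message: (-9935) An error occurred while attempting to read encryption key for AES: failed,-1418 (0xfffffa76).
Message: (-9940) An error occurred while unwrapping encryption key for RSA: failed, -1418 (0xfffffa76).
Message: (-9935) An error occurred while attempting to read encryption key for RSA: failed,-1418 (0xfffffa76).
Message: (-9993) An error occurred initializing DirXML subsystem 'wire data decryption': failed, -1418 (0xfffffa76).
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A log that shows only part of the pattern (for example, AES failures without the RSA and -9993 events) returns `matches_pattern: False`, so it is not automatically attributed to the DirXML-ServerKeys cause described here.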
This problem has been reported to development.