How to uninstall and reinstall SSLVPN services on the Linux Access Gateway

  • 3272160
  • 10-Oct-2007
  • 26-Apr-2012

Environment


Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 SSLVPN Server

Situation

SSLVPN installation during the Linux Access Gateway install failed. The installation logs for SSLVPN indicate that the required certificates were not created. SSLVPN will not function from this point on.

Resolution

When an administrator installs the Linux Access Gateway, the SSLVPN RPMs (novl-sslvpn*) are installed by default. The SSLVPN device appears in the Access Administrator only once the SSLVPN services have been enabled, either through the SSLVPN options at install time or later with the lagconfigure shell script (in the /chroot/lag/opt/novell/bin directory). The script that enables the services also creates the stunnel default certificate and the SSLVPN device keystore. Unlike the SSLVPN server shipped on the Identity Server CD, there is no uninstall script that removes all the SSLVPN components.

To cleanly remove the SSLVPN server from a Linux Access Gateway, do the following:

1. Stop all SSLVPN services on the LAG with the 'sslvpnc --down' command.
2. Remove the SSLVPN device from the Access Administrator.
3. Use rpm -e to remove the novl-sslvpn* packages.

For example, use rpm -qa|grep -i sslvpn to find the package names, as shown below:

mylag:~ # rpm -qa|grep -i sslv
novl-sslvpn-servlet-3.0.0-100
novl-sslvpn-3.0.0-73

Then use rpm -e to remove each package:

rpm -e novl-sslvpn-servlet-3.0.0-100 novl-sslvpn-3.0.0-73

4. On the Access Administration server, run /opt/novell/devman/bin/ambkup.sh to back up the configuration in case it has to be restored.

5. Using an LDAP browser (e.g. http://www-unix.mcs.anl.gov/~gawor/ldap/), browse the configuration store of your Access Manager setup. Make sure that the secure LDAP connection method is used. Then browse to the following container:

* o=novell -> accessManagerContainer -> VCDN_Root -> PartitionsContainer -> Partition -> KeyContainer

Locate all certificates whose names start with SSLVPN. Check the RomaCertXMLDoc attribute of each object to make sure that the certificate name is stunnel, or that the romaKeyStore attribute references the SSLVPN keystore.

Once located, delete all of these certificates.

* Remove any entries referring to sslvpn in the container o=novell -> accessManagerContainer -> VCDN_Root -> PartitionsContainer -> Partition -> ApplianceContainer


You should now have a completely clean Linux Access Gateway with no reference to the SSLVPN services.



To reinstall the SSLVPN services on the Linux Access Gateway, do the following:

1. Copy the novl-sslvpn* packages from the Identity Server CD (nids-agents directory) to the Linux Access Gateway.

2. Install these packages with the rpm -ivh command:

mylag:~ # rpm -ivh novl-sslvpn-servlet-3.0.0-100.i586.rpm novl-sslvpn-3.0.0-73.noarch.rpm

3. From a shell on the LAG, run the following command to configure the Access Administrator and SSLVPN settings:

yast2 sp-agent

4. In the YaST screen, enable the Onbox SSLVPN Server, enter the Administrator IP, the Access Gateway IP and the Administrator password, and click Next until the operation is finished.

5. Run the script /chroot/lag/opt/novell/bin/auto_import to import the components. This script re-imports both the LAG and the SSLVPN device.

At this stage, the SSLVPN and Access Gateway services are up and running.
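The package-handling steps of both procedures above (stop the services and rpm -e the novl-sslvpn* packages; later rpm -ivh the packages copied from the nids-agents directory) lend themselves to a small helper script. The one below is an added example and is not part of the TID or of the Novell product; it only uses the commands and package names shown in this article. The functions take their input on stdin or as a directory argument so the package filtering and the "nothing left behind" check can be exercised on captured rpm -qa output without touching the system. The configuration-store cleanup (ambkup.sh backup and the LDAP edits in the KeyContainer and ApplianceContainer) is not automated here and remains a manual step.

```shell
#!/bin/sh
# Added example (not from the TID or the product): helper functions for the
# SSLVPN remove / reinstall steps on a Linux Access Gateway.

# Print the installed novl-sslvpn* package names found in the "rpm -qa"
# output read from stdin, in the order rpm lists them.
sslvpn_installed_packages() {
    grep '^novl-sslvpn'
}

# Build the single "rpm -e" command line (step 3 of the removal) for the
# packages listed on stdin; print nothing when no SSLVPN package is installed.
sslvpn_remove_command() {
    pkgs=$(sslvpn_installed_packages | tr '\n' ' ' | sed 's/ *$//')
    if [ -n "$pkgs" ]; then
        printf 'rpm -e %s\n' "$pkgs"
    fi
    return 0
}

# Return 0 when no novl-sslvpn* package remains in the "rpm -qa" output on
# stdin, 1 otherwise (check to run after the removal).
sslvpn_is_clean() {
    if grep -q '^novl-sslvpn'; then
        return 1
    fi
    return 0
}

# Build the "rpm -ivh" command line (step 2 of the reinstall) for the
# novl-sslvpn*.rpm files copied from the nids-agents directory into "$1".
sslvpn_install_command() {
    dir=$1
    files=""
    for f in "$dir"/novl-sslvpn*.rpm; do
        [ -e "$f" ] || continue   # skip the unexpanded glob when nothing matched
        files="$files $f"
    done
    if [ -n "$files" ]; then
        printf 'rpm -ivh%s\n' "$files"
    fi
    return 0
}

# Usage on the LAG itself (run as root; the commands are the article's own):
#   sh sslvpn-helper.sh remove                 # sslvpnc --down, then rpm -e
#   sh sslvpn-helper.sh reinstall /tmp/nids-agents
# Without an argument only the functions are defined, nothing is changed.
case "${1:-}" in
    remove)
        sslvpnc --down
        pkgs=$(rpm -qa | sslvpn_installed_packages | tr '\n' ' ')
        if [ -n "$pkgs" ]; then
            rpm -e $pkgs
        fi
        if rpm -qa | sslvpn_is_clean; then
            echo "no novl-sslvpn packages remain; continue with ambkup.sh and the LDAP cleanup"
        else
            echo "novl-sslvpn packages are still installed" >&2
            exit 1
        fi
        ;;
    reinstall)
        cmd=$(sslvpn_install_command "${2:?directory holding the novl-sslvpn*.rpm files}")
        if [ -z "$cmd" ]; then
            echo "no novl-sslvpn*.rpm files found in $2" >&2
            exit 1
        fi
        $cmd
        echo "now run: yast2 sp-agent, then /chroot/lag/opt/novell/bin/auto_import"
        ;;
esac
```

The command-building functions print the rpm line rather than executing it so an administrator can review exactly which packages will be removed or installed before running the script with the remove or reinstall argument.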

Additional Information

Should be addressed in SP1.