Environment
Novell Access Management 3 Access Administration
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Support Pack 2 applied
Situation
Prior to upgrading to Access Manager 3 Support Pack 2, the Admin
Console health check showed all services as green and healthy.
Immediately after upgrading the systems to SP2, health check errors
were reported on the Admin Console when looking at the IDP server
health. The Admin Console shows an SSL-related error, but the
certificates all look good. The following is what is shown on
the Admin Console:
<exServiceHealth exServiceName="SSL Communication" exHealthStatus="Failed">
Check SSL connectivity. Possible expired SSL certificate.
SSL Communication is not operating correctly!
URL: https://idpcorp.novell.com/nidp/app/ping, Error: Connection refused
<exServiceHealth exServiceName="SSL Communication" exHealthStatus="Failed">
SSL Communication is not operating correctly!
URL: https://idpcorp.novell.com/nidp/app/ping, Error: Connection refused
Resolution
Apply nam3sp2ir1.tar.gz or any build after Support Pack 2.
Access Manager added a new health check feature in SP2 that makes this problem visible. Because some L4 switches cannot perform SSL health checks, several configurations were seen in which the heartbeat (configured for HTTP) succeeded because it ran on TCP 8080, while the SSL listener on TCP 8443 was dead. The goal of the new health check is to catch this case, where SSL has died but the heartbeat keeps returning success.
If the IDP server hears no SSL traffic within a 5-minute interval, the health check code sends a ping request to its own SSL listener (the /nidp/app/ping URL shown in the error above). If this returns successfully, all is well; otherwise the server assumes that the SSL listener is down. The request is built from the base URL defined for the IDP server, so the IDP server must be able to resolve its own DNS name; if it cannot, SSL is assumed to be dead. Note that "Connection refused" in the error above is a TCP-level failure reported before any certificate is examined, which is why the certificates can look fine while the check still fails.
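The following script is an example added here to illustrate the check described above; it is not part of the TID or of Access Manager. It performs the same four steps the SP2 health check performs, one at a time, so that an administrator on the IDP box can see which step fails: local resolution of the base URL host, the TCP connect to the SSL listener, the TLS handshake (where an expired or untrusted certificate would show up), and the HTTP response to /nidp/app/ping. The script name, the status strings it returns, the injectable resolver argument, and the assumption that the base URL carries port 8443 are all the example's own.

```python
"""Added example (not part of the Novell TID or of Access Manager):
reproduce the SP2 IDP SSL self-check step by step from the command line.

The SP2 health check fetches <baseURL>/nidp/app/ping over HTTPS when the
IDP has seen no SSL traffic for 5 minutes. This script performs the same
steps one at a time so an administrator can see which one fails. The
status strings are this script's own naming, not product output.
"""
import socket
import ssl
import sys
from urllib.parse import urlparse

PING_PATH = "/nidp/app/ping"   # ping URL reported by the Admin Console


def check_idp_ssl(base_url, timeout=5.0, resolver=socket.getaddrinfo, verify=True):
    """Return (status, detail) for the SSL listener behind base_url.

    status is one of: bad_url, dns_failure, connection_refused, tcp_failure,
    cert_error, tls_failure, bad_response, ok.
    resolver is injectable so the DNS step can be exercised offline.
    """
    parsed = urlparse(base_url)
    host = parsed.hostname
    port = parsed.port or 443
    if not host:
        return ("bad_url", f"no host in {base_url!r}")

    # Step 1: the IDP must be able to resolve its own base URL host name;
    # SP2 treats a resolution failure as "SSL is dead".
    try:
        addrs = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns_failure", f"cannot resolve {host}: {exc}")
    family, _, _, _, sockaddr = addrs[0]

    # Step 2: plain TCP connect to the SSL listener (TCP 8443 in the TID).
    # "Connection refused" here means nothing is listening; no certificate
    # has been looked at yet.
    try:
        sock = socket.socket(family, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(sockaddr)
    except ConnectionRefusedError as exc:
        return ("connection_refused", f"{host}:{port} ({sockaddr[0]}): {exc}")
    except OSError as exc:
        return ("tcp_failure", f"{host}:{port} ({sockaddr[0]}): {exc}")

    # Step 3: TLS handshake. With verify=True an expired or untrusted
    # certificate is reported separately from a dead listener.
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except ssl.SSLCertVerificationError as exc:
        sock.close()
        return ("cert_error", str(exc))
    except (ssl.SSLError, OSError) as exc:
        sock.close()
        return ("tls_failure", str(exc))

    # Step 4: GET the ping URL over the established session and read the
    # HTTP status line only; anything but 200 is treated as a failed ping.
    try:
        tls.sendall(f"GET {PING_PATH} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        data = b""
        while b"\r\n" not in data:
            chunk = tls.recv(4096)
            if not chunk:
                break
            data += chunk
    except OSError as exc:
        return ("bad_response", f"request failed: {exc}")
    finally:
        tls.close()
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    if code == 200:
        return ("ok", status_line)
    return ("bad_response", status_line or "empty reply")


def unused_local_port():
    """Pick a TCP port on 127.0.0.1 that nothing listens on, to demonstrate
    the connection_refused case without a real IDP (test helper)."""
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]


if __name__ == "__main__":
    # Usage: python idp_ssl_check.py https://idpcorp.novell.com:8443 [--insecure]
    # The :8443 port and the --insecure flag are assumptions of this example.
    url = sys.argv[1] if len(sys.argv) > 1 else "https://idpcorp.novell.com:8443"
    result, detail = check_idp_ssl(url, verify="--insecure" not in sys.argv)
    print(f"{result}: {detail}")
    sys.exit(0 if result == "ok" else 1)
```

Run it on the IDP server itself with the configured base URL, because the health check resolves and connects from that host; running it from an administrator workstation only proves that the workstation can reach the listener. A result of connection_refused with a valid certificate is exactly the symptom in the Situation above and points at the listener, not at the keystore.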