Access Manager SSL communication healthcheck fails after upgrading to SP2

  • 3290814
  • 28-Feb-2008
  • 26-Apr-2012

Environment


Novell Access Management 3 Access Administration
Novell Access Management 3 Linux Novell Identity Server
Novell Access Management 3 Support Pack 2 applied

Situation

Prior to upgrading to Access Manager 3 Support Pack 2, the Admin Console healthcheck showed all services as green and healthy. Immediately after upgrading the systems to SP2, healthcheck errors were reported on the Admin Console when looking at the IDP server health. The Admin Console shows an SSL-related error, but the certificates all look good. The following is what is shown on the Admin Console:

<exServiceHealth exServiceName="SSL Communication" exHealthStatus="Failed">

Check SSL connectivity. Possible expired SSL certificate.
SSL Communication is not operating correctly!
URL: https://idpcorp.novell.com/nidp/app/ping, Error: Connection refused

Resolution

Apply nam3sp2ir1.tar.gz or any build after Support Pack 2.

Access Manager added a new healthcheck feature in SP2 that actually made this problem visible. Since some L4 switches cannot do SSL healthchecks, we ran into several configurations where the heartbeat (configured for HTTP) was successful because it was running on TCP 8080, but the SSL listener on TCP 8443 was dead. The goal of the new healthcheck is to catch this case, where SSL has died but the healthcheck continues to return success.

If the IDP server does not hear any SSL traffic within a 5-minute interval, the healthcheck code sends a PING to its own SSL listener. If this returns successfully, all is good; otherwise, it assumes that the SSL listener is down. This TCP ping is done using the baseURL defined for the IDP server. If the IDP server cannot resolve its own DNS name, we assume that SSL is dead.
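
The self-ping described above can fail at name resolution, at TCP connect, or in the TLS handshake, and the Admin Console reports all three as an SSL failure. The following added example (not Novell's healthcheck code; the function name `diagnose_base_url` and the stage labels are assumptions made for illustration) separates the three stages when run on the IDP server against its own base URL. It performs the handshake only and does not request `/nidp/app/ping`.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def diagnose_base_url(base_url, timeout=5.0):
    """Return (stage, detail) for the first stage at which an SSL ping fails."""
    parts = urlsplit(base_url)
    host, port = parts.hostname, parts.port or 443

    # Stage 1: can this server resolve the DNS name in its own base URL?
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns_failed", str(exc))

    # Stage 2: is anything listening? "Connection refused" surfaces here.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))

    # Stage 3: does the listener complete a TLS handshake with a valid cert?
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        return ("cert_invalid", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls_failed", str(exc))
    finally:
        raw.close()


if __name__ == "__main__":
    # Pass the base URL configured for the IDP server as the only argument.
    stage, detail = diagnose_base_url(sys.argv[1])
    print(f"{stage}: {detail}")
    sys.exit(0 if stage == "ok" else 1)
```

A `cert_invalid` result means the certificate did not validate against the local system trust store, which can also happen with an internally issued certificate whose CA is not installed there.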