Environment
Novell Access Management 3 Access Administration
Novell Access Management 3 Linux Access Gateway
Novell Access Management 3 Linux Novell Identity Server
Situation
The administrator installed an Administrator Console and an Identity
Server (IDP) on the same host; the install completed successfully.
The administrator then went into the Administrator Console, defined an IDP
configuration and assigned it to that server. As soon as this was done,
health check errors were displayed against the user store replica. The
user store in question was an Active Directory server reached over
LDAPS (ldaps://10.1.10.1 in the trace below).
The catalina.out log files (/var/opt/novell/tomcat4/logs) on the IDP server showed the following key entries:
Jun 5, 2007 12:41:20 PM com.novell.nidp.logging.NIDPLog trace
FINEST: NIDP TRACE EXCEPTION LOG (Thread: USCreateConnectionThread-f2klly62ddk8):
AuthenticationException: Connection: f2klmobjnm539, Attempting to create InitialDirContext for replica: cashell AD Server
Exception message: "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece"
LdapCtx.java, Line: 2988, Method: mapErrorCode
LdapCtx.java, Line: 2934, Method: processReturnCode
LdapCtx.java, Line: 2735, Method: processReturnCode
LdapCtx.java, Line: 2649, Method: connect
LdapCtx.java, Line: 290, Method:
LdapCtxFactory.java, Line: 175, Method: getUsingURL
LdapCtxFactory.java, Line: 193, Method: getUsingURLs
LdapCtxFactory.java, Line: 136, Method: getLdapCtxInstance
LdapCtxFactory.java, Line: 66, Method: getInitialContext
NamingManager.java, Line: 662, Method: getInitialContext
InitialContext.java, Line: 243, Method: getDefaultInitCtx
InitialContext.java, Line: 219, Method: init
InitialLdapContext.java, Line: 133, Method:
y, Line: 399, Method:
y, Line: 1065, Method: doOperation
y, Line: 3472, Method: run
Jun 5, 2007 12:41:20 PM com.novell.nidp.logging.NIDPLog trace
FINEST: NIDP TRACE EXCEPTION LOG (Thread: RMI TCP Connection(1)-127.0.0.1):
Attempting to create ldap connections for replica pool with id: PLf2klmm1nm0b2y:f2klmm1nqn02x, Filling deficit #9, Replica Host:ldaps://10.1.10.1, User: cn=PROXY_USER,dc=novell.com
Exception message: "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece
Resolution
Two changes were required to fix this:
1. Import the trusted root certificate of the secure LDAP (LDAPS) server and assign it to the NIDP-truststore trusted root store. This clears the certificate warning. It does not by itself clear the bind failure: the error 49 above is a result returned by the directory after the TLS session is already up, so a trust store fix alone leaves it in place.
2. The proxy user DN contained dc=novell.com. In an LDAP DN, dc= is a domain component (one per DNS label), not a dotted DNS name, so Active Directory could not locate the bind user. This is what the trace reports: for an error 49, AD appends a sub-code in the "data" field, and data 525 means "user not found" (a correct DN with a wrong password would instead give data 52e). The DN was corrected to use the domain's naming context (Novell), not the DNS domain novell.com.
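The following Python script is an added diagnostic; it is not part of this TID or of the Novell product. It decodes the "data NNN" sub-code that Active Directory appends to an LDAP error 49 (the standard AcceptSecurityContext reasons: 525 user not found, 52e bad password, 533 account disabled, and so on) and flags a bind DN whose dc= value is a dotted DNS name, which is exactly the combination seen in the trace above. The embedded sample log consists of the two key lines from that trace. The DN cn=PROXY_USER,cn=Users,dc=novell,dc=com used to show a well-formed DN is an assumption for illustration only; where the real proxy account lives depends on the directory. The script only applies the general rule that each DNS label becomes its own dc= RDN.

```python
import re
import sys

# Sub-codes Active Directory reports in the "data NNN" field of an LDAP
# result 49 (invalidCredentials) with comment "AcceptSecurityContext error".
AD_BIND_SUBCODES = {
    "525": "user not found: the bind DN does not resolve to an object",
    "52e": "invalid credentials: DN is valid, password is wrong",
    "530": "not permitted to logon at this time",
    "531": "not permitted to logon from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

ERROR49_RE = re.compile(
    r"LDAP: error code 49 - 80090308.*?AcceptSecurityContext error, "
    r"data (?P<data>[0-9A-Fa-f]+)"
)
# The IDP logs the bind identity as "User: <dn>" at the end of the replica-pool line.
BIND_USER_RE = re.compile(r"User: (?P<dn>.+?)\s*$")

# Sample input: the two key lines from the catalina.out trace in this TID.
SAMPLE_LOG = (
    "Attempting to create ldap connections for replica pool with id: "
    "PLf2klmm1nm0b2y:f2klmm1nqn02x, Filling deficit #9, Replica Host:"
    "ldaps://10.1.10.1, User: cn=PROXY_USER,dc=novell.com\n"
    'Exception message: "[LDAP: error code 49 - 80090308: LdapErr: '
    "DSID-0C09030F, comment: AcceptSecurityContext error, data 525, vece\n"
)


def decode_error49(line):
    """Return (sub-code, meaning) for an AD error-49 line, or None if it is not one."""
    m = ERROR49_RE.search(line)
    if m is None:
        return None
    code = m.group("data").lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown AcceptSecurityContext sub-code")


def dns_domain_to_dc(domain):
    """Render a DNS domain as LDAP domain components: one dc= RDN per label."""
    labels = [label for label in domain.strip(".").split(".") if label]
    return ",".join("dc=" + label for label in labels)


def check_bind_dn(dn):
    """Flag dc= RDNs that hold a dotted DNS name instead of a single label."""
    problems = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "dc" and "." in value:
            problems.append(
                "dc=%s is a dotted DNS name; a dc= value is one label, "
                "e.g. %s" % (value, dns_domain_to_dc(value))
            )
    return problems


def diagnose(log_text):
    """Scan catalina.out text and return one finding per AD error-49 line.

    The bind DN is taken from the most recent "User: <dn>" line, which the
    IDP writes just before the exception message it belongs to.
    """
    findings = []
    last_dn = None
    for line in log_text.splitlines():
        m = BIND_USER_RE.search(line)
        if m:
            last_dn = m.group("dn")
        decoded = decode_error49(line)
        if decoded is None:
            continue
        code, meaning = decoded
        findings.append({
            "subcode": code,
            "meaning": meaning,
            "dn": last_dn,
            "dn_problems": check_bind_dn(last_dn) if last_dn else [],
        })
    return findings


if __name__ == "__main__":
    # Usage: python diagnose.py [/var/opt/novell/tomcat4/logs/catalina.out]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in diagnose(text):
        print("error 49 data %s: %s" % (f["subcode"], f["meaning"]))
        print("  bind DN: %s" % f["dn"])
        for p in f["dn_problems"]:
            print("  DN problem: %s" % p)
```

Run against the sample, the script reports data 525 as "user not found" and points at dc=novell.com as the malformed component; a well-formed DN such as the assumed cn=PROXY_USER,cn=Users,dc=novell,dc=com produces no DN finding, which leaves the sub-code itself (52e, 533, 775) as the next thing to check.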