SSL handshake failed with eDirectory Driver

  • 3948372
  • 12-Jun-2007
  • 14-Jan-2014

Environment

Novell Identity Manager 3.0.1
Novell eDirectory 8.7.3.9
Novell eDirectory 8.7.3.8

Situation

Errors:
RSA_NICI_PUBLIC_ENCRYPT
error:14098077 14098077 -14098077
SSL_ERROR_SYSCALL
RSA_NICI_PUBLIC_ENCRYPT
SSL handshake failed
After creating certificates for the eDirectory-to-eDirectory driver with the NDS-to-NDS Driver Certificates wizard, the following error messages were received.
SUBSCRIBER SIDE

DirXML Driver for eDirectory
Novell, Inc.

java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL, error:14098077:SSL routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:bad rsa encrypt, error:040CC0CC:rsa routines:RSA_NICI_PUBLIC_ENCRYPT:NICI encrypt/decrypt init failed

PUBLISHER SIDE

DirXML Driver for eDirectory
Novell, Inc.

java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL

Removing the certificate from the Authentication field (leaving it blank) in the properties of both drivers allowed the driver to start and then sync; however, "Missing decryption key for sensitive data" errors were received during synchronization because the SSL certificates were not being used. This tells us there was communication between the servers. The "Missing decryption key for sensitive data" errors are normal when certificates are not in use.
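As an added triage helper (not part of this TID or of the driver), the following Python parses the OpenSSL-style `error:code:library:function:reason` tokens from a driver trace line and maps each line to the situations described above; the sample trace lines are constructed from the messages quoted in this TID and the category names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# OpenSSL-style error token as it appears in the driver trace:
#   error:<hex code>:<library>:<function>:<reason>
# Tokens are comma-separated, so a reason runs up to the next comma.
OPENSSL_ERR = re.compile(r"error:([0-9A-Fa-f]+):([^:,]+):([^:,]+):([^,]+)")


@dataclass
class SslError:
    code: str
    library: str
    function: str
    reason: str


def parse_openssl_errors(line: str) -> List[SslError]:
    """Extract every error:code:lib:func:reason token from one trace line."""
    return [SslError(*m.groups()) for m in OPENSSL_ERR.finditer(line)]


def classify(line: str) -> str:
    """Map one trace line to a triage category (category names are my own).

    nici-key-mismatch : NICI encrypt/decrypt init failed in the RSA step of the
                        handshake; this TID resolves it by recreating the certificates
    peer-closed       : bare SSL_ERROR_SYSCALL, as logged on the publisher side;
                        the detailed reason was in the subscriber-side trace
    no-certificate    : expected when the Authentication field is left blank
    """
    errs = parse_openssl_errors(line)
    if any(e.function == "RSA_NICI_PUBLIC_ENCRYPT" for e in errs):
        return "nici-key-mismatch"
    if "SSL handshake failed" in line and "SSL_ERROR_SYSCALL" in line:
        return "peer-closed"
    if "Missing decryption key for sensitive data" in line:
        return "no-certificate"
    return "other"


# Constructed sample trace lines, taken from the messages quoted in this TID.
SUBSCRIBER_LINE = ("java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL, "
                   "error:14098077:SSL routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:bad rsa encrypt, "
                   "error:040CC0CC:rsa routines:RSA_NICI_PUBLIC_ENCRYPT:NICI encrypt/decrypt init failed")
PUBLISHER_LINE = "java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL"
SYNC_LINE = "Missing decryption key for sensitive data"


def triage(trace: Dict[str, str]) -> Dict[str, str]:
    """Classify one trace line per driver side, e.g. {'subscriber': ..., 'publisher': ...}."""
    return {side: classify(line) for side, line in trace.items()}


if __name__ == "__main__":
    for side, cat in triage({"subscriber": SUBSCRIBER_LINE, "publisher": PUBLISHER_LINE}).items():
        print(f"{side}: {cat}")
```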

Resolution

1. Make sure you are running the current and same eDirectory version on both eDirectory servers running the drivers in both trees (this is not required by IDM, but it facilitates troubleshooting since it allows the next step).
2. Make sure you are running the current NICI version on both servers (again, IDM supports different NICI versions on the two sides, but since testing is more intensive on the latest versions, this troubleshooting step might be necessary). NICI is currently found in the Security Services update.
3. Try re-running the NDS-to-NDS Driver Certificates wizard.
If that still fails, here are three additional options:
1. Launch iManager from the other eDirectory server in the other tree you are syncing, then run the NDS-to-NDS Driver Certificates wizard from that tree.
2. Create the certificates using Designer for Identity Manager.
3. Create the certificates manually with ConsoleOne or iManager. This process is documented in the Novell documentation for the eDirectory Driver and in KB 3578820 - Manually creating NDS-to-NDS eDirectory Driver Certificates with ConsoleOne.