Environment
NMAS Kerberos Method
Novell Key Distribution Center NKDC
Novell iManager 2.5
Novell iManager 2.6
Novell iManager 2.7
Situation
Kerberos plug-in tasks return an authentication failed error.
Resolution
Verify that LDAP is listening on the secure port. By default this is port 636. Make sure that you can bind to the secure port with an LDAP browser or ICE.
Use the DSTRACE (ndstrace on Linux) utility to view LDAP trace information and see what error is being returned.
If the error states that the CA is unknown, you will need to import the trusted root certificate from eDirectory into the Tomcat/Java keystore (the cacerts file).
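The two checks above (is anything listening on the secure port, and does the TLS handshake fail because the CA is unknown) can be scripted from the iManager host. The following is an added example, not Novell code from this TID: it connects to the LDAPS port, optionally trusts the .der root exported from eDirectory, and classifies the outcome so you know whether to look at the LDAP server configuration or at the keystore. The host name and the .der path passed on the command line are assumptions.

```python
"""Classify a secure LDAP (LDAPS) connection attempt from the iManager host.

Added example, not part of the Novell TID. Outcomes:
  ldap_not_listening  - TCP connect to the secure port failed (check the LDAP Server object / port 636)
  tls_error           - something answered, but not with TLS (or the handshake broke)
  ca_unknown          - TLS worked but the server certificate chain is not trusted (import the root into cacerts)
  hostname_mismatch   - chain trusted, but the certificate is not issued for the name you connected to
  ok                  - handshake and certificate verification succeeded
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass
class Diagnosis:
    status: str   # one of the outcomes listed in the module docstring
    detail: str   # the underlying exception text or the issuer on success


def load_trusted_root(der_path):
    """Read the trusted root certificate exported from eDirectory in .der format."""
    with open(der_path, "rb") as fh:
        return fh.read()


def diagnose_ldaps(host, port=636, trusted_root_der=None, timeout=5.0):
    ctx = ssl.create_default_context()          # system trust store + hostname checking
    if trusted_root_der is not None:
        # DER bytes go in via cadata (a PEM file would use cafile= instead).
        ctx.load_verify_locations(cadata=trusted_root_der)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                      # refused, unreachable, timed out
        return Diagnosis("ldap_not_listening", str(exc))
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
            return Diagnosis("ok", "issuer=" + issuer.get("commonName", "?"))
    except ssl.SSLCertVerificationError as exc:
        if "hostname" in str(exc).lower():
            return Diagnosis("hostname_mismatch", str(exc))
        return Diagnosis("ca_unknown", str(exc))
    except (ssl.SSLError, OSError) as exc:      # not TLS on this port, reset, EOF, ...
        return Diagnosis("tls_error", str(exc))


if __name__ == "__main__":
    import sys
    # Assumed usage: diagnose.py <ldap-host> [trusted-root.der]
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"   # placeholder host
    root = load_trusted_root(sys.argv[2]) if len(sys.argv) > 2 else None
    print(diagnose_ldaps(host, trusted_root_der=root))
```

If the result is ca_unknown with the system trust store but ok once the exported .der is passed in, the certificate chain is fine and the only missing piece is the keytool import into the Tomcat cacerts file described below; if it is ldap_not_listening, fix the LDAP Server object first, because no keystore change will help.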
Steps on NetWare:
Make sure the LDAP Server object for the server is properly linked to an SSL Certificate.
Type TCKEYGEN at the server console.
Steps on Linux:
Export the trusted root certificate for the server to .der format.
Place the .der file on the Linux server.
Type the following command at the Linux server console, replacing the location of your .der file and servername with your own values:
keytool -import -file /root/certificate.der -keystore /etc/opt/novell/java/security/cacerts -alias servername
Type changeit for the password and yes to trust the certificate.
Restart tomcat by typing:
/etc/init.d/novell-tomcat4 restart
or for iManager 2.7:
/etc/init.d/novell-tomcat5 restart
Note: The location of the keystore will vary by platform. For example on an OES2 server the keystore file will be located at /usr/lib/jvm/java-1_5_0-ibm_sr5a/jre/lib/security/cacerts. If you do not have a cacerts file in one of these locations you can search for the file and just modify the keystore location in the keytool command line.
Steps on Windows:
Export the trusted root certificate for the server to .der format.
Place the .der file on the Windows server.
Find the location of keytool.exe on the Windows server. It will most likely be in the Java JRE bin directory. Change to that directory and type the following command at the command prompt, replacing the location of your .der file, cacerts file, and servername with your own values (quote the keystore path, since it contains spaces):
keytool -import -file C:\certificate.der -keystore "C:\Program Files\Java\jre1.5.0_06\lib\security\cacerts" -alias servername
Type changeit for the password and yes to trust the certificate.
Restart the tomcat service.
Steps for iManager Workstation:
Depending on the platform you will use the same commands as listed above. The location of the cacerts file for iManager Workstation will be in the directory path where iManager Workstation is extracted.
Note: The Kerberos plug-ins also require 5 LDAP extensions on the LDAP Server object. To verify that these are present, look at the properties of the LDAP Server object in ConsoleOne, open the Other tab, expand the extensioninfo attribute and open the values to modify (be sure to cancel out of these pages so no changes are saved). There should be 5 values that end with krbpwd; they will most likely be the last 5 or near the bottom of the list. If they are not present, follow the steps outlined in the Kerberos documentation for adding these extensions to the LDAP Server object.
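The same check can be done without ConsoleOne if the LDAP Server object is exported to LDIF (for example with ldapsearch over the secure port). The following is an added example and not part of this TID: a minimal LDIF reader that handles folded and base64 values, and a check that counts the extensioninfo values ending in krbpwd. The sample LDIF is constructed and its extension identifiers are placeholders, not real eDirectory values.

```python
"""Count the krbpwd extension values on an LDAP Server object exported to LDIF.

Added example, not part of the Novell TID. Assumes the object was exported
with a tool such as ldapsearch; the sample below is constructed.
"""
import base64

KRB_SUFFIX = "krbpwd"     # the TID: "5 values that end with krbpwd"
EXPECTED_COUNT = 5


def unfold_ldif(text):
    """Join LDIF continuation lines (those starting with a space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each a dict of lower-cased
    attribute name -> list of string values. Handles comments, 'version:',
    folded lines and base64 ('::') values; URL ('<') values are not needed here."""
    entries, entry = [], {}
    for line in unfold_ldif(text) + [""]:      # trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # attr:: base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entries


def check_kerberos_extensions(entry):
    """Report whether the entry's extensioninfo holds the 5 expected krbpwd values."""
    found = [v for v in entry.get("extensioninfo", []) if v.rstrip().endswith(KRB_SUFFIX)]
    return {
        "found": found,
        "missing": max(0, EXPECTED_COUNT - len(found)),
        "ok": len(found) == EXPECTED_COUNT,
    }


# Constructed sample: "example-ext-N" are placeholders, not real extension OIDs.
# SRV1 has all 5 (one folded across two lines, one base64-encoded "x krbpwd");
# SRV2 is missing three.
SAMPLE_LDIF = """\
version: 1
# constructed sample export of two LDAP Server objects
dn: cn=LDAP Server - SRV1,o=example
objectClass: ldapServer
cn: LDAP Server - SRV1
extensionInfo: example-ext-0 other
extensionInfo: example-ext-1 krbpwd
extensionInfo: example-ext-2 krbpwd
extensionInfo: example-ext-3 krbpwd
extensionInfo: example-ext-4 krb
 pwd
extensionInfo:: eCBrcmJwd2Q=

dn: cn=LDAP Server - SRV2,o=example
objectClass: ldapServer
extensionInfo: example-ext-1 krbpwd
extensionInfo: example-ext-2 krbpwd
"""

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        report = check_kerberos_extensions(entry)
        state = "OK" if report["ok"] else "MISSING %d krbpwd value(s)" % report["missing"]
        print(entry["dn"][0], "->", state)
```

A server reported as MISSING needs the extensions added per the Kerberos documentation before the plug-in tasks will work, regardless of the keystore state.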
Additional Information
The Kerberos snap-ins require a secure LDAP connection to the server. If a secure login to LDAP cannot be established the plug-ins will fail.
The following are some suggestions for ensuring that your server is configured to allow secure LDAP connections from iManager.
Formerly known as TID# 10098955