Password Management Framework (PMF) Troubleshooting Guide

  • 7001450
  • 29-Sep-2008
  • 12-Jun-2012

Environment

Novell Audit
Novell eDirectory
Novell Identity Manager
Novell Modular Authentication Service (NMAS)

Situation

Troubleshooting an issue with NCCD Password Management Framework.

Resolution

Password Management Framework (PMF) Troubleshooting Guide

An operation that triggers a PMF event results in an exception being thrown: “java.lang.UnsatisfiedLinkError: no jlogevnt in java.library.path”

The PMF events can be configured to send Novell Audit events. If Novell Audit events are turned on, this exception can indicate the Novell Audit Platform Agent is not (properly) installed on the server hosting PMF.

Solution:

  • Install the Novell Audit Platform Agent on the server hosting the PMF

Solution:

  • If Novell Audit events aren't needed, you can turn off the PMF Novell Audit events either by removing each audit event from the configuration section in pmf-servlet.xml or by turning them all off in config.xml:

        <NotificationEvents>
          <EnableAuditEvents>false</EnableAuditEvents>
        </NotificationEvents>


Message “No account found with the specified user name” on lookup screen

The PMF uses the directory rights of the PmfAnonmous, PmfProxy, and Help-Desk users for lookups. This message can occur when the PMF does not have the proper rights to view the users in the directory. One technique to narrow down the possibilities is to authenticate to the directory as each of these users with a regular LDAP browser and see whether the desired user(s) show up.

This message can also occur when the SearchBase setting in the config.xml file points to a location other than where the users are actually located.

Solution:

  • Check PMF rights.

  • Check configuration in the PMF config.xml file

      Sample config.xml snippet:

        <LdapConfiguration>
          <SearchBase>ou=users,o=utopia</SearchBase>
        </LdapConfiguration>


Error “No trusted certificate found” or “Error creating SSL connection” in PMF log file

The keystore/certificate used by the PMF must be located on the web server's classpath.

Solution: If the PMF works with one of the following explicit settings, the certificate itself is valid and the next step is to troubleshoot the machine's classpath.

  • Configure the PMF to use the specific keystore/certificate located at the precise file location

      Sample config.xml snippet:

        <LdapConfiguration>
          <ServerCertificate>/PMF_TREE_CERT.der</ServerCertificate>
        </LdapConfiguration>

      Sample config.xml snippet:

        <LdapConfiguration>
          <Keystore>/cacert</Keystore>
          <KeystorePassword>changeit</KeystorePassword>
        </LdapConfiguration>


Error “Invalid RSA modulus size”

JDK 1.4 cannot handle RSA keys larger than 2048 bits. The latest installations of eDirectory create Certificate Authorities that default to a 4096-bit modulus.

Solution: Recreate the certificate authority

  • In eDirectory, delete the existing default certificate authority object

  • In eDirectory, delete the existing default certificates

  • In iManager, go to the “Novell Certificate Server” role and choose the “Configure Certificate Authority” task

    • Name the certificate authority the “{tree name} CA”

    • Choose the custom option

      • Keep defaults and click Next

      • Keep defaults and click Next

      • Keep defaults and click Next

      • Click Finish

  • In iManager, go to the “Novell Certificate Server” role and choose the “Create Default Certificates” task

    • Keep defaults and click Next

    • Click Finish

Password policy tasks not showing up in iManager

In order to configure the password policies and challenge sets, the password policy tasks must be used from iManager. If these are not showing up, it may be due to an improper installation.

Solution: Update iManager with password policy tasks

  • In iManager, log in as a user with administrative rights

  • Select the “Configure” tab

  • Choose the “iManager Server” role

    • Choose the “Configure iManager” task

    • Select the “Plug-in Download” tab

    • Choose “Show every available Novell Plug-in Module (NPM)”

  • Choose the “Plug-in Installation” role

    • Choose the “pwpolicy” module

    • Choose the “SharedContentV1” module

    • Choose the “DirXMLCommon” module

    • Click Install

  • In ICE, import the “C:\Novell\NDS\nsimpm.sch” schema file


Greater than 30 second delay when changing password via PMF

When trying to change a password, the user experiences a 30-second delay before control is returned to the browser. When PMF fires an event to LogEvent.jar, LogEvent.jar looks for a running lcache. If lcache is not running, it attempts to spawn an lcache process.

Solution:

  • The first thing to check is that lcache is running

    • It may be necessary to load lcache independently of LogEvent.jar, so an lcache init script was created; KB 3115818 documents this script. What that TID does not document is that the customer also needs to create symlinks in /etc/init.d/rc3.d and /etc/init.d/rc5.d that point back to the script at /etc/init.d/novell-lcache, then test it and make sure that lcache is running properly.

  • The second issue to check is that logevent.conf is configured properly

    • Ensure that the logevent.conf file is configured to point at the actual Nsure Audit Server (SLS)

    • One last (specific) issue to check is that the LogCachePort is configured in the logevent.cfg file.

    • The entry exists in the logevent.conf file by default, but it is commented out. Make sure to set this value explicitly (either uncomment it, or copy it to the bottom of the file). The reason: earlier versions of lcache used port 288 by default; this was changed to port 1288. The Platform Agent libraries were also coded to use port 288 by default and may not have been updated. Use netstat to verify the port lcache is using, then set LogCachePort to the same value.

    • Additional technical note: the Audit Platform Agent attempts to store every event it receives with lcache, so ANY audit event will experience the same delay.
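The three lcache checks above (start symlinks, the port lcache really listens on, and an explicit LogCachePort in logevent.conf) as shell helpers. This is an added example, not a script from the TID or from Novell; the rc directory layout, the `netstat -lntp` column order and the conf file path are assumptions to adjust for the server at hand.

```shell
#!/bin/sh
# Added example, not part of the TID: helpers for the lcache checks above.
# Assumptions: SysV rc3.d/rc5.d directories under /etc/init.d, `netstat -lntp`
# output with the PID/Program column last, and a key=value logevent.conf.

# 1. Print the rc3.d/rc5.d directories (under $1, default /etc/init.d) that
#    have no S* start symlink for the novell-lcache script.
missing_lcache_links() {
    base="${1:-/etc/init.d}"
    missing=""
    for d in "$base/rc3.d" "$base/rc5.d"; do
        ls "$d"/S*novell-lcache >/dev/null 2>&1 || missing="$missing $d"
    done
    echo "$missing" | sed 's/^ //'
}

# 2. Read `netstat -lntp` output on stdin and print the TCP port lcache is
#    listening on (prints nothing when no lcache process is listening).
lcache_port_from_netstat() {
    awk '$NF ~ /\/lcache$/ && $6 == "LISTEN" { sub(/.*:/, "", $4); print $4; exit }'
}

# 3. Make logevent.conf carry an explicit LogCachePort=<port>: the entry ships
#    commented out, so uncomment/replace it when present, else append it.
#    Returns 0 only if the file ends up with the expected line.
set_log_cache_port() {
    conf="$1"; port="$2"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*LogCachePort=' "$conf"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*LogCachePort=.*/LogCachePort=$port/" "$conf" \
            > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf 'LogCachePort=%s\n' "$port" >> "$conf"
    fi
    grep -q "^LogCachePort=$port\$" "$conf"
}

# Demo on constructed input (a temp tree instead of a real server): rc3.d has
# its link but rc5.d does not, the conf still carries the old commented-out
# default of 288, and lcache is actually listening on 1288.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/rc3.d" "$demo_dir/rc5.d"
touch "$demo_dir/novell-lcache"
ln -s "$demo_dir/novell-lcache" "$demo_dir/rc3.d/S99novell-lcache"
printf '# LogCachePort=288\nLogHost=audit.example.com\n' > "$demo_dir/logevent.conf"
demo_netstat='tcp 0 0 0.0.0.0:1288 0.0.0.0:* LISTEN 4321/lcache'

echo "missing start links: $(missing_lcache_links "$demo_dir")"
demo_port=$(printf '%s\n' "$demo_netstat" | lcache_port_from_netstat)
echo "lcache listens on: $demo_port"
set_log_cache_port "$demo_dir/logevent.conf" "$demo_port" && cat "$demo_dir/logevent.conf"
rm -rf "$demo_dir"
```

On a real server, feed `netstat -lntp` into lcache_port_from_netstat and pass /etc/logevent.conf (or wherever the Platform Agent reads it from) to set_log_cache_port, then restart the web server so LogEvent.jar picks up the change.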


NDS error: invalid context (-670) - “Expiring a user's password prevents the reading of that user's attributes or changing that user's password”

On eDirectory 8.8, when trying to read a user's attributes or change a user's password after expiring that user's password, an NDS -670 error is returned.

Solution:

  • Apply eDirectory 8.8 SP1 or later

Solution:

  • Remove the “NDSD_TRY_NMASLOGIN_FIRST=true” setting


When a user clicks submit on the Forgotten Password's enter user id page, it hangs for a long time and eventually (could be 20 minutes or more) returns control to the “enter id” page as if nothing had happened.

  • The eDirectory dstrace +NMAS trace log indicates an SSL error.

  • Normal password operations operate correctly.

  • Enrolling challenges/responses operates correctly.

  • NMAS Error -1681 in PMF log.

    This indicates that the NMAS libraries bundled with PMF are unable to establish an SSL connection because they cannot find the certificate in the keystore. The NMAS libraries require the keystore where the certificate is installed to be on the classpath. Note that this is a different operation than the LDAP SSL connection used for password authentication.

Solution:

  • Verify PMF's rights to the local file system.

    • This is more common on Linux servers, as they enforce user access rights to the file system more strictly.

    • One way to verify that this is the issue is to install Tomcat on a standard Windows workstation that isn't locked down, deploy the existing pmf.war, and rerun the test using a browser pointed at the local PMF.

      • If it works, the problem is likely file access rights.

      • Note that firewall rules and other factors could prevent the workstation from reaching the LDAP server, so a failure there doesn't necessarily mean it's not a rights issue.

    • If the PMF application doesn't have the proper file system access to the Java keystore on the classpath, it will be unable to write the LDAP server's certificate to the local keystore.

Solution:

  • Manually add the server certificate to the proper keystore on the machine.

    • It is possible that the PMF is unable to write the LDAP server's certificate to the keystore.

    • Use the proper certificate from the LDAP server. The wrong certificate is the same as no certificate.


When a user clicks submit on the Forgotten Password's enter user id page, it hangs for a long time and eventually (could be 20 minutes or more) returns control to the “enter id” page as if nothing had happened.

  • The eDirectory dstrace +NMAS trace log indicates an SSL error.

  • Normal password operations operate correctly.

  • Enrolling challenges/responses operates correctly.

  • Using the IBM JRE.

Solution:

  • Add the sunjce_provider.jar file to the pmf.war's ../WEB-INF/lib directory and restart the web server.

    • The NMAS libraries are dependent on the “com.sun.net.ssl.internal.ssl.Provider” SSL provider and don't seem to be compatible with the “com.ibm.jsse.IBMJSSEProvider” provider.


During a forgotten password operation, PMF reports that the user's challenge/response are not configured even after challenge/response enrollment has been completed

Check the PMF log file for the debug message “NMASCompletionCallback status =-2063990785”. If found, this indicates that the “Challenge and Response” login method hasn't been installed in eDirectory.

Solution:

  • Obtain the Challenge and Response login method and install into eDirectory. This can be done using the NMAS role in iManager. The “Challenge and Response” login method can usually be found at download.novell.com in the latest NMAS installation download.

Check the eDirectory NMAS trace for a debug message like “NMAS: 35: [CR] XML Parser: Error: -1695 invalid attribute: MinLength value: -1”. If found, this indicates that the “Challenge and Response” login method has been upgraded from a version prior to October 2007.

The NMAS Login Method introduced more robust validation in 2007 that disallows “-1” as a value for the minimum or maximum length in the Challenge Question Attribute.


Solution:

  • Obtain a Challenge and Response login method that predates October 2007 and install into eDirectory. This can be done using the NMAS role in iManager. The “Challenge and Response” login method can usually be found at download.novell.com in the latest NMAS installation download.

  • Run a conversion tool that reads each user's challenge attribute and uses the NMAS APIs (NMASChallengeResponseMgr.getChallengeQuestions() and NMASChallengeResponseMgr.setChallengeQuestions()) to replace all MinLength and MaxLength values of “-1” with “1” and “255” respectively. Novell Consulting Custom Development (NCCD) has built a debug version of such a tool called com.novell.nccd.pmf.Convert.jar, which is available free of charge. Contact nccd@novell.com if needed.


During authentication, PMF reports that the user's challenge/response are not enrolled even after challenge/response enrollment has been completed

Check the PMF log for the error “-1658”. If found, this indicates that the NMAS SAS attributes have become corrupt.

Solution:

  • PMF supports a work-around feature that deletes the existing attributes and resets the challenges/responses without the end user being aware of it. This behaves the same as the rmpwd.exe tool provided by Novell. To enable this feature, add the following snippet to the config.xml file underneath the “<PasswordManager><NmasChallenges>” section (to disable the feature, simply remove it from config.xml):

      <ErrorsToCauseCRDeletion>
        <NmasErrorCode>-1658</NmasErrorCode>
      </ErrorsToCauseCRDeletion>

Captcha does not show properly or a HeadlessException occurs on Linux

This may happen when starting Tomcat / JBoss from a remote console such as PuTTY.

Solution:

  • Set the DISPLAY variable, for example:

    # X display spec is host:display.screen; the local first screen is :0.0
    DISPLAY=:0.0
    export DISPLAY

  • You may also need to add a JVM option when JBoss or Tomcat starts:

    # append to any JAVA_OPTS already set so existing options are kept
    JAVA_OPTS="$JAVA_OPTS -Djava.awt.headless=true"
    export JAVA_OPTS

  • Make sure the X11 libraries are available

Solution:

  • Disable Captcha:

    See User Registration Configuration in this manual


Exception thrown when PMF fails to send Audit event

When PMF attempts to send an Audit event, the following error is displayed in the Tomcat console:

CACHE ERROR>java.lang.NoClassDefFoundError: com/novell/naudit/lcache/LCache
CACHE ERROR>Caused by: java.lang.ClassNotFoundException: com.novell.naudit.lcache.LCache
CACHE ERROR> at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
CACHE ERROR> at java.security.AccessController.doPrivileged(Native Method)
CACHE ERROR> at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
CACHE ERROR> at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
CACHE ERROR> at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
CACHE ERROR> at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
CACHE ERROR>Could not find the main class: com.novell.naudit.lcache.LCache. Program will exit.
CACHE ERROR>Exception in thread "main"

Solution:

  • Create the folder structure so that the file nproduct.log can be created when enabling "Audit". Otherwise an error is displayed that says: Error writing to NAudit Log file: /var/opt/novell/naudit/nproduct.log

    This directory is not created when you install only the Platform Agent from the NAudit 2.0.2 media; it is created only when the eDirectory instrumentation is installed. The error message above, referencing /var/opt/novell/naudit/, appears in the catalina.out log file.


Exception thrown when PMF fails to send Audit event

When PMF attempts to send an Audit event, the following error is displayed in the Tomcat console:

CACHE ERROR>Exception in thread "main" java.lang.NoClassDefFoundError: com/novell/naudit/lcache/LCache
CACHE ERROR>Caused by: java.lang.ClassNotFoundException: com.novell.naudit.lcache.LCache
CACHE ERROR>at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
CACHE ERROR>at java.security.AccessController.doPrivileged(Native Method)
CACHE ERROR>at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
CACHE ERROR>at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
CACHE ERROR>at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
CACHE ERROR>at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
CACHE ERROR>at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
Error writing to NAudit Log file: /var/opt/novell/naudit/nproduct.log (No such file or directory)
Thu Dec 10 17:46:23 2009 [jlogevent]: Unable to connect to lcache
Error writing to NAudit Log file: /var/opt/novell/naudit/nproduct.log (No such file or directory)

Solution:

  • Unknown at this time


Navigation links not displaying at top of page

The PMF uses the PmfProxy user's directory rights for this operation. This situation occurs when the appropriate rights to the authenticating user have not been granted to the PmfProxy user.

Solution:

  • Check PMF rights.


Encoding issues while enrolling and using Forgot Password

PMF started using UTF-8 encoding in June 2009. Before that time, if someone used foreign characters during enrollment, those responses would be stored using ASCII equivalent characters. Once UTF-8 encoding was implemented in PMF, these responses would not compare since the characters would be encoded differently. This encoding change is found in web.xml.

Solution:

  • If the user had used foreign characters during enrollment before UTF-8 encoding was being used in PMF, a re-enrollment is required.


Error: error.contextless-login.found-multiple-users and error.crAuthentication.challenges-not-setup “There are multiple accounts with the same user name”

Corruption could exist in eDirectory or the challenges are not setup.

Solution:

  • Run a local dsrepair and make sure there are no errors, e.g. “dsrepair -R”


When a user clicks in various locations inside of PMF, the page would timeout and never appear to complete.

If these locations map to the places where an Event would normally be configured (“Self-Service Change Password”, “Self-Service Enroll Challenges”, “Service-Center Reset Password”, etc.), the timeouts may be due to the PMF Audit jars being unable to communicate with the Novell Audit Platform Agent installed on the box, because the platform agent itself may be stuck, unable to communicate with the Sentinel Server.

Solution:

  • Check the Sentinel Audit and / or Novell Audit Server installations to make sure they are not experiencing an outage of some sort. If they are, this can cause the lcache platform agents to operate in local caching mode. In many instances, restarting the Sentinel Server allows the audit events to begin processing again. Once that is cleared up, restarting the PMF web server and its related lcache child process makes the symptoms go away.


When a new version of PMF is rolled out, updated changes don't seem to reflect in the web pages.

  • You're using WebSphere.

    WebSphere caches classes (including JSP servlets). If behavior isn't updating on some pages, it's possible that it's because WebSphere hasn't detected updated server side code.

Solution:


Recreating expired/invalid server certificates.

  • Server certificates are expired or invalid.

Solution:

  • Open iManager and select the Roles tab.

    • Select the “Novell Certificate Access” side tab

      • Select “Server Certificates” side tab.

        • Select all certificates listed & click “validate” button.

        • Delete all expired/invalid certificates.

      • Select “Novell Certificate Server” side tab.

        • Create Default Certificates.

          • Browse to Server object.

          • Keep default settings & click Next.

          • Click Finish.

  • Reboot the eDirectory host to flush the old cached certificates.