Environment
Novell eDirectory
Novell Identity Manager
Novell Modular Authentication Service (NMAS)
Situation
Resolution
An operation that triggers a PMF event results in an exception being thrown: "java.lang.UnsatisfiedLinkError: no jlogevnt in java.library.path"
The PMF events can be configured to send Novell Audit events. If Novell Audit events are turned on, this exception can indicate the Novell Audit Platform Agent is not (properly) installed on the server hosting PMF.
Solution:
Install the Novell Audit Platform Agent on the server hosting the PMF
Solution:
If Novell Audit events aren't needed, you can turn off PMF Novell Audits by either removing each audit event from the configuration section in the pmf-servlet.xml or turning them all off in the config.xml:
<NotificationEvents>
<EnableAuditEvents>false</EnableAuditEvents>
</NotificationEvents>
Message "No account found with the specified user name" on lookup screen
The PMF uses the directory rights of the PmfAnonmous, PmfProxy, and Help-Desk users for lookups. This message can occur when the PMF does not have the proper rights to view the users' directory container. One technique to narrow down the possibilities is to use a regular LDAP browser, authenticate to the directory as each of these users, and see whether the desired user(s) show up.
This message can also occur when the SearchBase configuration in the config.xml file is set to a location other than where the users are actually located.
Solution:
Check PMF rights.
Check configuration in the PMF config.xml file
Sample config.xml snippet:
<LdapConfiguration>
<SearchBase>ou=users,o=utopia</SearchBase>
</LdapConfiguration>
Error "No trusted certificate found" or "Error creating SSL connection" in PMF log file
The keystore/certificate used by the PMF must be located on the webserver's classpath.
Solution: If the PMF works using the following, then the certificate is valid and the next step is to troubleshoot the machine's invalid classpath.
Configure the PMF to use the specific keystore/certificate located at the precise file location
Sample config.xml snippet:
<LdapConfiguration>
<ServerCertificate>/PMF_TREE_CERT.der</ServerCertificate>
</LdapConfiguration>
Sample config.xml snippet:
<LdapConfiguration>
<Keystore>/cacert</Keystore>
<KeystorePassword>changeit</KeystorePassword>
</LdapConfiguration>
Error "Invalid RSA modulus size"
JDK 1.4 can't cope with keys bigger than 2048 bits. The latest installations of eDirectory have Certificate Authorities that default to 4096 (modulus bits).
Solution: Recreate the certificate authority
In eDirectory, delete the existing default certificate authority object
In eDirectory, delete the existing default certificates
In iManager, go to the "Novell Certificate Server" role and choose the "Configure Certificate Authority" task
Name the certificate authority the "{tree name} CA"
Choose the custom option
Keep defaults and click Next
Keep defaults and click Next
Keep defaults and click Next
Click Finish
In iManager, go to the "Novell Certificate Server" role and choose the "Create Default Certificates" task
Keep defaults and click Next
Click Finish
Password policy tasks not showing up in iManager
In order to configure the password policies and challenge sets, the password policy tasks must be used from iManager. If these are not showing up, it may be due to an improper installation.
Solution: Update iManager with password policy tasks
In iManager, log in as a user with administrative rights
Select the "Configure" tab
Choose the "iManager Server" role
Choose the "Configure iManager" task
Select the "Plug-in Download" tab
Choose "Show every available Novell Plug-in Module (NPM)"
Choose the "Plug-in Installation" role
Choose the "pwpolicy" module
Choose the "SharedContentV1" module
Choose the "DirXMLCommon" module
Click Install
In ICE, import the "C:\Novell\NDS\nsimpm.sch" schema file
Greater than 30 second delay when changing password via PMF
When trying to change a password, the user experiences a 30 second delay before control is returned to the browser. When PMF fires an event to LogEvent.jar, it looks for the presence of lcache. If lcache is not running, it will make an attempt to spawn an lcache process.
Solution:
The first thing to check is that lcache is running
It may be necessary to load lcache independently of LogEvent.jar, so an lcache script was created. KB 3115818 documents this script. The one thing that is not documented in the TID is that the customer needs to go to /etc/init.d/rc3.d and /etc/init.d/rc5.d and create a symlink in each of those directories that points back to the script at /etc/init.d/novell-lcache. Then they need to test it and make sure that lcache is running properly.
The second issue to check is that logevent.conf is configured properly
Ensure that the logevent.conf file is configured to point at the actual Nsure Audit Server (SLS)
One last (specific) issue to check is that the LogCachePort is configured in the logevent.cfg file.
The entry will exist in the logevent.conf file by default, but will be commented out. Make sure to explicitly add this value (either uncomment it, or copy it to the bottom of the file). The reason: earlier versions of lcache used port 288 by default. This was changed to port 1288. The Platform Agent libraries were also coded to use port 288 by default, but may not have been updated. Use netstat to verify the port used by lcache, then set the LogCachePort value to be the same.
Additional Technical Notes: The Audit Platform Agent attempts to store any event it receives with lcache, so ANY AUDIT EVENT will experience the same problem.
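As an added diagnostic that is not part of this document, the following Python script checks a logevent.conf and a netstat listing for the LogCachePort problem described above: it reports when the entry is commented out or missing (so the agent falls back to 288) and when it disagrees with the port lcache actually listens on. The configuration contents, hostnames, PIDs and ports are constructed sample values.

```python
import re

# Constructed sample logevent.conf (assumed values): LogCachePort is present
# but commented out, which is the default state the TID describes.
SAMPLE_LOGEVENT_CONF = """\
LogHost=audit.example.com
#LogCachePort=288
"""

# Constructed sample 'netstat -lntp' output showing lcache listening on 1288.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:1288          0.0.0.0:*               LISTEN      4321/lcache
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      1234/ndsd
"""

DEFAULT_AGENT_PORT = 288  # port the older Platform Agent libraries assume


def configured_cache_port(conf_text):
    """Return (port, active); active is False when the entry is commented or absent."""
    port, active = None, False
    for line in conf_text.splitlines():
        m = re.match(r"^\s*(#?)\s*LogCachePort\s*=\s*(\d+)", line)
        if m:
            port = int(m.group(2))
            active = m.group(1) == ""
            if active:
                break  # an uncommented entry wins over a commented one
    return port, active


def lcache_listen_port(netstat_text):
    """Return the TCP port lcache is listening on, or None if it is not running."""
    for line in netstat_text.splitlines():
        if "LISTEN" in line and line.rstrip().endswith("/lcache"):
            local_addr = line.split()[3]          # e.g. 127.0.0.1:1288
            return int(local_addr.rsplit(":", 1)[1])
    return None


def diagnose(conf_text, netstat_text):
    """Return a list of findings; an empty list means agent and lcache agree."""
    actual = lcache_listen_port(netstat_text)
    if actual is None:
        return ["lcache is not running; start it (e.g. via the novell-lcache init script)"]
    findings = []
    port, active = configured_cache_port(conf_text)
    effective = port if active else DEFAULT_AGENT_PORT
    if not active:
        findings.append("LogCachePort is commented out or missing; the agent falls back to %d" % effective)
    if effective != actual:
        findings.append("lcache listens on %d but the agent will use %d; set LogCachePort=%d"
                        % (actual, effective, actual))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOGEVENT_CONF, SAMPLE_NETSTAT) or ["OK"]:
        print(finding)
```

On a real server, feed it the contents of /etc/logevent.conf and the output of netstat -lntp instead of the constructed samples.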
NDS error: invalid context (-670) - "Expiring a user's password prevents the reading of that user's attributes or changing that user's password"
On eDirectory 8.8, when trying to read a user's attributes or change a user's password after expiring that user's password, an NDS -670 error is returned.
Solution:
Apply eDirectory 8.8 SP1 or later
Solution:
Remove the "NDSD_TRY_NMASLOGIN_FIRST=true" setting
When a user clicks submit on the Forgotten Password's enter user id page, it hangs for a long time and eventually (could be 20 minutes or more) returns control to the "enter id" page as if nothing had happened.
The eDirectory dstrace +NMAS trace log indicates an SSL error.
Normal password operations operate correctly.
Enrolling challenges/responses operates correctly.
NMAS Error -1681 in PMF log.
This indicates that the NMAS libraries bundled with PMF are unable to establish an SSL connection because they cannot find the certificate in the keystore. The NMAS libraries require the keystore where the certificate is installed to be on the classpath. Note that this is a different operation than the LDAP SSL connection used for password authentication.
Solution:
Verify PMF's rights to the local file system.
This is more common on Linux servers as they stress user access to the file system.
One way to verify that this is the issue is to install Tomcat on a standard Windows workstation that isn't locked down, add the existing pmf.war, and rerun the test using a browser pointed at the local PMF.
If it works, the problem is likely file access rights.
Note that firewall rules and other factors could prohibit the workstation access to the ldap server, so a failure to work doesn't necessarily mean it's not a rights issue.
If the PMF application doesn't have the proper file system access to the classpath's Java Keystore, it will be unable to write out the ldap server's certificate to the local keystore.
Solution:
Manually add the server certificate to the proper keystore on the machine.
It is possible that the PMF is unable to write the ldap server's certificate to the keystore.
Use the proper certificate from the LDAP server. The wrong certificate is the same as no certificate.
When a user clicks submit on the Forgotten Password's enter user id page, it hangs for a long time and eventually (could be 20 minutes or more) returns control to the "enter id" page as if nothing had happened.
The eDirectory dstrace +NMAS trace log indicates an SSL error.
Normal password operations operate correctly.
Enrolling challenges/responses operates correctly.
Using the IBM JRE.
Solution:
Add the sunjce_provider.jar file to the pmf.war's ../WEB-INF/lib directory and restart the webserver.
The NMAS libraries are dependent on the "com.sun.net.ssl.internal.ssl.Provider" SSL provider and don't seem to be compatible with the "com.ibm.jsse.IBMJSSEProvider" provider.
During a forgotten password operation, PMF reports that the user's challenge/response are not configured even after challenge/response enrollment has been completed
Check the PMF log file for the debug message "NMASCompletionCallback status =-2063990785". If found, this indicates that the "Challenge and Response" login method hasn't been installed in eDirectory.
Solution:
Obtain the Challenge and Response login method and install it into eDirectory. This can be done using the NMAS role in iManager. The "Challenge and Response" login method can usually be found at download.novell.com in the latest NMAS installation download.
Check the eDirectory NMAS Trace for a debug message like "NMAS: 35: [CR] XML Parser: Error: -1695 invalid attribute: MinLength value: -1". If found, this indicates that the "Challenge and Response" login method has been upgraded from a version prior to October 2007.
The NMAS Login Method introduced more robust validation in 2007 that disallows "-1" as a value for the minimum or maximum length in the Challenge Question Attribute.
Solution:
Obtain a Challenge and Response login method that predates October 2007 and install it into eDirectory. This can be done using the NMAS role in iManager. The "Challenge and Response" login method can usually be found at download.novell.com in the latest NMAS installation download.
Run a conversion tool that reads each user's challenge attribute and uses the NMAS APIs (NMASChallengeResponseMgr.getChallengeQuestions() and NMASChallengeResponseMgr.setChallengeQuestions()) to replace all MinLength and MaxLength values of "-1" with "1" and "255" respectively. Novell Consulting Custom Development (NCCD) has built a debug version of such a tool called com.novell.nccd.pmf.Convert.jar which is available free of charge. Contact nccd@novell.com if needed.
During authentication, PMF reports that the user's challenge/response are not enrolled even after challenge/response enrollment has been completed
Check the PMF log for the error "-1658". If found, this indicates that the NMAS SAS attributes have become corrupt.
Solution:
PMF supports a work-around feature that deletes the existing attributes and resets the challenges/responses without the end user being aware of it. This behaves the same as the rmpwd.exe tool provided by Novell. To enable this feature, add the following snippet to the config.xml file underneath the "<PasswordManager><NmasChallenges>" section (to disable the feature, simply remove it from the config.xml):
<ErrorsToCauseCRDeletion>
<NmasErrorCode>-1658</NmasErrorCode>
</ErrorsToCauseCRDeletion>
Captcha does not show properly or a HeadlessException occurs on Linux
This may happen when starting Tomcat / JBoss from a remote console such as PuTTY.
Solution:
Set the DISPLAY variable before starting the web server (the value must include the colon; "0.0" on its own is not a valid display name):
DISPLAY=:0.0
export DISPLAY
You may also need to add a JVM option when JBoss or Tomcat starts:
JAVA_OPTS="-Djava.awt.headless=true"
export JAVA_OPTS
Make sure the X11 libraries are available.
Solution:
Disable Captcha:
See User Registration Configuration in this manual
Exception thrown when PMF fails to send Audit event
When PMF attempts to send an Audit event, the following error is displayed in the tomcat console:
CACHE ERROR>java.lang.NoClassDefFoundError: com/novell/naudit/lcache/LCache
CACHE ERROR>Caused by: java.lang.ClassNotFoundException: com.novell.naudit.lcache.LCache
CACHE ERROR> at java.net.URLClassLoader$1.run(URLClassLoader.java:202)
CACHE ERROR> at java.security.AccessController.doPrivileged(Native Method)
CACHE ERROR> at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
CACHE ERROR> at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
CACHE ERROR> at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:301)
CACHE ERROR> at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
CACHE ERROR>Could not find the main class: com.novell.naudit.lcache.LCache. Program will exit.
CACHE ERROR>Exception in thread "main"
Solution:
Create the folder structure so that the file nproduct.log can be created when enabling "Audit". Otherwise an error will be displayed that says: Error writing to NAudit Log file: /var/opt/novell/naudit/nproduct.log
This directory is not created when you install only the Platform Agent from the Naudit 2.0.2 media; it is created only when you install the eDirectory instrumentation. You will see the following message in the catalina.out log file referencing /var/opt/novell/naudit/.
Exception thrown when PMF fails to send Audit event
When PMF attempts to send an Audit event, the following error is displayed in the tomcat console:
CACHE ERROR>Exception in thread "main" java.lang.NoClassDefFoundError: com/novell/naudit/lcache/LCache
CACHE ERROR>Caused by: java.lang.ClassNotFoundException: com.novell.naudit.lcache.LCache
CACHE ERROR>at java.net.URLClassLoader$1.run(URLClassLoader.java:217)
CACHE ERROR>at java.security.AccessController.doPrivileged(Native Method)
CACHE ERROR>at java.net.URLClassLoader.findClass(URLClassLoader.java:205)
CACHE ERROR>at java.lang.ClassLoader.loadClass(ClassLoader.java:319)
CACHE ERROR>at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:294)
CACHE ERROR>at java.lang.ClassLoader.loadClass(ClassLoader.java:264)
CACHE ERROR>at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:332)
Error writing to NAudit Log file: /var/opt/novell/naudit/nproduct.log (No such file or directory)
Thu Dec 10 17:46:23 2009 [jlogevent]: Unable to connect to lcache
Error writing to NAudit Log file: /var/opt/novell/naudit/nproduct.log (No such file or directory)
Solution:
Unknown at this time
Navigation links not displaying at top of page
The PMF uses the PmfProxy user's directory rights for this operation. This situation will occur when the appropriate rights to the authenticating user have not been granted to the PmfProxy user.
Solution:
Check PMF rights.
Encoding issues while enrolling and using Forgot Password
PMF started using UTF-8 encoding in June 2009. Before that time, if someone used foreign characters during enrollment, those responses would be stored using ASCII equivalent characters. Once UTF-8 encoding was implemented in PMF, these responses would not compare since the characters would be encoded differently. This encoding change is found in web.xml.
Solution:
If the user had used foreign characters during enrollment before UTF-8 encoding was being used in PMF, a re-enrollment is required.
Error: error.contextless-login.found-multiple-users and error.crAuthentication.challenges-not-setup "There are multiple accounts with the same user name"
Corruption could exist in eDirectory or the challenges are not setup.
Solution:
Run a local dsrepair and make sure there are no errors, i.e. "dsrepair -R"
When a user clicks in various locations inside of PMF, the page would timeout and never appear to complete.
If these locations map to the places where an Event would normally be configured ("Self-Service Change Password", "Self-Service Enroll Challenges", "Service-Center Reset Password", etc.), it is possible the timeouts are due to the PMF Audit jars being unable to communicate with the Novell Audit Platform Agent installed on the box. The platform agent may itself be stuck because it cannot communicate with the Sentinel Server.
Solution:
Check the Sentinel Audit and/or Novell Audit Server installations to make sure they are not experiencing an outage of some sort. If they are, this can cause the lcache platform agents to operate in local caching mode. In many instances, restarting the Sentinel Server allows the audit events to begin processing again. Once that is cleared up, restarting the PMF web server and its related lcache child process makes the symptoms go away.
When a new version of PMF is rolled out, updated changes don't seem to reflect in the web pages.
You're using WebSphere.
WebSphere caches classes (including JSP servlets). If behavior isn't updating on some pages, it's possible that it's because WebSphere hasn't detected updated server side code.
Solution:
Configure WebSphere to reload classes when application files are updated.
Recreating expired/invalid server certificates.
Server certificates are expired or invalid.
Solution:
Open iManager and select the Roles tab.
Select the "Novell Certificate Access" side tab
Select the "Server Certificates" side tab.
Select all certificates listed & click the "validate" button.
Delete all expired/invalid certificates.
Select the "Novell Certificate Server" side tab.
Create Default Certificates.
Browse to Server object.
Keep default settings & click Next.
Click Finish.
Reboot the eDirectory host to flush the old cached certificates.