Access Manager Device Manager / JCC certificates expired causing all NAM services to stop working

  • 7002781
  • 20-Mar-2009
  • 24-Oct-2019

Environment

  • NetIQ Access Manager
  • NetIQ Access Manager Administration Console

Situation

  • All Novell Access Manager (NAM) services stopped working on a specific date.
  • The Health status in iManager for all configured devices returns: "Server is not reporting"
  • Running the "/etc/init.d/novell-jcc status" init script on the configured devices returns: "unused"
  • Restarting the JCC client service ("/etc/init.d/novell-jcc start") fails on all devices


Resolution

  • This issue has been addressed with any post Novell Access Manager 3.0 Service Pack 4 release

    • To fix the JCC certificate expiry problem:
    • Set the clock of the OS platforms hosting NAM services back to 15 days before the JCC certificates expire
      (disable NTP first, otherwise the time will be re-adjusted automatically)
    • Install Novell Access Manager Service Pack 4 on all devices, beginning with the Access Manager Console server (AC)
    • Restart the Access Manager Console service ("/etc/init.d/novell-tomcat restart") and wait for about 30 minutes
    • Set the time and date back to the current values
    • Restart all devices


  • It is also possible to fix the JCC Access Manager Console Java keystore (JKS) manually

    • The AC JCC keystore file is located at "/var/opt/novell/novlwww/devman.keystore"

    • The required keystore password (the keystorePass attribute of the devman connector) can be found by running:
      "grep devman /opt/novell/nam/adminconsole/conf/server.xml"

      <Connector NIDP_Name="devman" port="8444" maxThreads="200" minSpareThreads="5" enableLookups="false" acceptCount="100" scheme="https" secure="true" disableUploadTimeout="true" URIEncoding="utf-8" clientAuth="true" sslProtocol="TLSv1.2" sslImplementationName="com.novell.socket.DevManSSLImplementation" keystoreFile="/var/opt/novell/novlwww/devman.keystore" keystorePass="705DAC262E019DEB" SSLEnabled="true" address="147.2.92.100" sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" />

    • Use iManager => Admin => Manage Tasks => Certificate Access => Server Certificates and create a new Custom Certificate called, for example, "devman-custom" with the following settings:
      • Organizational certificate authority
      • Key type: Unspecified
      • Disable "Enable extended key usage"
      • Subject: "cn=[hostname].ou=accessManager.o=novell"
        Example: "CN=nam40.OU=accessManager.O=novell"
      • Delete any Subject Alternative Name
      • SHA256
      • Validity period: Maximum

    • Export the new certificate (including the private key) into a PKCS#12 file

    • Create a backup copy of the existing "devman.keystore"

    • To edit the "devman.keystore" file with KeytoolUI you have to add the file extension ".jks"
      (Example: devman.keystore.jks)

    • Rename the existing alias from "tomcat" to "tomcatold"

    • Import the PKCS#12 envelope exported from iManager into "devman.keystore" and assign it the alias "tomcat"

    • Copy the new keystore back, as "devman.keystore", to the "/var/opt/novell/novlwww/" directory and restart the Access Manager Console ("/etc/init.d/novell-tomcat restart")

Additional Information

Troubleshooting
  • Review "/opt/novell/devman/jcc/logs/jcc-0.log.0" and check whether it contains the following error:
    -------------------------------------------------------------------------------------------------------------------------------------------------
    Mar 19, 2009 1:53:12 PM com.novell.jcc.util.JCCUtils logSevere
    SEVERE: AM#100702009: Error sending alert ID#: 1 from idp-8BD356ED07F074CF to 192.168.1.13
    com.novell.jcc.client.AlertDispatcher$_A$_B run
    java.security.cert.CertificateExpiredException: NotAfter: Wed Feb 18 16:06:57 GMT 2009
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Wed Feb 18 16:06:57 GMT 2009
    -------------------------------------------------------------------------------------------------------------------------------------------------
  • Use the following OpenSSL command to review the certificate presented by the Device Manager listener during the SSL handshake:

    echo | openssl s_client -connect 10.2.92.100:8444 2>/dev/null | openssl x509 -noout -issuer -subject -dates
    issuer= /OU=Organizational CA/O=nam40_tree
    subject= /CN=nam40/OU=accessManager/O=novell
    notBefore=Oct 23 12:30:00 2019 GMT
    notAfter=Feb  3 23:58:00 2036 GMT
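As an added example (not part of this TID), a small POSIX shell script that automates the two checks above: it classifies the certificate served by devman on port 8444 against the 15-day window used in the Resolution section, and extracts the NotAfter date from a jcc-0.log.0 error line. The Admin Console host passed to devman_cert_status is a placeholder and the log line is a constructed sample; date math is done in shell arithmetic so the result does not depend on the local "date -d" implementation.

```shell
# Added example, not part of the TID: classify the devman certificate on the
# Admin Console (port 8444) as OK / WARN / EXPIRED and pull the NotAfter date
# out of the jcc-0.log.0 error line (works with sh, sed, awk and openssl).

# Constructed sample of the JCC log line (not from a real system).
SAMPLE_JCC_LOG='java.security.cert.CertificateExpiredException: NotAfter: Wed Feb 18 16:06:57 GMT 2009'

# Epoch seconds for "Mon D HH:MM:SS YYYY GMT", the layout of openssl x509 -enddate.
notafter_to_epoch() {
    set -- $1                    # word-split into: Mon D HH:MM:SS YYYY GMT
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 2;;
    esac
    d=$2; y=$4; h=${3%%:*}; r=${3#*:}; mi=${r%%:*}; s=${r#*:}
    h=${h#0}; mi=${mi#0}; s=${s#0}   # "08" would otherwise be parsed as octal
    # Howard Hinnant's days-from-civil formula (proleptic Gregorian calendar)
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( (era * 146097 + doe - 719468) * 86400 + h * 3600 + mi * 60 + s ))
}

# EXPIRED once notAfter has passed, WARN within $3 days (default 15, the
# roll-back window used in the Resolution), otherwise OK. $2 overrides "now".
cert_status() {
    exp=$(notafter_to_epoch "$1") || return 2
    left=$(( exp - ${2:-$(date +%s)} ))
    if   [ "$left" -le 0 ]; then echo EXPIRED
    elif [ "$left" -le $(( ${3:-15} * 86400 )) ]; then echo WARN
    else echo OK; fi
}

# Live check with the same s_client pipeline as the Troubleshooting step;
# $1 is the Admin Console host (placeholder), $2 the devman port.
devman_cert_status() {
    na=$(echo | openssl s_client -connect "$1:${2:-8444}" 2>/dev/null \
         | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    [ -n "$na" ] || { echo UNREACHABLE; return 1; }
    cert_status "$na" "" "${3:-15}"
}

# NotAfter from CertificateExpiredException lines (stdin or files); Java's
# "Wed Feb 18 16:06:57 GMT 2009" is reordered into the -enddate layout.
jcc_log_notafter() {
    sed -n 's/.*CertificateExpiredException: NotAfter: //p' "$@" | head -n 1 \
        | awk '{ print $2, $3, $4, $6, $5 }'
}
```

Feed the JCC log through jcc_log_notafter and the result straight into cert_status to confirm that the date in the log is indeed in the past before rolling the clock back.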

Tools
  • iManager with Certificate Server snap-in (installed with recent versions of NAM)
  • KeytoolUI or KeyStore Explorer in order to edit a Java KeyStore (JKS)
  • OpenSSL s_client in order to review certificates provided during the SSL handshake
  • The Device Manager service (devman) listens on port 8444 on the Access Manager Console
  • The JCC service on each node listens on port 1443
  • JCC uses SSL mutual authentication, which means that whichever side initiates the communication channel as a client will be asked to present a certificate