Identity Manager Error: SSL3_GET_RECORD:wrong version number

  • 7003300
  • 18-May-2009
  • 26-Dec-2018

Environment


Novell Identity Manager

Situation

DirXML Log Event -------------------
    Thread  = Subscriber Channel
    Level   = error
    Message = SSL protocol failure: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

This error, shown in a driver trace or in the event log, typically means that the SSL connection failed between the Identity Manager engine (which holds the driver configuration) and the Remote Loader (where the driver shim runs). This connection should normally be SSL-enabled to protect potentially sensitive data, and SSL is required for many configurations in which passwords are involved.

Resolution

The connection between the engine and the Remote Loader must be configured correctly on both sides. For every driver there is a 'Remote Loader' configuration line, editable in either iManager or Designer. This line typically contains the following parameters:

hostname=ipAddressOrDNSNameOfServer port=8090

The parameter that enables SSL between the Remote Loader and the engine is appended to the end of this line, as follows:

hostname=ipAddressOrDNSNameOfServer port=8090 kmo='Certificate Short Name'

In this example the certificate (an object of class 'NDSPKI:Key Material') associated with the server hosting the IDM (Identity Manager) engine is named 'Certificate Short Name', and that name must be wrapped in single quotation marks exactly as shown. The full name of the certificate, as displayed in iManager or ConsoleOne, would look something like the following:

Certificate Short Name - serverName

Via LDAP the same object would appear as something like the following:

cn=Certificate Short Name - serverName,dc=servername,dc=server,dc=system

Keep in mind that only the short name of the certificate is used in the Key Material Object (KMO) parameter within the driver configuration. On the Remote Loader side, the trusted root certificate exported from this certificate, or the self-signed certificate of the tree's Certificate Authority (CA), must be imported as described in the Novell Identity Manager documentation.

If the name of the certificate is specified incorrectly (for example, without the quotation marks), or the certificate is specified on one side of the connection but not the other, this error can be the result: one side then sends plain, unencrypted data where the other side expects an SSL record, and that mismatch is what the SSL library reports as 'wrong version number'.

This error has also been seen with a connection-timeout type of issue. Setting handshaketimeout in the connection parameters has been reported to resolve it, for example:

handshaketimeout=10000
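The following checker is added here as an example; it is not part of the original TID and is not Novell or NetIQ tooling. It parses an engine-side Remote Loader connection line of the form shown above and flags the mistakes this article names: a kmo value that is missing its single quotes, a kmo that carries the full certificate name or an LDAP DN instead of the short name, SSL configured on only one side of the connection, and a non-numeric handshaketimeout. The function names, the remote_loader_uses_ssl flag and the sample hostnames are assumptions made for this example.

```python
import re

# A connection line is a run of key=value pairs; a value may be quoted so that
# it can contain spaces. Anything that is not part of a pair is a stray token,
# which is exactly what an unquoted multi-word kmo value turns into.
_TOKEN = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)|(\S+)")


def parse_connection_line(line):
    """Return (params, stray) for a Remote Loader connection line.

    params maps the lower-cased key to (value, quote_char_or_None);
    stray lists words that belong to no key=value pair.
    """
    params, stray = {}, []
    for m in _TOKEN.finditer(line):
        if m.group(3) is not None:
            stray.append(m.group(3))
            continue
        key, raw = m.group(1).lower(), m.group(2)
        quote = raw[0] if len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0] else None
        params[key] = (raw[1:-1] if quote else raw, quote)
    return params, stray


def check_connection_line(line, remote_loader_uses_ssl=True):
    """Return a list of findings for the engine-side connection line.

    remote_loader_uses_ssl (assumed flag) states whether the Remote Loader was
    started with a trusted root certificate, so one-sided SSL setups can be
    reported. An empty list means none of the article's pitfalls was found.
    """
    params, stray = parse_connection_line(line)
    findings = []
    if "hostname" not in params:
        findings.append("hostname= is missing")
    port = params.get("port", ("", None))[0]
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append("port= is missing or not a valid TCP port")
    if stray:
        findings.append("stray tokens %r: a value containing spaces must be single-quoted" % (stray,))
    kmo = params.get("kmo")
    if kmo is None:
        if remote_loader_uses_ssl:
            findings.append("kmo= is missing but the Remote Loader expects SSL (one-sided configuration)")
    else:
        value, quote = kmo
        if not remote_loader_uses_ssl:
            findings.append("kmo= is set but the Remote Loader has no trusted root (one-sided configuration)")
        if quote != "'":
            findings.append("kmo value %r is not wrapped in single quotes" % (value,))
        if value.lower().startswith("cn="):
            findings.append("kmo value is an LDAP DN; use only the certificate short name")
        elif " - " in value:
            findings.append("kmo value looks like the full name 'Short Name - serverName'; use only the short name")
    timeout = params.get("handshaketimeout")
    if timeout is not None and not timeout[0].isdigit():
        findings.append("handshaketimeout= must be an integer")
    return findings


def build_connection_line(hostname, port, kmo=None, handshaketimeout=None):
    """Assemble a connection line in the form the article shows, quoting kmo."""
    parts = ["hostname=%s" % hostname, "port=%d" % int(port)]
    if kmo is not None:
        parts.append("kmo='%s'" % kmo)  # short name only, single-quoted
    if handshaketimeout is not None:
        parts.append("handshaketimeout=%d" % int(handshaketimeout))
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample lines; the hostname is a placeholder, not a real server.
    samples = [
        "hostname=rl.example.test port=8090 kmo='Certificate Short Name'",
        "hostname=rl.example.test port=8090 kmo=Certificate Short Name",
        "hostname=rl.example.test port=8090 kmo='Certificate Short Name - server1'",
        "hostname=rl.example.test port=8090",
    ]
    for sample in samples:
        print(sample)
        for finding in check_connection_line(sample) or ["ok"]:
            print("    " + finding)
```

Run it directly to see the four sample lines checked; only the first passes cleanly, the others reproduce the quoting, full-name and one-sided mistakes the article describes.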