Environment
Novell Identity Manager
Situation
DirXML Log Event
-------------------
Thread = Subscriber Channel
Level = error
Message = SSL protocol failure: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
This error message, displayed in a trace or in the event log for a driver, typically means that the SSL connection failed between the Engine, which holds the driver configuration, and the Remote Loader, where the driver shim is running. This connection should usually be SSL-enabled to protect potentially sensitive data, and SSL is required for many configurations when passwords are involved.
Resolution
The connection between the Engine and the Remote Loader must be properly configured. For all drivers there is a 'Remote Loader' configuration line available in either iManager or Designer. This line typically includes the following parameters:
hostname=ipAddressOrDNSNameOfServer port=8090
The parameter to configure the SSL between the Remote Loader and the Engine is then added to the end of this as follows:
hostname=ipAddressOrDNSNameOfServer port=8090 kmo='Certificate Short Name'
In this example the name of the certificate (an object of class 'NDSPKI:Key Material') associated with the server hosting the IDM (Identity Manager) engine is 'Certificate Short Name' and must be wrapped accordingly in single quotation marks. The full name of the certificate as shown in iManager or ConsoleOne would look something like the following:
Certificate Short Name - serverName
Via LDAP it may have looked like the following:
cn=Certificate Short Name - serverName,dc=servername,dc=server,dc=system
Keep in mind that only the short name of the certificate is used in the Key Material Object (KMO) parameter within the driver configuration. On the Remote Loader side the exported trusted root certificate from this certificate or the self-signed certificate from the tree CA should be imported per the Novell Identity Manager documentation.
If either the name of the certificate is specified incorrectly (lacking quotation marks, for example) or the certificate is specified on one side of the connection but not the other then this error may be the result.
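The following is an added example, not Novell code: a small Python check that parses a Remote Loader connection line and reports the mistakes described above (no kmo, a kmo name without single quotation marks, or a full object name instead of the short name). The host idm.example.com and the sample lines are constructed, and the test for a "full name" is a heuristic assumption based on the name formats shown in this article.

```python
import re

# key=value pairs; a value is either 'single quoted' or a run of non-space characters.
_PAIR = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")


def parse_connection(line):
    """Split a connection line into {key: (value, was_quoted)} plus any unparsed text."""
    params = {}
    for m in _PAIR.finditer(line):
        quoted = m.group(2) is not None
        params[m.group(1)] = (m.group(2) if quoted else m.group(3), quoted)
    return params, _PAIR.sub("", line).strip()


def lint_connection(line):
    """Return findings for the misconfigurations this article ties to the SSL failure."""
    params, leftover = parse_connection(line)
    findings = []
    for required in ("hostname", "port"):
        if required not in params:
            findings.append("missing %s parameter" % required)
    if "kmo" not in params:
        findings.append("no kmo parameter: SSL is not configured on the Engine side")
        return findings
    name, quoted = params["kmo"]
    if not quoted:
        findings.append("kmo value is not wrapped in single quotation marks")
    if leftover:
        findings.append("unparsed text %r: an unquoted name was cut at a space" % leftover)
    # Heuristic (assumption): ' - ' or a leading 'cn=' suggests the full object name.
    if " - " in name or name.startswith("cn="):
        findings.append("kmo looks like the full object name; use only the short name")
    return findings


if __name__ == "__main__":
    # Constructed sample lines; idm.example.com is a placeholder host.
    samples = [
        "hostname=idm.example.com port=8090 kmo='Certificate Short Name'",
        "hostname=idm.example.com port=8090 kmo=Certificate Short Name",
        "hostname=idm.example.com port=8090",
        "hostname=idm.example.com port=8090 kmo='Certificate Short Name - serverName'",
    ]
    for s in samples:
        print(s, "->", lint_connection(s) or "ok")
```

A clean result only means the Engine-side line is well formed; the Remote Loader side must still be configured for SSL with the matching trusted root certificate.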
This error has also been seen with connection timeout issues. Setting handshaketimeout in the connection parameters has been reported to resolve the issue:
handshaketimeout=10000