CertKeyImport Command Failed after upgrade from 3.04 to 3.1.

  • 7003507
  • 11-Jun-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3 Linux Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Access Administration

Situation

An upgrade was performed from Access Manager 3.04 to Access Manager 3.1.
When a connector certificate is replaced, a restart of Tomcat is needed.
An example is the certificate tied to the base URL of the IDP.
The restart is handled by a POSTUPDATE command, which was not changed during the upgrade.
As a result, it still points to tomcat4.
The app_sc.0.log on the Administration Console shows the following:
Response from the device , deviceName ::idp-xxxxxxxxxx  command ::CertKeyImport errCode :127 result::CertKeyImport Command Failed.

The JCC log on the IDP showed the following:
INFO: Executing /bin/bash -c "/etc/init.d/novell-tomcat4 restart"
INFO: Error! Return code: 127

Resolution

This has been reported to engineering as a bug.

Workarounds are:
1.  When replacing the connector certificate, don't restart Tomcat
automatically.  This prevents the post update commands from being run, but
requires a manual restart of Tomcat on the IDP server.

2.  Re-install the device instead of upgrading the device.  This puts new
post update commands in the keystore_info.xml file, which point to the
correct Tomcat.

Additional Information

This is only seen when replacing connector certificates that require a restart of Tomcat, so not all certificate operations will show this error.
The key things to look for are the errors in the app_sc.0.log file and the JCC log file on the IDP.
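
The following added example (not Novell code) shows one way to correlate the two log entries described above: it pairs a failed CertKeyImport in app_sc.0.log with a JCC post update command that returned 127, the code bash returns when the command it was asked to run cannot be found. The sample log text is constructed from the excerpts in this article, and the function names and the assumption that the "Return code" line directly follows its "Executing" line are illustrative.

```python
import re

# Constructed sample input, modelled on the log excerpts quoted in this article.
SAMPLE_APP_SC = (
    "Response from the device , deviceName ::idp-xxxxxxxxxx  command ::CertKeyImport "
    "errCode :127 result::CertKeyImport Command Failed.\n"
)
SAMPLE_JCC = (
    "INFO: unrelated JCC message (constructed)\n"
    'INFO: Executing /bin/bash -c "/etc/init.d/novell-tomcat4 restart"\n'
    "INFO: Error! Return code: 127\n"
)

EXEC_RE = re.compile(r'Executing /bin/bash -c "(?P<cmd>[^"]+)"')
RC_RE = re.compile(r"Error! Return code: (?P<rc>\d+)")
APP_RE = re.compile(
    r"deviceName ::(?P<dev>\S+)\s+command ::(?P<cmd>\S+)\s+errCode :(?P<rc>\d+)"
)

def failed_post_update(jcc_text):
    """Pair each 'Executing' line with the 'Return code' error that follows it."""
    failures, last_cmd = [], None
    for line in jcc_text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            last_cmd = m.group("cmd")
            continue
        m = RC_RE.search(line)
        if m and last_cmd:
            failures.append((last_cmd, int(m.group("rc"))))
            last_cmd = None
    return failures

def failed_device_commands(app_sc_text):
    """Return (device, command, errCode) for each device response with an errCode."""
    return [(m["dev"], m["cmd"], int(m["rc"])) for m in APP_RE.finditer(app_sc_text)]

def diagnose(app_sc_text, jcc_text):
    """Report CertKeyImport failures caused by a post update script bash could not find."""
    findings = []
    for dev, cmd, rc in failed_device_commands(app_sc_text):
        if cmd != "CertKeyImport" or rc != 127:
            continue
        for shell_cmd, shell_rc in failed_post_update(jcc_text):
            if shell_rc == 127:  # bash: command not found
                script = shell_cmd.split()[0]
                findings.append({"device": dev, "script": script, "return_code": 127})
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_APP_SC, SAMPLE_JCC))
```

Each finding names the script path the post update command tried to run, which can then be checked for existence on the IDP server.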