alt-servers.properties does not allow failover when SSL port is used

  • 7005093
  • 31-Dec-2009
  • 30-Apr-2012

Environment

Novell ZENworks 10 Configuration Management with Support Pack 2 - 10.2

Situation

This issue affects only ZCM 10.2 and earlier. See the 10.3 documentation: alt-servers.properties is not used in 10.3, because ZCC allows more than one LDAP connection to be configured.
 
In ZENworks 10.2 and earlier, when LDAP over SSL (port 636) is in use, failover to the second and subsequent LDAP servers listed in alt-servers.properties fails with server certificate errors, because those servers' certificates are not trusted by the ldap-ssl-certs keystore.

Resolution

This is fixed in version 10.3 - see KB 7005455 "ZENworks Configuration Management SP3 (10.3) - update information and list of fixes", which can be found at https://www.novell.com/support
 
For 10.2, the steps below allow the certificates of the subsequent LDAP servers to be imported manually into the keystore.
 
However, the keystore is overwritten on restart, so the steps will need to be repeated after each restart, or scripted.
 
eDirectory Environment:
  1. Export the certificate of the LDAP source in '.der' format.
    Launch ConsoleOne and select the certificate whose key pair name is "SSL CertificateDNS", e.g. SSL CertificateDNS-SERVERNAME.
    Right-click it > Properties, open the "Certificates" tab and choose Export, selecting 'DER' format (do not export the private key).
    Export both the Trusted Root Certificate and the Public Key Certificate.
    Make a note of the Subject name of each certificate; it is used as the "alias" when importing that certificate into the ldap-ssl-certs keystore.
    E.g., if the Subject of the certificate is OU=Organizational CA.O=POLICY-TREE,
    then use the alias o=policy-tree, ou=organizational ca
  2. Copy the file to the ZCM server and convert it to '.PEM' format with the openssl command:
    openssl x509 -in myfile.der -inform DER -outform PEM -out myfile.pem
  3. Back up the original "ldap-ssl-certs" file in case it is necessary to revert to it.
  4. Import the certificate with keytool, giving the Subject of the certificate as the alias (e.g. cn=blr-srm-r5f, o=policy-tree):
    ./keytool -import -v -noprompt -trustcacerts -alias cn=blr-srm-r5f,o=policy-tree -file TrustedRootCertR5F.pem -keystore /var/opt/novell/zenworks/datamodel/ldap-ssl-certs
    The "import" command asks for the "KeyStore Password", which must be given as "foo". If no password is supplied, it may throw a "NULL pointer exception".
    Once the import is complete, the certificates in the keystore can be listed with the command below to verify that everything is in place. The CA certificate must be imported into the store as well.
    ./keytool -list -v -keystore /var/opt/novell/zenworks/datamodel/ldap-ssl-certs
    Before performing the steps above, the same 'list' command can be used to check whether the CA certificate is already present in the store.
    In AD environments, keytool can be used in the same way to import the certificate of each Domain Controller.
NOTE:
1. The certificates must be imported directly into the existing keystore. Take a backup of the original keystore before doing so.
2. The keystore password is set to "foo" programmatically in the data model code.
3. Because of a keytool limitation on password length, the alt-server certificates cannot be imported directly with the "foo" password; at least one "delete" operation must first be performed on the keystore with the password "foo". After that, any number of certificates can be imported into the existing keystore.
4. Restart only the ZEN Server service, not the loader service.

Active Directory Environment:
  1. Click Start > Control Panel > Administrative Tools > Certification Authority to open the CA Microsoft® Management Console (MMC) snap-in.
  2. Highlight the CA machine (AD-Server) and expand it to see the following:
    Revoked Certificates, Issued Certificates, Pending Requests, etc.
  3. Click Issued Certificates and look for a valid certificate whose Certificate Template is "Domain Controller (Domain Controller)".
  4. Open that certificate.
  5. Select the Details view and click the "Copy to File..." button in the lower-right corner of the window. Take a note of the "Subject" of the certificate.
  6. Use the Certificate Export Wizard to save the certificate to a file.
NOTE:
The certificate can be saved in either DER encoded binary X.509 format or Base-64 encoded X.509 format (the Base-64 form is already PEM and needs no conversion).
Export it in DER encoded binary X.509 format (.CER file) and copy it to the ZCM server.
Convert it to .PEM format using the command:
openssl x509 -in ADServerCert.cer -inform DER -outform PEM -out ADServerCert.pem
Then import it into the ldap-ssl-certs store using:
./keytool -import -v -noprompt -trustcacerts -alias cn=systst-zen-50.ad.labs.blr.novell.com -file ADServerCert.pem -keystore /var/opt/novell/zenworks/datamodel/ldap-ssl-certs
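Because the keystore is rewritten on restart, the eDirectory and Active Directory procedures above are best scripted. The following script is an added example written for this article; it is not Novell's code and is not shipped with ZENworks. It assumes openssl and keytool are on PATH (the article runs ./keytool from the ZCM JRE's bin directory), that the keystore password is "foo" as in NOTE 2, and that the one-time "delete" workaround from NOTE 3 has already been applied. The alias is derived from the certificate's Subject via openssl's RFC 2253 output, lower-cased (cn=blr-srm-r5f,o=policy-tree for the eDirectory example, cn=systst-zen-50.ad.labs.blr.novell.com for the AD one); check that this matches the Subject noted in ConsoleOne or the CA MMC before relying on it.

```shell
#!/bin/sh
# Added example (not Novell's code): import alt-server LDAP certificates into
# the ZCM 10.2 ldap-ssl-certs keystore, i.e. the manual steps above, scripted.
# Assumptions: openssl and keytool on PATH, keystore password "foo" (NOTE 2),
# NOTE 3 "delete" workaround already done. Override via environment if needed.
set -u

KEYSTORE=${KEYSTORE:-/var/opt/novell/zenworks/datamodel/ldap-ssl-certs}
STOREPASS=${STOREPASS:-foo}
KEYTOOL=${KEYTOOL:-keytool}

# Build the keytool alias from one "subject=..." line as printed by
# `openssl x509 -noout -subject`. Handles the RFC 2253 form (CN=x,O=y),
# the spaced default form (CN = x, O = y) and the legacy slash form
# (/O=y/CN=x, root first, which is reversed to leaf first).
# Result: the lower-cased subject DN, e.g. cn=blr-srm-r5f,o=policy-tree.
alias_from_subject() {
    s=$(printf '%s' "$1" | sed 's/^subject= *//')
    case "$s" in
        /*) s=$(printf '%s' "$s" | awk -F/ '{
                out = ""
                for (i = NF; i >= 2; i--) out = out (out == "" ? "" : ",") $i
                print out }') ;;
    esac
    printf '%s\n' "$s" | sed 's/ *= */=/g; s/, */,/g' | tr '[:upper:]' '[:lower:]'
}

# Write a DER (.der/.cer) or PEM certificate to stdout as PEM.
to_pem() {
    openssl x509 -in "$1" -inform DER -outform PEM 2>/dev/null \
        || openssl x509 -in "$1" -inform PEM -outform PEM
}

# Import one certificate under its subject alias; skip it if already present.
import_cert() {
    pem=$(mktemp) || return 1
    to_pem "$1" > "$pem" || { rm -f "$pem"; return 1; }
    cert_alias=$(alias_from_subject \
        "$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253)")
    if "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" \
            -alias "$cert_alias" >/dev/null 2>&1; then
        echo "already present: $cert_alias"
    else
        echo "importing $1 as alias '$cert_alias'"
        "$KEYTOOL" -import -v -noprompt -trustcacerts -alias "$cert_alias" \
            -file "$pem" -keystore "$KEYSTORE" -storepass "$STOREPASS"
    fi
    rc=$?
    rm -f "$pem"
    return $rc
}

# Usage: sh import-alt-certs.sh TrustedRootCertR5F.der ADServerCert.cer ...
# Backs up the keystore once (NOTE 1), imports every certificate given, then
# lists the aliases so the result can be checked. Afterwards restart only the
# ZEN Server service (NOTE 4); re-run this script after each restart.
main() {
    backup="$KEYSTORE.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$KEYSTORE" "$backup" || return 1
    echo "keystore backed up to $backup"
    for cert in "$@"; do
        import_cert "$cert" || { echo "failed: $cert" >&2; return 1; }
    done
    "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" | grep -i 'Alias name'
}

[ $# -eq 0 ] || main "$@"
```

Run it as root on the ZCM server with the exported .der/.cer files as arguments; with no arguments it only defines the functions, so `alias_from_subject` can be exercised on its own against `openssl x509 -noout -subject` output before touching the live keystore.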