Cannot import new Identity Server after upgrading Admin Console from Access Manager 3.0 to 3.1

  • 7007215
  • 16-Nov-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 SSLVPN Server
Novell Access Manager 3.1 Java Agents

Situation

Access Manager 3.0.4 running successfully with a single Identity Server and Linux Access Gateway. Due to an issue with expiring certificates, a new certificate was created and manually installed using the TID referenced at https://support.microfocus.com/kb/doc.php?id=7002781&sliceId=1&docTypeID=DT_TID_1_1&dialogID=183908247&stateId=0%200%20183904828.

After upgrading the Admin Console from 3.0.4 to 3.1.2, everything continued to work as expected. Before upgrading the existing Identity Server and Linux Access Gateway server, a new Identity Server on Linux was installed on 3.1.2 for fault tolerance. The install appeared to go through successfully, but no new Identity Server device appeared in the Admin Console.

The install log files from /tmp/novell_access_manager/ directory did not show any install errors. The Identity Server JCC logs at /opt/novell/devman/jcc/logs/ did not show any errors either. The only log file that gave a hint of a problem was the /opt/novell/devman/share/logs/app_sc.0.log file on the Admin Console which indicated that an 'unknown certificate' was received from the Identity Server during the install.

Resolution

Recreate the certificate assigned to the Admininstration Console certificate store so that the Extended KeyUsage attribute is has both client and server attributes. Once done, restart tomcat on the Admin Console server and re-install the Identity Server.

The unknown certificate error in app_sc log file indicated an issue with the SSL handshake. When running the install, a tcpdump can be run on the Identity Server where data is filtered between the Identity Server and Admin Console on TCP 1443. Analysing the trace showed that the Identity Server requests a certificate from the Admin Console during the initial SSL handshake. The Admin Console sends the certificate across but the Identity server responds with an unknwon certificate, generated during the certificate validation stage.

Additional Information

By modifying the RUN_PROPS statement to the /opt/novell/devman/jcc/conf/run.sh file on the Identity Server as follows:

RUN_PROPS="-Djava.util.logging.config.file=${CONF_DIR}/logging.properties -Djava.security.manager -Djava.security.policy=${CONF_DIR}/jcc.policy -Djavax.net.debug=ssl"

it is possible to run this run.sh file to retry the import process. Doing so generates a new log file (/opt/novell/devman/jcc/logs/jcc-run.log) with more details on the SSL handshake. The following entries were visible in the log file that identified the issue:


[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth ************* problem!
]
 
During the import process, the Admin Console sends it's certificate over to the Identity Server. This certificate is acting as a client certificate and must state that it is capable of doing so. In the above example, the Identity server tried to validate the incoming certificate andnoticed that the certificate received could not have come from an SSL client. The following log entry was displayed showing the problem.
 
***
http-10.206.16.43-1443-Processor4, SEND TLSv1 ALERT:  fatal, description = certificate_unknown
http-10.206.16.43-1443-Processor4, WRITE: TLSv1 Alert, length = 2
http-10.206.16.43-1443-Processor4, called closeSocket()
http-10.206.16.43-1443-Processor4, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Exte
nded key usage does not permit use for TLS client authentication
http-10.206.16.43-1443-Processor4, called close()