Mac OS keychain file corrupted during SSLVPN connection

  • 7008666
  • 30-May-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 SSLVPN Server
Novell Access Manager 3.1 Support Pack 3 applied
Mac OS 10.x host OS

Situation

Access Manager SSLVPN is set up and protects non-HTTP applications on an internal network. All users are set up to run in Enterprise (OpenVPN) mode and have no issues accessing the protected applications. However, one user running on a Mac OS X platform noticed that the keychain file was corrupted after a failed connection attempt. The user noticed that the SSLVPN client on the Mac copies the Mac user's keychain file (.login.keychain_novl) as the connection is established. If the SSLVPN client is interrupted for any reason during this copy, the user's keychain becomes corrupt. This then breaks lots of things on the user's Mac.

Resolution

Working as designed in Access Manager 3.1.3, but this will be changed for 3.1.4: the planned change is not to back up the keychain file. The backup and restore of this keychain file is part of the sandbox setup, where your private caching details are hidden; any passwords or sensitive information specific to that session will not get written to the host's keychain file to be used at a later date. When you disconnect, the SSLVPN client copies the main keychain file back, i.e. we copy /Library/Keychains/login.keychain to /Library/Keychains/.login.keychain just for backup purposes and restore it after a disconnect.
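
The failure described above comes from a file copy that can be interrupted part-way. The following is an added example, not Novell's client code, of one way to make a backup and restore of this kind safe against interruption: copy to a temporary file, verify it, then rename it into place. The function names, the `.login.keychain.bak` name and the directory argument are assumptions; run it against a scratch directory.

```shell
#!/bin/sh
# Interruption-safe copy: the destination is only ever replaced by a
# complete, verified file and is never written in place.
safe_copy() {
    src=$1; dst=$2
    # Temp file lives in the destination directory so the final rename
    # stays on one filesystem.
    tmp=$(mktemp "$(dirname "$dst")/.kc_tmp.XXXXXX") || return 1
    if cp -p "$src" "$tmp" && cmp -s "$src" "$tmp"; then
        mv -f "$tmp" "$dst"      # rename(2): atomic on one filesystem
    else
        rm -f "$tmp"             # destination left untouched
        return 1
    fi
}

# Session start: back up the live keychain in directory $1.
# (.login.keychain.bak is a hypothetical name for this example.)
backup_keychain() {
    dir=$1
    safe_copy "$dir/login.keychain" "$dir/.login.keychain.bak"
}

# Session end: restore only from a backup that exists and is non-empty;
# otherwise keep the live file as it is.
restore_keychain() {
    dir=$1; bak="$dir/.login.keychain.bak"
    [ -s "$bak" ] || return 1
    safe_copy "$bak" "$dir/login.keychain" && rm -f "$bak"
}
```

If the process is killed during `cp`, only the temporary file is incomplete; the live keychain and any earlier backup are unchanged.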