Trusted roots tab when viewed in admin console generates an exception

  • 7008816
  • 15-Jun-2011
  • 26-Apr-2012

Environment

Novell Access Management 3.04
Novell Access Management 3.1 Access Administration

Situation


After an upgrade from Access Manager 3.04 to 3.1 there was a problem when trying to view the trusted roots.
The problem appeared in the Admin Console when viewing the Trusted Root Certificates (Security -> Trusted Roots).
This was not a problem on the Access Manager 3.04 version.

The catalina.out showed the following exception each time the trusted root tab was selected:

Novell JClient 1.5.1256-1.5.1277.  Copyright 1999 Novell Inc. All Rights Reserved.
java.lang.NumberFormatException: For input string: ""
 at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
 at java.lang.Long.parseLong(Long.java:431)
 at java.lang.Long.<init>(Long.java:678)
 at org.apache.jsp.jsp.admin.certmgmt.keys_005flist_005finc_jsp._jspService(y:1211)

Resolution

An incomplete trusted root object in the config store caused the exception seen in the catalina.out file:

<objectDN
name="ou=ad,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell">

<attribute name="romaCertXMLDoc">

<value>
<romaCert CertName="ad" IsTrustedRoot="true"/>
</value>
</attribute>


Steps to solve the problem:

(a) Make a backup of the config store with the /opt/novell/devman/bin/ambkup.sh script.
(b) From an LDAP browser, delete the object:
"ou=ad,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell"

(c) Log out of the Admin Console and log back in.


To find the incomplete object, we used the XML file generated by the amdiagcfg.sh script, which is present on the Admin Console server in the /opt/novell/devman/bin/ directory.

In that file we searched for the keyword romaCertXMLDoc to see whether there were trusted root objects that were incomplete.
If an entry is incomplete, the objectDN shown above the romaCertXMLDoc attribute tells you which object to remove from the config store.

In the case of an incomplete object the entry looked like this:
<attribute name="romaCertXMLDoc">

<value>
<romaCert CertName="ad" IsTrustedRoot="true"/>
</value>
</attribute>

Good objects look like this:
<attribute name="romaCertXMLDoc">
<value>
<romaCert CertName="TESTCA" CertStartingValidDate="1164392820000" CertEndingValidDate="1953311013000" Algorithm="4"
Subject="CN=TESTCA, O=TEST, C=NL" CAKey="true" PathLengthCritical="true" PathLength="2147483647"
KeyUsage="1536" IsTrustedRoot="true"/>
</value>
</attribute>

Note: the good entry above is just an example; the values you see can differ.
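
The search described above can be scripted. This is an added example, not Novell's code: it scans the amdiagcfg.sh XML output for romaCert entries marked IsTrustedRoot="true" that lack numeric CertStartingValidDate / CertEndingValidDate values and reports the objectDN that precedes each one. Assumptions: the file follows the layout of the excerpts on this page, those two attributes are what distinguish a complete entry, and the sample input (including the TESTCA DN) is constructed.

```python
import html
import re
import sys

# Assumption: a complete entry carries these as numbers (see the good entry above).
NUMERIC_ATTRS = ("CertStartingValidDate", "CertEndingValidDate")
DN_RE = re.compile(r'<objectDN\s+name="([^"]*)"')
CERT_RE = re.compile(r'<romaCert\b([^>]*)>')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample in the layout shown on this page; the TESTCA DN is made up.
SAMPLE = '''
<objectDN name="ou=TESTCA,ou=KeyContainer,o=example">
<attribute name="romaCertXMLDoc">
<value>
<romaCert CertName="TESTCA" CertStartingValidDate="1164392820000"
CertEndingValidDate="1953311013000" Algorithm="4" IsTrustedRoot="true"/>
</value>
</attribute>
<objectDN
name="ou=ad,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell">
<attribute name="romaCertXMLDoc">
<value>
<romaCert CertName="ad" IsTrustedRoot="true"/>
</value>
</attribute>
'''

def find_incomplete_trusted_roots(diag_text):
    """Return (objectDN, CertName, bad_attrs) for each incomplete trusted root."""
    text = html.unescape(diag_text)  # tolerate an XML-escaped <value> payload
    dns = [(m.start(), m.group(1)) for m in DN_RE.finditer(text)]
    findings = []
    for cert in CERT_RE.finditer(text):
        attrs = dict(ATTR_RE.findall(cert.group(1)))
        if attrs.get("IsTrustedRoot") != "true":
            continue
        bad = [a for a in NUMERIC_ATTRS if not attrs.get(a, "").isdigit()]
        if bad:
            # The owning object is the nearest objectDN preceding the entry.
            owner = next((dn for pos, dn in reversed(dns) if pos < cert.start()), None)
            findings.append((owner, attrs.get("CertName"), bad))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for dn, name, bad in find_incomplete_trusted_roots(text):
        print(f"{name}: missing/non-numeric {', '.join(bad)}\n  objectDN: {dn}")
```

Run it with the path to the diagnostic XML as its only argument, and take the ambkup.sh backup from step (a) before deleting any object it reports.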