NetIQ Access Manager Administration Console fails to start

  • 7009376
  • 16-Sep-2011
  • 21-Dec-2017

Environment

Novell Access Manager 3.1
NetIQ Access Manager 3.2
NetIQ Access Manager 4.x
 

Situation

  • The login page for the Access Manager Administration console does not show up anymore. A connection cannot be established with https://<ip_address_of_the_IDS>:8443.

  • After restarting Tomcat, the following pattern can be identified in the "/var/opt/novell/tomcat5/logs/catalina.out" log file:

    Sep 6, 2011 2:39:58 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /opt/novell/jdk1.6.0_22/jre/lib/i386/server:/opt/novell/jdk1.6.0_22/jre/lib/i386:/opt/novell/jdk1.6.0_22/jre/../lib/i386:/var/opt/novell/iManager/nps/WEB-INF/bin/linux:/var/opt/novell/iManager/nps/WEB-INF/bin:/opt/novell/iManager/lib:/usr/lib:/opt/novell/lib:/usr/java/packages/lib/i386:/lib:/usr/lib

    constructing a new valve
    Sep 6, 2011 2:39:58 PM org.apache.coyote.http11.Http11BaseProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8080

    Devman Trust Manager loaded
    Sep 6, 2011 2:39:58 PM org.apache.coyote.http11.Http11BaseProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8444
    NIDP Trust Manager loaded
    Sep 6, 2011 2:39:59 PM org.apache.coyote.http11.Http11BaseProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8443
    NIDP Trust Manager loaded
    Sep 6, 2011 2:39:59 PM org.apache.coyote.http11.Http11BaseProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8445
    NIDP Trust Manager loaded
    Sep 6, 2011 2:39:59 PM org.apache.coyote.http11.Http11BaseProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8446
    Sep 6, 2011 2:39:59 PM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 987 ms
    Sep 6, 2011 2:39:59 PM org.apache.catalina.core.StandardService start
    INFO: Starting service Catalina
    Sep 6, 2011 2:39:59 PM org.apache.catalina.core.StandardEngine start
    INFO: Starting Servlet Engine:
    Sep 6, 2011 2:39:59 PM org.apache.catalina.core.StandardHost start
    INFO: XML validation disabled
    Sep 6, 2011 2:40:00 PM org.apache.catalina.core.ApplicationContext log
    INFO: Initializing the Application Manager.
    Sep 6, 2011 2:40:00 PM org.apache.catalina.core.ApplicationContext log
    INFO: Path to base directory == "/opt/volera/roma"
    Sep 6, 2011 2:40:00 PM org.apache.catalina.core.ApplicationContext log
    INFO: Initializing application manager with configuration file /opt/novell/devman/share/conf/vcdn.conf.
    Sep 6, 2011 2:40:00 PM org.apache.catalina.core.ApplicationContext log
    INFO: Done Setting up the System Properties
    Updated devman trust store
    SRetryDispatcher retrying:  0
    SRetryDispatcher retrying:  1
    SRetryDispatcher retrying:  2
    SRetryDispatcher retrying:  3
    SRetryDispatcher retrying:  0
    SRetryDispatcher retrying:  1
    SRetryDispatcher retrying:  2
    SRetryDispatcher retrying:  3
    SRetryDispatcher retrying:  0
    SRetryDispatcher retrying:  1
    SRetryDispatcher retrying:  2
    SRetryDispatcher retrying:  3
    SRetryDispatcher retrying:  0
    SRetryDispatcher retrying:  1
    SRetryDispatcher retrying:  2
    SRetryDispatcher retrying:  3
    Shutting down Device Manager suite.
    Application manager is Shutting down the Device Manager suite.
    Shutting down Device Manager suite.
In 4.x you will see:

Updated devman trust store
SRetryDispatcher exception:  login (ldaps://192.168.28.8:636/o=novell/ou=accessManagerContainer/ou=VCDN_Root/ou=PartitionsContainer/ou=Partition/ou=ROMAServerContainer/ou=server1/ou=Alert, com.volera.vcdn.platform.storage.core.SPasswordCredentials@4d38dec2) failed
javax.naming.CommunicationException: simple bind failed: 192.168.28.8:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2788)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at com.volera.vcdn.platform.storage.protocol.ldap.SLdap.login(y:2256)
    at com.volera.vcdn.platform.storage.protocol.ldap.SXmldap.login(y:2080)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.volera.vcdn.platform.storage.core.SCommand.dispatch(y:3069)
    at com.volera.vcdn.platform.storage.core.controller.SMethodCaller.dispatch(y:2420)
    at com.volera.vcdn.platform.storage.protocol.ldap.SLdapExceptionDispatcher.dispatch(y:2601)
    at com.volera.vcdn.platform.storage.protocol.ldap.SRetryDispatcher.dispatch(y:1442)
    at com.volera.vcdn.platform.storage.protocol.ldap.SLdap.dispatch(y:1873)
    at com.volera.vcdn.platform.storage.core.SUser._login(y:1453)
    at com.volera.vcdn.platform.storage.core.SUser.login(y:238)
    at com.volera.vcdn.platform.storage.core.SUser.login(y:2416)
    at com.volera.vcdn.platform.storage.core.SUser.login(y:3361)
    at com.volera.vcdn.platform.appmanager.ApplicationManager.J(y:802)
    at com.volera.vcdn.platform.appmanager.ApplicationManager.F(y:3479)
    at com.volera.vcdn.platform.appmanager.ApplicationManager.init(y:2182)
    at com.volera.vcdn.platform.appmanager.ApplicationManagerInit.init(y:1151)
    at com.volera.vcdn.platform.appmanager.ApplicationManagerInit.contextInitialized(y:966)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4994)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5492)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1575)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1565)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
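Both log excerpts above carry a recognisable signature: on 3.1/3.2 a burst of "SRetryDispatcher retrying" lines followed by the Device Manager shutdown, on 4.x an "SRetryDispatcher exception" whose root cause ends in "timestamp check failed". The Python script below is an added example, not part of this TID and not NetIQ code; it scans catalina.out lines for those two signatures and reports which one matched together with the LDAP host and port taken from the failing ldaps:// URL. The sample log lines embedded in it are constructed from the excerpts above (the "healthy" sample is invented), and the verdict strings are names chosen for this example.

```python
"""Triage catalina.out for the Access Manager Administration Console
LDAP-login failure described in this TID (added example, not NetIQ code)."""
import re
from typing import Iterable, Optional

# Signatures quoted in the TID: 3.1/3.2 retry burst + shutdown, 4.x bind exception.
RETRY_RE = re.compile(r"SRetryDispatcher retrying:\s+\d+")
SHUTDOWN_RE = re.compile(r"Shutting down Device Manager suite\.")
EXCEPTION_RE = re.compile(r"SRetryDispatcher exception:\s+login \((ldaps://[^,\s]+)")
LDAP_HOST_RE = re.compile(r"ldaps://([^/:]+):(\d+)")
TIMESTAMP_RE = re.compile(r"CertPathValidatorException: timestamp check failed")

# Next-step hints paraphrasing the Resolution section of the TID.
NEXT_STEP = {
    "ldap-certificate-expired": "LDAP server certificate expired: repair the default "
                                "certificate (iManager) or delete it and run 'ndsconfig upgrade'.",
    "ldap-login-failed": "Admin Console cannot bind to the configuration LDAP server: check "
                         "that a valid SSL certificate is assigned to the LDAP server object.",
    "no-match": "Pattern from this TID not found.",
}


def triage_catalina(lines: Iterable[str]) -> dict:
    """Scan log lines and return a verdict plus the evidence it was based on."""
    retries = 0
    shutdown = False
    ldap_host: Optional[str] = None
    ldap_port: Optional[int] = None
    expired = False
    for line in lines:
        if RETRY_RE.search(line):
            retries += 1
        if SHUTDOWN_RE.search(line):
            shutdown = True
        exc = EXCEPTION_RE.search(line)
        if exc:
            host = LDAP_HOST_RE.search(exc.group(1))
            if host:
                ldap_host, ldap_port = host.group(1), int(host.group(2))
        if TIMESTAMP_RE.search(line):
            expired = True
    if expired:
        verdict = "ldap-certificate-expired"   # 4.x signature, cause is unambiguous
    elif retries and shutdown:
        verdict = "ldap-login-failed"          # 3.1/3.2 signature, cause still to be confirmed
    else:
        verdict = "no-match"
    return {
        "verdict": verdict,
        "retries": retries,
        "shutdown": shutdown,
        "ldap_host": ldap_host,
        "ldap_port": ldap_port,
        "next_step": NEXT_STEP[verdict],
    }


# Constructed samples, abbreviated from the excerpts in this TID.
SAMPLE_3X = """\
Updated devman trust store
SRetryDispatcher retrying:  0
SRetryDispatcher retrying:  1
SRetryDispatcher retrying:  2
SRetryDispatcher retrying:  3
Shutting down Device Manager suite.
Application manager is Shutting down the Device Manager suite.
"""
SAMPLE_4X = """\
Updated devman trust store
SRetryDispatcher exception:  login (ldaps://192.168.28.8:636/o=novell/ou=accessManagerContainer/ou=VCDN_Root, com.volera.vcdn.platform.storage.core.SPasswordCredentials@4d38dec2) failed
javax.naming.CommunicationException: simple bind failed: 192.168.28.8:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
"""
SAMPLE_OK = """\
INFO: Starting service Catalina
Updated devman trust store
INFO: Server startup in 4213 ms
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. /var/opt/novell/tomcat5/logs/catalina.out
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(triage_catalina(fh))
    else:
        for name, sample in (("3.x", SAMPLE_3X), ("4.x", SAMPLE_4X), ("ok", SAMPLE_OK)):
            print(name, triage_catalina(sample.splitlines()))
```

Run it with the path to catalina.out as the first argument; with no argument it triages the three embedded samples. The 3.1/3.2 verdict is deliberately weaker than the 4.x one, because that log does not name the cause, only the failed bind and the resulting shutdown.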

Resolution

  1. Install a workstation-based iManager with the Certificate Server snap-ins.
  2. Use this iManager to log in to your Primary Admin Console with the admin user account.
  3. Open the "Novell Certificate Server" tasks and roles and select the "Repair Default Certificate" menu. Browse down to the server object for your primary AC and select this object. You should now be able to run the default repair options. The tool auto-detects an expired default certificate. Usually the "SSL CertificateDNS" is the one which is assigned to the LDAP server.

  4. Check whether a certificate has been assigned to the LDAP server:
    use the above installed iManager -> Tasks and Roles -> LDAP -> LDAP Options -> View LDAP Servers, select your LDAP server, open the "Connections" menu and select the certificate you created.

Cause

  • The certificate assigned to the LDAP server is expired
    (usually the "SSL CertificateDNS")

  • There is no SSL certificate assigned to the LDAP server object
    (usually the "SSL CertificateDNS")
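Both causes come down to the certificate the LDAP listener on port 636 presents, and the "timestamp check failed" in the 4.x trace is Java's wording for an expired validity period. The Python script below is an added example, not part of this TID and not NetIQ code: it performs a verifying TLS handshake against the LDAPS port and reports either the certificate's notAfter date with a validity classification, or the verification failure reason, which on an expired certificate is OpenSSL's "certificate has expired". The CA file path, host name, 30-day warning threshold and sample dates are assumptions made for this example.

```python
"""Report the validity of the certificate an LDAPS listener presents
(added example for this TID, not NetIQ code)."""
import socket
import ssl
import time

WARN_DAYS = 30  # assumed warning threshold, not a NetIQ setting


def seconds_until_expiry(not_after: str, now: float = None) -> float:
    """not_after uses the format ssl.SSLSocket.getpeercert() returns,
    e.g. 'Sep  6 14:39:58 2011 GMT'. A negative result means already expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return expiry - (time.time() if now is None else now)


def classify_validity(not_after: str, now: float = None, warn_days: int = WARN_DAYS) -> str:
    """'expired', 'expiring-soon' (inside the warning window) or 'ok'."""
    remaining = seconds_until_expiry(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining < warn_days * 86400:
        return "expiring-soon"
    return "ok"


def check_ldaps_certificate(host: str, port: int = 636, cafile: str = None,
                            timeout: float = 5.0) -> dict:
    """Verifying handshake against host:port.

    cafile is the PEM export of the eDirectory tree CA (placeholder path; it
    depends on your deployment). With that CA trusted, the only verification
    failure left for an expired certificate is 'certificate has expired';
    without it OpenSSL may stop earlier with 'unable to get local issuer
    certificate', so load the CA before drawing conclusions.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                return {"status": "verified", "not_after": not_after,
                        "validity": classify_validity(not_after)}
    except ssl.SSLCertVerificationError as exc:
        # exc.verify_message carries OpenSSL's reason, e.g. 'certificate has expired'
        return {"status": "verify-failed", "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"status": "connect-failed", "reason": str(exc)}


if __name__ == "__main__":
    import sys
    # Placeholders: replace with the Admin Console's configuration LDAP server and CA file.
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.test"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_ldaps_certificate(host, cafile=cafile))
```

The same classify_validity call works on the notAfter value of any certificate you already have in hand, so it can be scheduled against the LDAP server's certificate to raise a warning inside the window instead of discovering the expiry when the Administration Console stops starting.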

Additional Information

If you found that the SSL certificate associated with the LDAP server object is expired, a quick way to fix the problem is to delete the SSL certificate object and then run the command:

ndsconfig upgrade

from the server console. This will create a new certificate and will associate it automatically to the LDAP server object.