Environment
NetIQ Access Manager 3.1.4
Situation
When attempting to log into iManager on the primary admin console, the login screen was returned with no error but no login either, just a loop back to the login screen.
After restarting the primary admin console we could login normally and see that default eDirectory server certificates had expired but had been automatically renewed on the restart.
Later the IDP server was restarted and when users attempted to access protected resources, they were redirected to the idp base URL, as expected, but no login was available.
The IDP catalina.out showed
DirAuthenticator...1114 (Error -669) An invalid password was used, authentication failed, one server tried to synchronize with another one but the target server's database was locked, or a problem exists with the remote ID or public key.
DirAuthenticator...1136 Login failed: admin.novell: 10.17.220.100
SRetryDispatcher retrying: 0
SRetryDispatcher retrying: 1
SRetryDispatcher retrying: 2
SRetryDispatcher retrying: 3
This is an administration console error. This IDP also hosted the secondary AC. The secondary AC was failing to load because the default server certificates had expired and this was preventing the IDP from loading.
After restarting the primary admin console we could login normally and see that default eDirectory server certificates had expired but had been automatically renewed on the restart.
Later the IDP server was restarted and when users attempted to access protected resources, they were redirected to the idp base URL, as expected, but no login was available.
The IDP catalina.out showed
DirAuthenticator...1114 (Error -669) An invalid password was used, authentication failed, one server tried to synchronize with another one but the target server's database was locked, or a problem exists with the remote ID or public key.
DirAuthenticator...1136 Login failed: admin.novell: 10.17.220.100
SRetryDispatcher retrying: 0
SRetryDispatcher retrying: 1
SRetryDispatcher retrying: 2
SRetryDispatcher retrying: 3
This is an administration console error. This IDP also hosted the secondary AC. The secondary AC was failing to load because the default server certificates had expired and this was preventing the IDP from loading.
Resolution
The secondary AC was on the same box as IDP1. In NAM 3.1, the secondary AC does not automatically renew the certifcates and these expired certificates were causing the AC not to load and then the IDP not to load.
The issue was fixed by connecting a standard version of iManager with certificate plugins to the secondary admin console and repairing default certificates on that secondary AC and then restarting the server.
The issue was fixed by connecting a standard version of iManager with certificate plugins to the secondary admin console and repairing default certificates on that secondary AC and then restarting the server.
Cause
On the primary AC, this was not a problem because restarting the AC renewed the certificates automatically.
In NAM 3.1, the secondary AC does not automatically renew the certifcates.
In NAM 3.2, the restarting the secondary AC does automatically renew the default certifcates if they are expired.
In NAM 3.1, the secondary AC does not automatically renew the certifcates.
In NAM 3.2, the restarting the secondary AC does automatically renew the default certifcates if they are expired.