Environment
Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3 for All Platforms
iManager 2.7.6
iManager 2.7.7
iManager 3.1.x
SUSE Linux Enterprise Server 11
Novell Open Enterprise Server 2018 (OES 2018) Linux Support Pack 1
SUSE Linux Enterprise Server 10
Novell Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1
FreeRADIUS
Situation
The Radius plug-in for iManager requires a secure LDAP connection.
When extending the FreeRADIUS schema in iManager, the following error is returned:
Created LDAP context failed:
Connect Error
java.lan.Exception\n at com.novell.nps.radius.ExtendRadiusSchema.showInitialForm(ExtendRadiusSchema.java:185)\n
When creating a Radius Profile or Radius User the following error is returned:
java.lang.NullPointerException at com.novell.nps.radius.RadiusSchema.isSchemaValid(RadisuSchema.java:2511)
Resolution
Check that the keystore (cacerts file) is valid and has the correct permissions. (For OES 2018.1 servers, see the OES 2018.1 sub-section below)
First find the JAVA_HOME path
export |grep -i JAVA_HOME
usually returns something like this:
/usr/lib64/jvm/jre
The keytool binary will usually be located in
/usr/lib64/jvm/jre/bin/keytool
The keystore is usually a file named cacerts in the following location:
/usr/lib64/jvm/jre/lib/security/cacerts
Next check the permissions on the cacerts
ls -al /usr/lib64/jvm/jre/lib/security/cacerts
-rwxr-xr-x 1 root root cacerts*
If the permissions are incorrect change the permissions with command:
chmod 755 /usr/lib64/jvm/jre/lib/security/cacerts
If the cacerts file is missing, or is no longer valid because the CA expired or was recreated, use the keytool command to generate a new cacerts file.
To verify that the CA is valid see TID 7013047
Once the CA is validated, export a certificate from the tree via iManager. If there is an OES server in the tree, use /etc/opt/novell/certs/SSCert.der instead.
To export a certificate with iManager, log in to iManager | Novell Certificate Server | Configure Certificate Authority | Select the Certificates tab | Select the Self Signed Certificate tab | Export | Uncheck the "Export private key" option | Verify the Export format is "Der" | Next | Click the "Save the exported certificate" link and save to the desired location.
Next, run the keytool command:
keytool -import -alias Alias_Name -file /path_to_exported_cert.der -keystore /path_to_cacerts_file
keytool -import -alias Alias_Name -file /etc/opt/novell/certs/SSCert.der -keystore /usr/lib64/jvm/jre/lib/security/cacerts
When prompted for the password, type "changeit", and answer "yes" to the question "Trust this certificate?"
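The checks above can be scripted before running the import. The following is an added example, not part of the original TID or of any Novell tooling: it verifies the keystore permissions and reports whether the exported certificate is already trusted under any alias. The function names are hypothetical, the default paths are the ones given above (override them via environment variables for OES 2018.1), and it assumes keytool prints fingerprints as "SHA256: AA:BB:..." lines.

```bash
#!/bin/bash
# Added example, not from the TID. Pre-import checks for the JVM truststore.
# Defaults are the paths given in this TID; override them via the environment.
KEYSTORE="${KEYSTORE:-/usr/lib64/jvm/jre/lib/security/cacerts}"
CERT="${CERT:-/etc/opt/novell/certs/SSCert.der}"
KEYTOOL="${KEYTOOL:-/usr/lib64/jvm/jre/bin/keytool}"
STOREPASS="${STOREPASS:-changeit}"

# Succeeds if the keystore exists, is readable, and is not writable by
# group or other (write access lets a local user add a CA the JVM trusts).
keystore_perms_ok() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    case "$(ls -ld -- "$1" | cut -c1-10)" in
        ?????w*|????????w*) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# Read keytool output on stdin and print every SHA-256 fingerprint found.
# Assumes the "SHA256: AA:BB:..." line format of keytool -v / -printcert.
sha256_fingerprints() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*/\1/p'
}

# Succeeds if fingerprint $1 occurs in the keytool output on stdin.
fingerprint_listed() {
    sha256_fingerprints | grep -qixF -- "$1"
}

# Report whether CERT is already trusted by KEYSTORE, under any alias.
check_truststore() {
    keystore_perms_ok "$KEYSTORE" ||
        { echo "FAIL: $KEYSTORE missing, unreadable, or group/world-writable"; return 1; }
    fp=$("$KEYTOOL" -printcert -file "$CERT" | sha256_fingerprints | head -n1)
    [ -n "$fp" ] || { echo "FAIL: cannot read certificate $CERT"; return 1; }
    echo "Certificate SHA256: $fp"
    if "$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" |
        fingerprint_listed "$fp"; then
        echo "OK: certificate is already in $KEYSTORE"
    else
        echo "MISSING: import it with keytool -import, then restart Tomcat"
        return 2
    fi
}

# Run the checks only when executed with "check" as the first argument.
if [ "${1:-}" = "check" ]; then check_truststore; fi
```

Compare the printed fingerprint with the one shown for the self-signed CA certificate in iManager before answering "yes" to the trust prompt.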
OES 2018.1:
Certificate path on OES server: /etc/opt/novell/certs/SSCert.der
keytool path: /usr/lib64/jvm/java-1_8_0-ibm-1.8.0/jre/bin/keytool
java keystore path: /var/lib/ca-certificates/java-cacerts
e.g.
/usr/lib64/jvm/java-1_8_0-ibm-1.8.0/jre/bin/keytool -import -file /etc/opt/novell/certs/SSCert.der -keystore /var/lib/ca-certificates/java-cacerts
rcnovell-tomcat restart
Additional Information
See TID 7002490 for creating the keystore for a workstation version of iManager, or copy a valid keystore (the cacerts file) from a server or another workstation.