Kerberos and Radius iManager plugins cannot extend schema

  • 7015543
  • 15-Aug-2014
  • 07-Jan-2021

Environment

NetIQ iManager 2.7 Sp7
NetIQ eDirectory 8.8 SP8
Novell iManager 2.7 SP6
Novell eDirectory 8.8 SP7

Situation

Cannot extend schema using iManager and the Kerberos or Radius plugin.
 
Difficulty managing Smart Cards in iManager.

For Kerberos the plugin returns: 
Complete: Kerberos Schema extension failed.
Authentication Failed, One possible cause could be that the SSL certificate is not properly Installed. Install the certificate in the JAVA keystore.

A LDAP trace shows the following:
LDAP: TLS accept failure 1 on connection 0xceebb0, setting err = -5875.
Error stack: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown - SSL alert number 46
12:01:23 A70 LDAP: TLS handshake failed on connection 0xceebb0, err = -5875"

An iManager debug log is showing the following (must have debug messages turned on):
Performing LDAP bind .....
LDAPException: I/O Exception on host 172.16.73.50, port 636 (91) Connect Error
javax.net.ssl.SSLException: Connection has been shutdown:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested targetPcProxLDAPAuthenti....-1
PcProxLDAPAuthenticator :  Exception error message : Connect Error
...
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)

Resolution

These plugins do not use iManager's trusted store.  They instead use system's.
 
iManager trusted store: /jre/lib/security/cacerts
System: /opt/novell/jdkx.x.x_xx/jre/lib/security/cacerts

Perform the following steps:
1.Export the trusted root certificate into der binary form.
- This is normally already done if eDirectory is on the server.  It can be found at /var/opt/novell/eDirectory/data/SSCert.der
- Otherwise the file can be exported using iManager.  Please refer to section 4.2.4 (Exporting a Trusted Root or Public Key Certificate) in the Certificate Server Administration Guide found at https://netiq.com/documentation.

2. Import the trusted root certificate into the system trusted store.  It is recommended to use the version of keytool that comes with the installed jdk.  Below is an example:
hvserver:~ # rpm -qa | grep jdk
hvserver:~ # /opt/novell/jdk1.7.0_25/bin/keytool -import -alias "kerbcert" -file /var/opt/novell/eDirectory/data/SSCert.der -keystore
/opt/novell/jdk1.7.0_25/jre/lib/security/cacert
 
3. Restart Tomcat
hvserver:~ # rcnovell-tomcat7 restart
 
4. Restart the browser after clearing history and cache.

Additional Information

If the above steps do not resolve the issue, the following procedure may help:

  1. Login to iManager using the server name or IP address in the “Tree” field rather than the tree name.
  2. Navigate to the LDAP Group object of the eDirectory server you are connected to in iManager.
  3. Uncheck “Require TLS for Simple Binds with Password” then click “Apply”.
  4. Reload the eDirectory LDAP module on that server:
    • nldap -u
    • … wait 5 seconds after it completes …
    • nldap -l
  5. In iManager, navigate to Configure -> iManager Server -> Configure iManager -> Authentication, and uncheck “Use Secure LDAP for auto-connection”. Click “Save”.
  6. Restart novell-tomcat. 
    • For SystemD: “systemctl restart novell-tomcat”. 
    • For SysVinit: "rcnovell-tomcatX restart", where X is the version installed on the server.
  7. Login to iManager using the same server name or IP as before.
The SSL error should no longer appear when using the Kerberos plug-in in iManager.

When finished, re-check the boxes from steps 3 and 5, and restart the LDAP module and novell-tomcat service. These should not be left disabled due to the security implications.