Difficulty managing Smart Cards in iManager.
For Kerberos the plugin returns:
Complete: Kerberos Schema extension failed.
Authentication Failed, One possible cause could be that the SSL certificate is not properly Installed. Install the certificate in the JAVA keystore.
An LDAP trace on the eDirectory server shows the following:
LDAP: TLS accept failure 1 on connection 0xceebb0, setting err = -5875.
Error stack: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown - SSL alert number 46
12:01:23 A70 LDAP: TLS handshake failed on connection 0xceebb0, err = -5875
An iManager debug log shows the following (debug messages must be turned on):
Performing LDAP bind .....
LDAPException: I/O Exception on host 172.16.73.50, port 636 (91) Connect Error
javax.net.ssl.SSLException: Connection has been shutdown:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested targetPcProxLDAPAuthenti....-1
PcProxLDAPAuthenticator : Exception error message : Connect Error
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
These plugins do not use iManager's own trusted store. They use the Java system trust store instead: the cacerts file of the JDK that runs iManager's Tomcat, located under that JDK at jre/lib/security/cacerts (for the JDK in the example below, /opt/novell/jdk1.7.0_25/jre/lib/security/cacerts). The eDirectory tree's trusted root certificate therefore has to be imported into that file.
Perform the following steps:
1. Export the tree's trusted root (CA) certificate in DER binary form.
- This is normally already done if eDirectory is on the server: the file is at /var/opt/novell/eDirectory/data/SSCert.der.
- Otherwise export it with iManager. See section 4.2.4 (Exporting a Trusted Root or Public Key Certificate) in the Certificate Server Administration Guide at https://netiq.com/documentation.
2. Import the trusted root certificate into the system trusted store (the JDK's cacerts). Use the keytool that comes with the JDK iManager's Tomcat runs on; if more than one JDK is installed, confirm which one that is first. Example:
hvserver:~ # rpm -qa | grep jdk
hvserver:~ # /opt/novell/jdk1.7.0_25/bin/keytool -import -alias "kerbcert" -file /var/opt/novell/eDirectory/data/SSCert.der -keystore
3. Restart Tomcat
hvserver:~ # rcnovell-tomcat7 restart
4. Restart the browser after clearing history and cache.
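The script below is an added example, not part of iManager or the NetIQ documentation. It automates the check behind steps 1 and 2: it computes the SHA-1 and SHA-256 fingerprints of the DER file (a certificate fingerprint is simply the hash of its DER bytes), parses "keytool -list -v" output to see whether any alias in the JDK's cacerts already carries that fingerprint, and prints the keytool import command from step 2 if none does. Assumptions: the keytool and SSCert.der paths are passed as arguments, the cacerts location follows the JDK 7/8 layout (<jdk>/jre/lib/security/cacerts), the store password is the JDK default "changeit" unless CACERTS_STOREPASS is set, and the embedded certificate bytes and keystore listing are constructed sample data, not real output.

```python
#!/usr/bin/env python3
"""Is a DER-encoded CA certificate already trusted by a JDK's cacerts?
Example code added for this article; not part of iManager."""
import hashlib
import os
import re
import subprocess
import sys


def der_fingerprints(der_bytes):
    """Fingerprints in keytool's format (upper-case hex, colon separated).
    A fingerprint is the hash of the DER encoding, so no ASN.1 parsing is needed."""
    fps = {}
    for label, algo in (("SHA1", "sha1"), ("SHA256", "sha256")):
        digest = hashlib.new(algo, der_bytes).hexdigest().upper()
        fps[label] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return fps


def parse_keytool_list(text):
    """Parse `keytool -list -v` output into {alias: {"SHA1": fp, "SHA256": fp}}."""
    entries, alias = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Alias name:\s*(.+)$", line)
        if m:
            alias = m.group(1)
            entries[alias] = {}
            continue
        m = re.match(r"(SHA1|SHA256):\s*([0-9A-Fa-f:]+)$", line)
        if m and alias is not None:
            entries[alias][m.group(1)] = m.group(2).upper()
    return entries


def find_alias(entries, fps):
    """Alias whose fingerprint matches, or None. SHA256 is preferred; SHA1
    covers older keytools that print no SHA256 line."""
    for alias, entry in entries.items():
        for algo in ("SHA256", "SHA1"):
            if entry.get(algo) == fps[algo]:
                return alias
    return None


def cacerts_for(keytool_path):
    """cacerts of the JDK owning this keytool, JDK 7/8 layout (assumption):
    <jdk>/bin/keytool -> <jdk>/jre/lib/security/cacerts"""
    jdk = os.path.dirname(os.path.dirname(os.path.abspath(keytool_path)))
    return os.path.join(jdk, "jre", "lib", "security", "cacerts")


def import_command(keytool, keystore, der_path, alias="kerbcert"):
    """The keytool invocation from step 2, as an argv list."""
    return [keytool, "-import", "-alias", alias, "-file", der_path,
            "-keystore", keystore]


# Constructed sample data (not a real certificate, not real keytool output):
# arbitrary bytes standing in for SSCert.der, and a two-entry listing in
# `keytool -list -v` layout where alias "kerbcert" carries that file's hashes.
SAMPLE_DER = b"constructed stand-in for SSCert.der"
_FP_OTHER = der_fingerprints(b"constructed stand-in for an unrelated root")
_FP_TREE = der_fingerprints(SAMPLE_DER)
SAMPLE_LISTING = """Keystore type: JKS
Your keystore contains 2 entries

Alias name: otherrootca
Entry type: trustedCertEntry
Certificate fingerprints:
\t SHA1: {o[SHA1]}
\t SHA256: {o[SHA256]}

*******************************************

Alias name: kerbcert
Entry type: trustedCertEntry
Owner: OU=Organizational CA, O=MYTREE
Certificate fingerprints:
\t SHA1: {t[SHA1]}
\t SHA256: {t[SHA256]}
""".format(o=_FP_OTHER, t=_FP_TREE)


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s /path/to/jdk/bin/keytool /path/to/SSCert.der\n" % argv[0])
        return 2
    keytool, der_path = argv[1], argv[2]
    keystore = cacerts_for(keytool)
    with open(der_path, "rb") as f:
        fps = der_fingerprints(f.read())
    # cacerts ships with the well-known default password "changeit".
    storepass = os.environ.get("CACERTS_STOREPASS", "changeit")
    listing = subprocess.run(
        [keytool, "-list", "-v", "-keystore", keystore, "-storepass", storepass],
        stdout=subprocess.PIPE, universal_newlines=True, check=True).stdout
    alias = find_alias(parse_keytool_list(listing), fps)
    if alias:
        print("already trusted in %s as alias '%s'" % (keystore, alias))
        return 0
    print("not found in %s; import it with:" % keystore)
    print(" ".join(import_command(keytool, keystore, der_path)))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as "check_cacerts.py /opt/novell/jdk1.7.0_25/bin/keytool /var/opt/novell/eDirectory/data/SSCert.der" before and after step 2; matching on the fingerprint rather than the alias means a root that was already imported under another name is recognised, and running it against each installed JDK's keytool shows which cacerts actually received the certificate.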
Alternatively, as a temporary workaround, the LDAP server's TLS requirement for simple binds can be disabled:
- Log in to iManager using the server name or IP address in the "Tree" field rather than the tree name.
- Navigate to the LDAP Group object of the eDirectory server you are connected to in iManager.
- Uncheck "Require TLS for Simple Binds with Password", then click "Apply".
- Reload the eDirectory LDAP module on that server:
  nldap -u
  (wait 5 seconds after it completes)
  nldap -l
- Restart Tomcat:
  For systemd: systemctl restart novell-tomcat
  For SysVinit: rcnovell-tomcatX restart, where X is the Tomcat version installed on the server.
When finished, re-check "Require TLS for Simple Binds with Password" (and any other option you unchecked), then reload the LDAP module and restart novell-tomcat again. Do not leave this setting disabled: without it, simple binds send passwords to the LDAP server in cleartext.