Environment
Situation
Difficulty managing Smart Cards in iManager.
For Kerberos the plugin returns:
Complete: Kerberos Schema extension failed.
Authentication Failed, One possible cause could be that the SSL certificate is not properly Installed. Install the certificate in the JAVA keystore.
A LDAP trace shows the following:
LDAP: TLS accept failure 1 on connection 0xceebb0, setting err = -5875.
Error stack: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown - SSL alert number 46
12:01:23 A70 LDAP: TLS handshake failed on connection 0xceebb0, err = -5875
An iManager debug log is showing the following (must have debug messages turned on):
Performing LDAP bind .....
LDAPException: I/O Exception on host 172.16.73.50, port 636 (91) Connect Error
javax.net.ssl.SSLException: Connection has been shutdown:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
PcProxLDAPAuthenti....-1
PcProxLDAPAuthenticator : Exception error message : Connect Error
...
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
Resolution
These plugins do not use iManager's own trusted store; they use the system JDK's. Importing the eDirectory trusted root into iManager's store alone therefore does not clear the PKIX "unable to find valid certification path" error shown above: the root must be present in the keystore the plugins actually read.
iManager trusted store: /jre/lib/security/cacerts
System: /opt/novell/jdkx.x.x_xx/jre/lib/security/cacerts
Perform the following steps:
1. Export the trusted root certificate in DER (binary) form.
- This is normally already done if eDirectory is on the server. It can be found at /var/opt/novell/eDirectory/data/SSCert.der
- Otherwise the file can be exported using iManager. Please refer to section 4.2.4 (Exporting a Trusted Root or Public Key Certificate) in the Certificate Server Administration Guide found at https://netiq.com/documentation.
2. Import the trusted root certificate into the system trusted store. Use the keytool that ships with the installed JDK so that the store it writes matches the one that JDK reads. Find the installed JDK version first, then import. keytool prompts for the keystore password (changeit on a stock Java cacerts file unless it has been changed) and asks you to confirm that the certificate should be trusted. Note that the target file is cacerts (with an s). Below is an example:
hvserver:~ # rpm -qa | grep jdk
hvserver:~ # /opt/novell/jdk1.7.0_25/bin/keytool -import -alias "kerbcert" -file /var/opt/novell/eDirectory/data/SSCert.der -keystore /opt/novell/jdk1.7.0_25/jre/lib/security/cacerts
3. Restart Tomcat
hvserver:~ # rcnovell-tomcat7 restart
4. Restart the browser after clearing history and cache.
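The Resolution steps above as a single script, added here as an example; it is not part of the original TID and not NetIQ tooling. It automates the JDK lookup, the import and the Tomcat restart, and adds two checks the steps above do not include: it skips the import when the alias is already in the keystore, and before restarting Tomcat it uses openssl to confirm that the LDAP server's certificate actually chains to the exported root (the same validation Java performs, but with a readable verify result instead of the PKIX trace in the Situation section). Assumed, because the page does not state them: JDKs live under /opt/novell/jdk*, the cacerts password is still Java's default changeit, and the Tomcat service is novell-tomcat (SystemD) or rcnovell-tomcat7 (SysVinit). Port 636 and the host 172.16.73.50 are taken from the debug log above.

```shell
#!/bin/sh
# Added example for this TID, not Novell/NetIQ code. Automates Resolution steps
# 1-3 and adds two checks: skip the import if the alias already exists, and
# confirm with openssl that the LDAPS certificate chains to the exported root
# before Tomcat is restarted.
# Assumptions (not stated on the page): JDKs under /opt/novell/jdk*, cacerts
# password still the Java default "changeit", LDAPS on port 636, service name
# novell-tomcat (SystemD) or rcnovell-tomcat7 (SysVinit).
set -eu

ALIAS=kerbcert                     # alias used on the page
STOREPASS=${STOREPASS:-changeit}   # Java default for cacerts (assumption)

# Newest JDK home among the directories given as arguments (version sort, so
# jdk1.7.0_25 sorts after jdk1.7.0_9). Replaces the page's `rpm -qa | grep jdk`.
pick_newest_jdk() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# cacerts file inside a JDK home: the store the plugins read, not iManager's own.
cacerts_path() {
    printf '%s/jre/lib/security/cacerts\n' "$1"
}

# Return 0 if the alias is already in the keystore (keytool exits non-zero otherwise).
cert_present() {            # $1 = keytool, $2 = keystore
    "$1" -list -keystore "$2" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1
}

# Step 2: import the DER trusted root into the system cacerts.
import_cert() {             # $1 = keytool, $2 = keystore, $3 = DER file
    if cert_present "$1" "$2"; then
        echo "alias '$ALIAS' already present in $2; nothing to import"
        return 0
    fi
    "$1" -importcert -noprompt -trustcacerts -alias "$ALIAS" \
         -file "$3" -keystore "$2" -storepass "$STOREPASS"
}

# Check that the server's LDAPS certificate chains to the root we just trusted.
# -verify_return_error makes s_client fail the handshake on a verify error
# instead of exiting 0 regardless.
verify_ldaps() {            # $1 = DER root, $2 = LDAP server host or IP
    pem=$(mktemp)
    openssl x509 -inform der -in "$1" -out "$pem"
    if openssl s_client -connect "$2:636" -CAfile "$pem" -verify_return_error \
            </dev/null >/dev/null 2>&1; then
        rm -f "$pem"
        echo "LDAPS on $2: certificate chain verifies against $1"
    else
        rm -f "$pem"
        echo "LDAPS on $2 does NOT chain to $1: export the correct trusted root" >&2
        return 1
    fi
}

# Step 3: restart Tomcat so the plugins reload the trust store.
restart_tomcat() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart novell-tomcat
    else
        rcnovell-tomcat7 restart
    fi
}

main() {                    # $1 = DER trusted root, $2 = LDAP server host or IP
    jdk=$(pick_newest_jdk /opt/novell/jdk*)
    kt="$jdk/bin/keytool"
    ks=$(cacerts_path "$jdk")
    [ -x "$kt" ] || { echo "no keytool found under /opt/novell/jdk*" >&2; exit 1; }
    [ -f "$1" ] || { echo "trusted root $1 not found" >&2; exit 1; }
    import_cert "$kt" "$ks" "$1"
    verify_ldaps "$1" "$2"
    restart_tomcat
}

# Usage (as root): sh import-root.sh /var/opt/novell/eDirectory/data/SSCert.der 172.16.73.50
if [ $# -eq 2 ]; then
    main "$@"
fi
```

If verify_ldaps fails, the server certificate does not chain to the root in SSCert.der, so the root of the CA that actually issued the LDAP server certificate is the one to export in step 1; importing a root the server does not chain to leaves the PKIX error in place even after the restart.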
Additional Information
If the certificate import cannot be completed right away, the following temporarily switches the LDAP connections used by iManager and the plugins to plain (non-TLS) LDAP. If the plugins then work, the problem is confined to the TLS certificate validation described above.
1. Log in to iManager using the server name or IP address in the "Tree" field rather than the tree name.
2. Navigate to the LDAP Group object of the eDirectory server you are connected to in iManager.
3. Uncheck "Require TLS for Simple Binds with Password", then click "Apply".
4. Reload the eDirectory LDAP module on that server:
   - nldap -u
   - wait 5 seconds after it completes
   - nldap -l
5. In iManager, navigate to Configure -> iManager Server -> Configure iManager -> Authentication, and uncheck "Use Secure LDAP for auto-connection". Click "Save".
6. Restart novell-tomcat:
   - For SystemD: systemctl restart novell-tomcat
   - For SysVinit: rcnovell-tomcatX restart, where X is the Tomcat version installed on the server.
7. Log in to iManager using the same server name or IP as before.
When finished, re-check the boxes from steps 3 and 5, then reload the LDAP module and restart novell-tomcat again. While those boxes are unchecked, eDirectory accepts simple binds over unencrypted LDAP and iManager makes them, so bind credentials cross the network in cleartext; do not leave them disabled.