Identity Manager 4.0.2 Remote Loader secure connection fails with SSL3_GET_CLIENT_HELLO after Patch 7

  • 7016144
  • 04-Feb-2015
  • 29-Mar-2015

Environment

NetIQ Identity Manager 4.0.2 Patch 7
NetIQ Identity Manager 4.0.2 Patch 7 Remote Loader
NetIQ Identity Manager Driver - Active Directory
NetIQ eDirectory

Situation

After updating to Identity Manager 4.0.2 Patch 7 Engine and Remote Loader secure connection to the remote loader fails with:

Remote Loader trace:

<nds dtdversion="4.0" ndsversion="8.x">
  <input>
    <status level="error" type="remoteloader">java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL, error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number</status>
  </input>
</nds>

Engine trace:

DirXML Log Event -------------------
    Thread  = Subscriber Channel
    Level   = error
    Message = SSL protocol failure: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
DirXML: [02/03/15 17:56:19.28]: Loader: Waiting for DirXML to connect on 'TCP server socket, port 8090, address localhost, using SSL'...
DirXML: [02/03/15 17:56:34.98]:
DirXML Log Event -------------------

Resolution

Verify that the Remote Loader patch have been properly installed. It have been seen that even when a process have been stopped on Windows the files are still kept open.

1) Stop the remote loader
2) Disable the remote loader service from starting during boot
3) Reboot the server
4) Reinstall the remote loader patch
5) Enable the remote loader service
6) Start the remote loader and check the log for:
DirXML: [02/03/15 18:27:14.34]: Loader: Waiting for DirXML to connect on 'TCP server socket, port 8090, address localhost, using TLSv1'…

This will indicate that it will do TLSv1 and not SSLv3.

Note:If the Engine is on Windows the same issue can be seen for the Engine. In this case make sure the eDirectory Service is disabled on reboot, apply patch again and enable eDirectory afterwards.

Cause

Identity Manager 4.0.2 Patch 7 contains a fix for CVE-2014-3566 (POODLE) which will disable the use of SSLv3 on the wire. As the remote loader code was not updated it would still try to do SSLv3 which the Engine cannot longer do,  there for the connection was not established.

The main cause is that the files where not copied due to still being open.


Additional Information

If this does not solve the problem, check the SSL error that gets reported in the engine trace.  For example, an unknown CA means that the exported certificate came from the wrong certificate.  Go back and redo the export from the CA.

When running the patch installer on a Windows Server make sure that the installation is run "as Administrator", in some cases it have been reported that running it from a shell (which is started as "run as Administrator") will copy all the files correctly.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.