"Ensure that the following replicas are operating correctly" message appears in Identity Server healthcheck after applying NAM 4.0.1 patch

  • 7016346
  • 24-Mar-2015
  • 25-Mar-2015

Environment

NetIQ Access Manager 4.0.1
NetIQ Access Manager 3.2.3
NetIQ Access Manager Identity Server fronted by Load Balancer
Secure LDAP enabled using TCP 636

Situation

Access Manager 4.0 is set up and working well. The Identity Server (IDP) is configured to talk to multiple LDAP servers through a load balancer rather than directly. The load balancer is simply set to round-robin the requests.

After upgrading to NAM 4.0.1, the IDP server healthcheck changed from green to a yellow warning. Clicking the warning for more details shows the following message:

"Ensure that the following replicas are operating correctly XXXX" where XXXX is the name of the LDAP server replica

Going into the IDP server configuration in the administration console and running the 'validate' check on the LDAP server replicas renders the following message:

"Server certificate change is restricted during renegotiation"

Resolution

A number of options exist to work around the issue:

a) instead of specifying the load balancer VIP as the LDAP replica server, point the IDP server at each LDAP server directly and not through the load balancer. This way the IDP server maintains full communication with each LDAP server directly, keeping state and connection information for that one server throughout, and the certificate it sees on a connection never changes.

b) create a wildcard certificate and assign this same server certificate to all the LDAP servers in the replica ring, so that every replica presents an identical certificate whichever server the load balancer selects. Note that this means all replicas share one key pair.

c) modify the /opt/novell/nam/idp/conf/tomcat7.conf file and add the following line

JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.allowUnsafeServerCertChange=true"

to disable the server certificate check during renegotiation. This is the least secure of the options: it removes the protection the JDK introduced against a server's certificate changing within a renegotiated session, for every TLS connection the IDP makes, not just the LDAP ones.


Cause

With the newer patches, NAM ships a newer JDK, e.g. 7u71. One of the big changes in this JDK update is that an "unsafe server certificate change in SSL/TLS renegotiations is not allowed by default" (http://www.oracle.com/technetwork/java/javase/7u71-relnotes-2296187.html)

When the IDP server sends an LDAP request to the load balancer VIP, there is no guarantee that the response comes from the same secure LDAP server. If requests are bounced between different LDAP servers, and each LDAP server presents a different SSL certificate, the IDP server reports the warnings above. Setting jdk.tls.allowUnsafeServerCertChange=true skips the server certificate check, so no error is thrown.
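To confirm this cause before choosing a workaround, the following diagnostic (added here; it is not part of the TID and not NetIQ product code) opens several fresh TLS connections to the LDAP VIP on TCP 636 and reports whether more than one server certificate comes back, and can also compare the certificates fetched from each replica directly, which is the condition workaround (b) aims to satisfy. The hostnames are placeholders, and the comparison rule is the strict one, identical DER certificate by SHA-256 fingerprint; that rule is an assumption of the example, not a statement of the exact equivalence test the JDK applies.

```python
"""Probe a TLS endpoint and report whether it presents more than one
server certificate across connections.

Added diagnostic, not part of the NetIQ TID. Assumptions (hypothetical):
the VIP and replica hostnames are placeholders; a round-robin load
balancer hands each new TCP connection to a different backend, so opening
several connections to the VIP is enough to observe every replica's
certificate. Two certificates count as "the same" only when their DER
encodings are identical (compared by SHA-256 fingerprint).
"""
import hashlib
import socket
import ssl
from collections import Counter


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_server_cert(host: str, port: int = 636, timeout: float = 5.0) -> bytes:
    """Open one new TCP+TLS connection and return the leaf certificate (DER).

    Verification is disabled on purpose: this is a diagnostic that wants to
    see whatever certificate the endpoint presents, even an untrusted one.
    getpeercert(binary_form=True) returns the DER bytes even with CERT_NONE.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def analyze(fingerprints):
    """Summarise fingerprints seen over successive connections to one endpoint.

    Returns (consistent, counts): consistent is True only when every
    connection presented the identical certificate.
    """
    counts = Counter(fingerprints)
    return len(counts) <= 1, dict(counts)


def probe_vip(host: str, port: int = 636, attempts: int = 10):
    """Connect `attempts` times to a load-balanced VIP and analyse what it shows."""
    seen = [fingerprint(fetch_server_cert(host, port)) for _ in range(attempts)]
    return analyze(seen)


def replicas_share_cert(certs_by_host):
    """Given {host: DER cert} fetched from each replica directly, return
    (all_same, {host: fingerprint}). all_same True means workaround (b),
    one certificate on every replica, is already in place."""
    fps = {h: fingerprint(c) for h, c in certs_by_host.items()}
    return len(set(fps.values())) <= 1, fps


if __name__ == "__main__":
    # Placeholder names: replace with the VIP and replicas from the IDP config.
    vip = "ldap-vip.example.com"
    replicas = ["ldap1.example.com", "ldap2.example.com"]

    consistent, counts = probe_vip(vip)
    for fp, n in counts.items():
        print(f"{vip}: {fp} seen {n} times")
    if consistent:
        print("OK: every connection to the VIP presented the same certificate")
    else:
        print(f"WARNING: the VIP presented {len(counts)} different certificates; "
              "a certificate change during renegotiation is rejected by the "
              "JDK unless jdk.tls.allowUnsafeServerCertChange=true")

    same, per_host = replicas_share_cert(
        {h: fetch_server_cert(h) for h in replicas})
    for h, fp in per_host.items():
        print(f"{h}: {fp}")
    print("replicas share one certificate" if same
          else "replicas present different certificates")
```

Run it from the IDP host so it exercises the same network path as the Identity Server; a mix of fingerprints from the VIP reproduces the condition described above, while identical fingerprints from every replica show that the wildcard-certificate workaround is in effect.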