Unable to access iMonitor secure port

  • 7016957
  • 01-Nov-2015
  • 01-Nov-2015

Environment

NetIQ eDirectory all versions

Situation

When accessing iManager via HTTP, the DHost HTTP Server page would display at
http://<servername>:8028
but if "DS Trace" or "NDS iMonitor" was selected, the page would redirect to the secure port
https://<servername>:8030/nds/summary
and the browser would display the error "The connection was interrupted".

From the command line of the server, the command
curl -k https://<servername>:8030
would return
curl: (35) Unknown SSL protocol error in connection to <servername>:8030

This points to a problem with the default server certificates, but server certificate validation from iManager reported the certificates as valid, and replacing them with the "Repair Default Certificates" option did not help.

Resolution

Check whether the HTTP stack can access the server certificate by running ndstrace from the server console:
ndstrace
set ndstrace = NODEBUG
set ndstrace = +HTTP +SSLI +TIME +LMBR

With the trace running, repeat the curl command. On a healthy server the trace shows something like

003d Creating HConnTLS, IP : 192.168.1.140:37921, init:0, iocp:0.
003d!GET / HTTP/1.1
003d HTTP/1.1 200 Ok
003d Destroying HConnTLS (0da9e000).

instead of

0010 Creating HConnTLS, IP : 192.168.1.141:32769, init:0, iocp:0.
0010 TLS operation failed, err: 1, result: -1 --
 -- error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
0010 Destroying HConnTLS (0cd27080).
TLS MEDIUM ciphers required for TLS connections
Server DN read from NetIQ eDirectory.
Certificate DN read from NetIQ eDirectory.
Unable to access server certificate and key, handshakes will fail --
 -- error:1412D198:SSL routines:SSL_CTX_use_KMO:Get server KMO failed
 -- error:1412D194:SSL routines:SSL_CTX_use_KMO:read cache failed

The "no shared cipher" error is only the symptom the client sees: with no server certificate and key loaded, the server cannot offer any of the ciphers it is configured for. The lines that follow identify the actual failure: the server could not read its Key Material Object (KMO) from the kmocache, so the TLS context was never given a certificate.

Listing the kmocache directory showed many more certificate files than normal. There should be just two, the default "SSL CertificateDNS" and "SSL CertificateIP" KMOs, unless more have been created for other purposes. Each file name is the base64 encoding of the KMO name in UTF-16LE, so the directory should look something like

ls /var/opt/novell/eDirectory/data/dib/certserv/kmocache/
UwBTAEwAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGUARABOAFMA.pem
UwBTAEwAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGUASQBQAA==.pem

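To check a kmocache listing without decoding the file names by hand, the following script (an added example, not code from the original article or from NetIQ) decodes each base64/UTF-16LE file name back to its KMO name and reports anything beyond the two defaults. The listing it runs on is constructed: the two file names from the article plus a hypothetical leftover KMO ("Old Test Cert") and a junk file, so that the extra and undecodable branches are exercised.

```python
"""Audit an eDirectory kmocache directory listing.

kmocache stores each Key Material Object as <base64(UTF-16LE name)>.pem.
This decodes the names and flags entries that are not the default pair.
Added example; the default set and sample listing are assumptions.
"""
import base64
import binascii

# Default server certificates created by eDirectory Certificate Server.
DEFAULT_KMOS = {"SSL CertificateDNS", "SSL CertificateIP"}


def kmocache_name_to_kmo(filename: str) -> str:
    """Return the KMO name encoded in a kmocache file name."""
    stem = filename[:-4] if filename.endswith(".pem") else filename
    try:
        raw = base64.b64decode(stem, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a base64 kmocache name: {filename}") from exc
    if len(raw) % 2:
        raise ValueError(f"odd byte count, not UTF-16LE: {filename}")
    return raw.decode("utf-16-le")


def kmo_to_kmocache_name(kmo_name: str) -> str:
    """Inverse: the file name eDirectory uses for a given KMO name."""
    return base64.b64encode(kmo_name.encode("utf-16-le")).decode("ascii") + ".pem"


def audit_kmocache(filenames, expected=DEFAULT_KMOS):
    """Classify cache entries: returns (defaults found, extra KMO names, undecodable files)."""
    found, extra, undecodable = set(), [], []
    for fn in filenames:
        try:
            name = kmocache_name_to_kmo(fn)
        except ValueError:
            undecodable.append(fn)
            continue
        if name in expected:
            found.add(name)
        else:
            extra.append(name)
    return found, extra, undecodable


# Constructed listing: the two names from the article, one hypothetical
# leftover KMO, and one junk file that is not valid base64.
SAMPLE_LISTING = [
    "UwBTAEwAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGUARABOAFMA.pem",
    "UwBTAEwAIABDAGUAcgB0AGkAZgBpAGMAYQB0AGUASQBQAA==.pem",
    kmo_to_kmocache_name("Old Test Cert"),  # hypothetical extra KMO
    "notbase64!!.pem",                       # constructed junk file
]

if __name__ == "__main__":
    found, extra, bad = audit_kmocache(SAMPLE_LISTING)
    print("default KMOs present:", sorted(found))
    print("missing defaults:", sorted(DEFAULT_KMOS - found))
    print("unexpected KMOs:", extra)
    print("undecodable files:", bad)
```

On a real server, pass `os.listdir("/var/opt/novell/eDirectory/data/dib/certserv/kmocache")` to `audit_kmocache` instead of the constructed list; any KMO name reported as unexpected is a candidate for the stale or corrupted cache entry described above, and a default reported as missing means the cache has not been repopulated for that certificate.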

In this case we deleted all the certificate files from the kmocache directory and recreated the certificates from iManager.
The problem still persisted, so we checked which certificate was associated with the server's HTTP Server object in eDirectory. The httpKeyMaterialObject attribute had no value, so we set it manually.

In iManager, go to Directory Administration > Modify Object
- select the HTTP Server object of the server
- select the httpKeyMaterialObject attribute and edit it
- select the appropriate certificate (KMO) and apply the change
- in ndstrace, enable the TIME, TAGS, HTTP, SSLI and LMBR flags
- set ndstrace=*l to start the limber process (this takes 6-10 seconds)
- make sure the trace shows "Certificate DN read from NetIQ eDirectory" and no KMO read errors

This resolved the problem and we were able to access iMonitor successfully over the secure port.

Cause

Possibly a corrupted certificate in kmocache. In this case the server's HTTP Server object also had no httpKeyMaterialObject value, so DHost could not locate a server certificate and key, and every TLS handshake on port 8030 failed with "no shared cipher".