Unable to access iMonitor secure port

  • 7016957
  • 01-Nov-2015
  • 01-Nov-2015


NetIQ eDirectory all versions


When accessing iManager via http the DHost HTTP Server page would display
but if "DS Trace" or "NDS iMonitor" was selected, the page would redirect to
and the browser would display an error message saying "The connection was interrupted"

From the command line of the server, the command
curl -k https://<servername>:8030
would return
curl: (35) Unknown SSL protocol error in connection to <servername>:8030

This indicates a problem with the default server certificates but server certificate validation from iManager indicated that the certificates were valid and replacing them with the "Repair Default Certificates" option did not help.


Check that the certificate access is successful with ndstrace from the server console
set ndstrace = NODEBUG
set ndstrace = +HTTP +SSLI +TIME +LMBR

the curl command should return something like

003d Creating HConnTLS, IP :, init:0, iocp:0.
003d!GET / HTTP/1.1
003d HTTP/1.1 200 Ok
003d Destroying HConnTLS (0da9e000).

instead of

010 Creating HConnTLS, IP :, init:0, iocp:0.
0010 TLS operation failed, err: 1, result: -1 --
 -- error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
0010 Destroying HConnTLS (0cd27080).
TLS MEDIUM ciphers required for TLS connections
Server DN read from NetIQ eDirectory.
Certificate DN read from NetIQ eDirectory.
Unable to access server certificate and key, handshakes will fail --
 -- error:1412D198:SSL routines:SSL_CTX_use_KMO:Get server KMO failed
 -- error:1412D194:SSL routines:SSL_CTX_use_KMO:read cache failed

When viewing the certs in the kmocache directory, there were many more certificates than normal. There should be just two unless more have been created for other purposes. Something like

ls /var/opt/novell/eDirectory/data/dib/certserv/kmocache/

In this case we deleted all the certificates from the kmocache directory and recreated them from iManager.
Still the problem persisted so we checked to see which certificate was associated with the http server object in eDirectory; it was not there so we added it manually.

Go to Modify Object in Directory administration
- select http server object of the server
- select httpKeyMaterialObject:   and edit
- select appropriate cert
- eenable time, tags, http, ssli and lmbr
- set ndstrace=*l (to start limber process which will take 6-10 seconds)
- make sure that the DN for certificate is read

This resolved the problem and we were able to access iMonitor successfully over the secure port.


Possibly a corrupted certificate in kmocache.