NetIQ Access Manager NIDP server keystores are missing from within iManager

  • 7017888
  • 27-Jul-2016
  • 19-Feb-2019

Environment

  • NetIQ Access Manager 4.3.1
  • NetIQ Access Manager 4.3.2
  • NetIQ Access Manager 4.3.3

Situation

Different situations have been seen:
  • Individual IDP cluster node server keystores are not listed under Auditing => Troubleshooting => Certificates

  • The IDP cluster signing, encryption and truststore keystores are not available. In such a situation, reviewing the admin console server catalina.out shows:

    deleting orphaned cluster keystores of nonexistent NIDP cluster (SCCsjbp6).
    INFO: [NEW]  com.volera.vcdn.excomm.keystore  ::  /var/opt/novell/novlwww/devman.keystore
    INFO: [NEW]  com.volera.vcdn.ac.keystore.password  ::  changeit
    SCCsjbp6-connector
    ~tmp_7b494f8598fdcdef-connector
    ~tmp_7b494f8598fdcdef-proxy
    SCCsjbp6-consumer
    SCCsjbp6-connector
    SCCsjbp6-ocsp-truststore
    ~tmp_7b494f8598fdcdef-signing
    ~tmp_7b494f8598fdcdef-encryption
    ~tmp_7b494f8598fdcdef-connector
    ~tmp_7b494f8598fdcdef-proxy
    SCCsjbp6-provider
    SCCsjbp6-signing
    SCCsjbp6-connector
    SCCsjbp6-encryption
    SCCsjbp6-consumer
    ~tmp_7b494f8598fdcdef-truststore
    ~tmp_7b494f8598fdcdef-proxy-truststore
    SCCsjbp6-truststore
    SCCsjbp6-ocsp-truststore
    Feb 01, 2019 12:12:42 PM com.volera.roma.app.handler.AnalyticsHandler getAnalyticsConfigXml
    SEVERE: [LDAP: error code 80 - NDS error: ds locked (-663)]
    Feb 01, 2019 12:12:43 PM com.volera.roma.app.handler.AnalyticsHandler createAnalyticsConfigXml
    SEVERE: [LDAP: error code 80 - NDS error: ds locked (-663)]
    Error connecting to the datastore.<!-- VManager.java:119 javax.naming.NamingException: [LDAP: error
    code 80 - NDS error: DS agent closing (-776)]; remaining name '' -->

  • iManager returns the error message: "Error: Certificates"

Resolution

  • Running an LDIF export of all the keystores from a working backup (with the ACL attributes removed first) and then re-importing them into the running admin console (AC) fixed the problem.

Cause

Comparing NAM backups (working / non-working) shows that exactly 7 keystores are missing from the KeyContainer:

  • dn: ou=SCC1u8ocn-connector,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
  • dn: ou=SCC1u8ocn-consumer,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
  • dn: ou=SCC1u8ocn-encryption,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
  • dn: ou=SCC1u8ocn-ocsp-truststore,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
  • dn: ou=SCC1u8ocn-provider,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
  • dn: ou=SCC1u8ocn-signing,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
  • dn: ou=SCC1u8ocn-truststore,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell

Additional Information

  1. The keystore information for all Access Manager devices is stored in the "ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell" Organizational Unit as "romaKeyStore" objects.

  2. The mapping between a keystore and a given IDP cluster is done by the Cluster ID name (SCC*).

    For Example:

    romaKeystore Object: "ou=SCC8zuvta-signing,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell"

    nidsServerClusterConfiguration: "cn=SCC8zuvta,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell"


  3. NDSTrace Example:

    base: "ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell"
            scope:1  dereference:0  sizelimit:0  timelimit:0  attrsonly:0
            filter: "(&(objectClass=romaKeyStore)(ou=*))"
            no attributes
    (10.2.92.100:40858)(0x0ce0:0x63) nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
    (10.2.92.100:40858)(0x0ce0:0x63) Empty attribute list implies all user attributes
    (10.2.92.100:40858)(0x0ce0:0x63) Sending search result entry "ou=admin-console-keystore,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell" to connection 0xe03bc00
    (10.2.92.100:40858)(0x0ce0:0x63) Sending search result entry "ou=SCC8zuvta-signing,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell" to connection 0xe03bc00
    ........
    ..........
    (10.2.92.100:40858)(0x0ce5:0x63) Search request:
    base: "cn=SCC8zuvta,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell"
            scope:0  dereference:0  sizelimit:0  timelimit:0  attrsonly:0
            filter: "(objectClass=*)"
            no attributes
    (10.2.92.100:40858)(0x0ce5:0x63) nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
    (10.2.92.100:40858)(0x0ce5:0x63) Empty attribute list implies all user attributes
    (10.2.92.100:40858)(0x0ce5:0x63) Sending search result entry "cn=SCC8zuvta,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell" to connection 0xe03bc00

  4. Health Status Information:

    ........
    ........
    <exExceleratorResults exApplianceId="idp-36D334FA520B6838" exMajorVersion="4" exMinorVersion="2" exResultsTimeStamp="1469604924">
      <exVersion exBuild="0" exCodeName="idp" exMajor="4" exMinor="2" exOS="Linux" exSub="0">4.2.0.0.221</exVersion>
      <exHealth exHealthStatus="Green">
        <exServiceHealth exHealthStatus="Passed" exServiceName="/cfg/services">
          <exDescription exHealthStatus="Passed">Identity Server Configuration</exDescription>
          <exDescription exHealthStatus="Passed">Configuration Datastore</exDescription>
          <exDescription exHealthStatus="Passed">User Datastores</exDescription>
          <exDescription exHealthStatus="Passed">Clustering</exDescription>
          <exDescription exHealthStatus="Passed">Signing, Encryption and SSL Connector Keys</exDescription>
        </exServiceHealth>
        <exServiceHealth exHealthStatus="Passed" exServiceName="Identity Server Configuration">
          <exDescription exHealthStatus="Passed">Fully applied</exDescription>
        </exServiceHealth>
        <exServiceHealth exHealthStatus="Passed" exServiceName="Configuration Datastore">
          <exDescription exHealthStatus="Passed">Operating properly</exDescription>
        </exServiceHealth>
        <exServiceHealth exHealthStatus="Passed" exServiceName="User Datastores">
          <exDescription exHealthStatus="Passed">Operating properly</exDescription>
        </exServiceHealth>
        <exServiceHealth exHealthStatus="Passed" exServiceName="Clustering">
          <exDescription exHealthStatus="Passed">Operating properly</exDescription>
        </exServiceHealth>
        <exServiceHealth exHealthStatus="Passed" exServiceName="Signing, Encryption and SSL Connector Keys">
          <exDescription exHealthStatus="Passed">Signing key available ,Certificate Subject Name = O=novell, OU=accessManager, CN=test-signing ,Validity in Days = 2874</exDescription>
          <exDescription exHealthStatus="Passed">Encryption key available ,Certificate Subject Name = O=novell, OU=accessManager, CN=test-encryption ,Validity in Days = 2874</exDescription>
          <exDescription exHealthStatus="Passed">SSL Connector key available ,Certificate Subject Name = C=DE, L=Duesseldorf, O=NetIQ, OU=Technical Services, CN=*.kgast.nam.com ,Validity in Days = 220</exDescription>
        </exServiceHealth>
      </exHealth>
    </exExceleratorResults>
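The Resolution (LDIF export with ACL attributes removed, then re-import) and points 1 and 2 above (romaKeyStore objects under the KeyContainer, mapped to an IDP cluster by the SCC* name) can be checked mechanically before an import is attempted. The following Python script is an added example, not part of this article and not NetIQ code: it parses an LDIF export of the KeyContainer and the cn=cluster,cn=nids container, reports every cluster that lacks one of the seven keystore objects listed under Cause, and strips ACL attributes so the remaining entries can be written back as LDIF. The cluster IDs SCCaaaa01/SCCbbbb02/SCCcccc03, the embedded sample LDIF and the ACL value are constructed placeholders; the DN layout and the seven suffixes are taken from the article.

```python
"""Check an Access Manager KeyContainer LDIF export for incomplete IDP cluster
keystores and strip ACL attributes before re-import (added example)."""
import re
from collections import defaultdict

# The seven romaKeyStore objects every IDP cluster (SCC*) owns, per the Cause section.
EXPECTED_SUFFIXES = ("connector", "consumer", "encryption", "ocsp-truststore",
                     "provider", "signing", "truststore")

KEY_CONTAINER = ("ou=KeyContainer,ou=Partition,ou=PartitionsContainer,"
                 "ou=VCDN_Root,ou=accessManagerContainer,o=novell")
CLUSTER_CONTAINER = "cn=cluster,cn=nids,ou=accessManagerContainer,o=novell"

_KEYSTORE_DN = re.compile(r"^ou=(SCC[A-Za-z0-9]+)-([^,]+)," + re.escape(KEY_CONTAINER) + "$", re.I)
_CLUSTER_DN = re.compile(r"^cn=(SCC[A-Za-z0-9]+)," + re.escape(CLUSTER_CONTAINER) + "$", re.I)
_ATTR_LINE = re.compile(r"^([^:]+)(::?)\s*(.*)$")   # name, ':' or '::' (base64), value


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, [(name, sep, value), ...]), ...].
    Folded lines (leading space) are unfolded; comments are dropped."""
    entries, dn, attrs = [], None, []
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():                      # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.append((name, sep, value))
    if dn is not None:                            # flush a final entry without trailing blank
        entries.append((dn, attrs))
    return entries


def cluster_keystores(entries):
    """Map cluster id -> set of keystore suffixes present as romaKeyStore objects."""
    found = defaultdict(set)
    for dn, attrs in entries:
        is_keystore = any(n.lower() == "objectclass" and v.lower() == "romakeystore"
                          for n, _, v in attrs)
        m = _KEYSTORE_DN.match(dn)
        if is_keystore and m:
            found[m.group(1)].add(m.group(2).lower())
    return found


def cluster_ids(entries):
    """Cluster ids from nidsServerClusterConfiguration DNs (cn=SCC*,cn=cluster,cn=nids,...)."""
    return {m.group(1) for dn, _ in entries if (m := _CLUSTER_DN.match(dn))}


def missing_keystores(entries, clusters=()):
    """Return {cluster_id: [missing suffixes]} for every cluster lacking any of the seven.
    Passing the ids from cluster_ids() also reports clusters with no keystores at all."""
    present = cluster_keystores(entries)
    result = {}
    for cid in sorted(set(present) | set(clusters)):
        missing = sorted(set(EXPECTED_SUFFIXES) - present.get(cid, set()))
        if missing:
            result[cid] = missing
    return result


def strip_acl(entries):
    """Drop ACL attributes, as the Resolution does before re-importing the export."""
    return [(dn, [a for a in attrs if a[0].lower() != "acl"]) for dn, attrs in entries]


def to_ldif(entries):
    """Serialise entries back to LDIF text (one blank line between entries)."""
    out = []
    for dn, attrs in entries:
        out.append(f"dn: {dn}")
        out.extend(f"{name}{sep} {value}" for name, sep, value in attrs)
        out.append("")
    return "\n".join(out)


# --- constructed sample export: one complete cluster, one incomplete, one with none ---
def _ks(cluster, suffix, extra=()):
    lines = [f"dn: ou={cluster}-{suffix},{KEY_CONTAINER}", "objectClass: romaKeyStore",
             "objectClass: top", f"ou: {cluster}-{suffix}", *extra]
    return "\n".join(lines) + "\n\n"

SAMPLE_LDIF = "".join([
    *(_ks("SCCaaaa01", s) for s in EXPECTED_SUFFIXES),
    _ks("SCCbbbb02", "signing", extra=["ACL: 2#subtree#[Public]#[All Attributes Rights]"]),
    _ks("SCCbbbb02", "encryption"),
    f"dn: ou=admin-console-keystore,{KEY_CONTAINER}\nobjectClass: romaKeyStore\n"
    "ou: admin-console-keystore\n\n",
    f"dn: cn=SCCcccc03,{CLUSTER_CONTAINER}\nobjectClass: nidsServerClusterConfiguration\n"
    "cn: SCCcccc03\n\n",
])

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for cid, missing in missing_keystores(entries, cluster_ids(entries)).items():
        print(f"{cid}: missing {', '.join(missing)}")
    print(to_ldif(strip_acl(entries)))
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; clusters with no keystores at all only show up if the nidsServerClusterConfiguration objects are part of the same export, which is why cluster_ids() is fed into missing_keystores(). The admin-console-keystore object is not tied to an SCC* cluster and is deliberately ignored by the DN pattern.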