Environment
- NetIQ Access Manager 4.3.1
- NetIQ Access Manager 4.3.2
- NetIQ Access Manager 4.3.3
Situation
Different situations have been seen:
- Individual IDP cluster node keystores are not listed within Auditing => Troubleshooting => Certificates.
- IDP cluster signing, encryption and truststore keystores are not available. Reviewing catalina.out on the Administration Console server in such a situation lists:
deleting orphaned cluster keystores of nonexistent NIDP cluster (SCCsjbp6).
INFO: [NEW] com.volera.vcdn.excomm.keystore :: /var/opt/novell/novlwww/devman.keystore
INFO: [NEW] com.volera.vcdn.ac.keystore.password :: changeit
SCCsjbp6-connector
~tmp_7b494f8598fdcdef-connector
~tmp_7b494f8598fdcdef-proxy
SCCsjbp6-consumer
SCCsjbp6-connector
SCCsjbp6-ocsp-truststore
~tmp_7b494f8598fdcdef-signing
~tmp_7b494f8598fdcdef-encryption
~tmp_7b494f8598fdcdef-connector
~tmp_7b494f8598fdcdef-proxy
SCCsjbp6-provider
SCCsjbp6-signing
SCCsjbp6-connector
SCCsjbp6-encryption
SCCsjbp6-consumer
~tmp_7b494f8598fdcdef-truststore
~tmp_7b494f8598fdcdef-proxy-truststore
SCCsjbp6-truststore
SCCsjbp6-ocsp-truststore
Feb 01, 2019 12:12:42 PM com.volera.roma.app.handler.AnalyticsHandler getAnalyticsConfigXml
SEVERE: [LDAP: error code 80 - NDS error: ds locked (-663)]
Feb 01, 2019 12:12:43 PM com.volera.roma.app.handler.AnalyticsHandler createAnalyticsConfigXml
SEVERE: [LDAP: error code 80 - NDS error: ds locked (-663)]
Error connecting to the datastore.<!-- VManager.java:119 javax.naming.NamingException: [LDAP: error code 80 - NDS error: DS agent closing (-776)]; remaining name '' -->
- iManager returns the error message: "Error: Certificates"
Resolution
- Running an LDIF export of all the keystores from a working backup (with the ACL attributes removed beforehand) and then re-importing them into the running Administration Console (AC) fixed the problem.
Cause
Comparing a working and a non-working NAM backup shows that exactly 7 keystores are missing from the KeyContainer:
- dn: ou=SCC1u8ocn-connector,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
- dn: ou=SCC1u8ocn-consumer,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
- dn: ou=SCC1u8ocn-encryption,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
- dn: ou=SCC1u8ocn-ocsp-truststore,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
- dn: ou=SCC1u8ocn-provider,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
- dn: ou=SCC1u8ocn-signing,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
- dn: ou=SCC1u8ocn-truststore,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell
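As an added example (not code from the TID or from the product), assuming only the Python standard library: the check below parses a KeyContainer LDIF export, reports which of the seven expected keystore objects listed above are missing for each SCC cluster ID, and strips the ACL attributes from an export before re-import, as the Resolution describes. The sample LDIF and the cluster ID SCCtest01 are constructed.

```python
import re
# The seven romaKeyStore objects every IDP cluster (SCC*) needs in the KeyContainer,
# taken from the "Cause" list above.
EXPECTED = {"connector", "consumer", "encryption", "ocsp-truststore",
            "provider", "signing", "truststore"}
KEY_CONTAINER = ("ou=KeyContainer,ou=Partition,ou=PartitionsContainer,"
                 "ou=VCDN_Root,ou=accessManagerContainer,o=novell")
# Matches e.g. "dn: ou=SCC1u8ocn-signing,<KeyContainer>" -> (cluster id, keystore name)
DN_RE = re.compile(r"^dn:\s*ou=(SCC[0-9a-z]+)-([a-z-]+)," + re.escape(KEY_CONTAINER) + "$", re.I)

def parse_ldif(text):
    """Split LDIF into records (blank-line separated), unfolding RFC 2849 continuation lines."""
    records, cur = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and cur:
            cur[-1] += raw[1:]                 # folded line: drop the leading space
        elif raw.strip() == "":
            if cur:
                records.append(cur)
            cur = []
        elif not raw.startswith("#"):
            cur.append(raw)
    return records + [cur] if cur else records

def attr(line):
    return line.partition(":")[0].strip().lower()   # 'ACL: ...' -> 'acl'

def find_missing_keystores(text):
    """Map each SCC cluster id to the expected keystore objects it is missing."""
    found = {}
    for rec in parse_ldif(text):
        m = DN_RE.match(rec[0])
        if m and any(attr(l) == "objectclass" and l.partition(":")[2].strip().lower() == "romakeystore" for l in rec):
            found.setdefault(m.group(1), set()).add(m.group(2).lower())
    return {cid: sorted(EXPECTED - names) for cid, names in found.items()}

def strip_acl_attributes(text):
    """Drop ACL attributes (folded values included) before re-importing an export."""
    return "\n\n".join("\n".join(l for l in rec if attr(l) != "acl") for rec in parse_ldif(text)) + "\n"

# Constructed sample export (not from the page): SCCtest01 has only two of its seven keystores.
SAMPLE_LDIF = f"""dn: ou=SCCtest01-signing,{KEY_CONTAINER}
objectClass: romaKeyStore
ACL: 2#subtree#cn=admin,o=novell#[All Attributes
  Rights]

dn: ou=SCCtest01-encryption,{KEY_CONTAINER}
objectClass: romaKeyStore
"""
```

Run `find_missing_keystores` over an `ldapsearch`/iManager LDIF export of the KeyContainer of a non-working system to list what has to be restored from the working backup.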
Additional Information
- The keystore information for all Access Manager devices is stored in the "ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell" Organizational Unit as "romaKeyStore" objects.
- The mapping between a keystore and a given IDP cluster is done by the cluster ID name (SCC*). For example:
romaKeyStore object: "ou=SCC8zuvta-signing,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell"
nidsServerClusterConfiguration: "cn=SCC8zuvta,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell"
- NDSTrace example:
base: "ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell"
scope:1 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectClass=romaKeyStore)(ou=*))"
no attributes
(10.2.92.100:40858)(0x0ce0:0x63) nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
(10.2.92.100:40858)(0x0ce0:0x63) Empty attribute list implies all user attributes
(10.2.92.100:40858)(0x0ce0:0x63) Sending search result entry "ou=admin-console-keystore,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell" to connection 0xe03bc00
(10.2.92.100:40858)(0x0ce0:0x63) Sending search result entry "ou=SCC8zuvta-signing,ou=KeyContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell" to connection 0xe03bc00
........
..........
(10.2.92.100:40858)(0x0ce5:0x63) Search request:
base: "cn=SCC8zuvta,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell"
scope:0 dereference:0 sizelimit:0 timelimit:0 attrsonly:0
filter: "(objectClass=*)"
no attributes
(10.2.92.100:40858)(0x0ce5:0x63) nds_back_search: Search Control OID 2.16.840.1.113730.3.4.2
(10.2.92.100:40858)(0x0ce5:0x63) Empty attribute list implies all user attributes
(10.2.92.100:40858)(0x0ce5:0x63) Sending search result entry "cn=SCC8zuvta,cn=cluster,cn=nids,ou=accessManagerContainer,o=novell" to connection 0xe03bc00
- Health Status Information:
........
........
<exExceleratorResults exApplianceId="idp-36D334FA520B6838" exMajorVersion="4" exMinorVersion="2" exResultsTimeStamp="1469604924">
<exVersion exBuild="0" exCodeName="idp" exMajor="4" exMinor="2" exOS="Linux" exSub="0">4.2.0.0.221</exVersion>
<exHealth exHealthStatus="Green">
<exServiceHealth exHealthStatus="Passed" exServiceName="/cfg/services">
<exDescription exHealthStatus="Passed">Identity Server Configuration</exDescription>
<exDescription exHealthStatus="Passed">Configuration Datastore</exDescription>
<exDescription exHealthStatus="Passed">User Datastores</exDescription>
<exDescription exHealthStatus="Passed">Clustering</exDescription>
<exDescription exHealthStatus="Passed">Signing, Encryption and SSL Connector Keys</exDescription>
</exServiceHealth>
<exServiceHealth exHealthStatus="Passed" exServiceName="Identity Server Configuration">
<exDescription exHealthStatus="Passed">Fully applied</exDescription>
</exServiceHealth>
<exServiceHealth exHealthStatus="Passed" exServiceName="Configuration Datastore">
<exDescription exHealthStatus="Passed">Operating properly</exDescription>
</exServiceHealth>
<exServiceHealth exHealthStatus="Passed" exServiceName="User Datastores">
<exDescription exHealthStatus="Passed">Operating properly</exDescription>
</exServiceHealth>
<exServiceHealth exHealthStatus="Passed" exServiceName="Clustering">
<exDescription exHealthStatus="Passed">Operating properly</exDescription>
</exServiceHealth>
<exServiceHealth exHealthStatus="Passed" exServiceName="Signing, Encryption and SSL Connector Keys">
<exDescription exHealthStatus="Passed">Signing key available ,Certificate Subject Name = O=novell, OU=accessManager, CN=test-signing ,Validity in Days = 2874</exDescription>
<exDescription exHealthStatus="Passed">Encryption key available ,Certificate Subject Name = O=novell, OU=accessManager, CN=test-encryption ,Validity in Days = 2874</exDescription>
<exDescription exHealthStatus="Passed">SSL Connector key available ,Certificate Subject Name = C=DE, L=Duesseldorf, O=NetIQ, OU=Technical Services, CN=*.kgast.nam.com ,Validity in Days = 220</exDescription>
</exServiceHealth>
</exHealth>
</exExceleratorResults>