Default certificate auto renewal troubleshooting

  • 7018253
  • 08-Nov-2016
  • 08-Nov-2016

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Manager 4.2
NetIQ Access Manager 4.3

Situation

The certificate renewal process for the default certs (admin-console, devman certificates, test-* certificates) did not renew the certs before they expired.

Resolution

If only the alias in the devman.keystore is incorrect and the certificate has the same expiration date as the other default certificates, you can use keytool to find the current alias and change it to the expected 'tomcat' alias.
  • Find the storepass for the devman.keystore:
    • grep 'NIDP_Name="devman"' /opt/novell/nam/adminconsole/conf/server.xml | sed 's/^.*keystorePass=\"//' | sed 's/\".*$//'
  • Find where keytool is on your system:
    • find /opt|grep keytool
  • List the entries in the devman.keystore:
    • keytool -list -keystore /var/opt/novell/novlwww/devman.keystore -storepass 41CC0255CB43123A
  • Back up the devman.keystore:
    • cp /var/opt/novell/novlwww/devman.keystore /var/opt/novell/novlwww/devman.keystore-backup-`date -I`
  • If you need to change the alias, use the following command (in this example the old alias is 'temp'):
    • keytool -changealias -keystore /var/opt/novell/novlwww/devman.keystore -storepass 41CC0255CB43123A -alias temp -destalias tomcat
  • Restart the admin console
    • /etc/init.d/novell-ac restart
  • Log in as an admin-equivalent user on the admin console to start the renewal process
    • Check the log /var/opt/novell/nam/logs/adminconsole/volera/app_sc.0.log for details about the process
If the devman cert has been replaced manually and you would like to get all of the default certificates recreated, please follow the steps below.
  • Stop ntp on the device
    • /etc/init.d/ntp stop
  • Set the time on the admin console back a few months (only temporarily)
    • date -s 'Fri Jul 1 01:00:00 EDT 2016'
  • Go into the admin console or another instance of iManager and create a new certificate under 'Roles and Tasks | NetIQ Certificate Access | Server Certificates':
    • Certificate name: testdevman
    • Subject: CN=[admin console name], ou=accessManager, o=novell
    • Validity period: set it only to be valid for a month or two and make sure the expiration is before the current date
  • Export the certificate from within iManager, including the private key as a pkcs12 file and copy it to the admin console server (in my examples it is named /root/testdevman.pfx)
  • Stop the admin console
    • /etc/init.d/novell-ac stop
  • Back up the devman.keystore:
    • cp /var/opt/novell/novlwww/devman.keystore /var/opt/novell/novlwww/devman.keystore-backup-`date -I`
  • Find the storepass for the devman.keystore:
    • grep 'NIDP_Name="devman"' /opt/novell/nam/adminconsole/conf/server.xml | sed 's/^.*keystorePass=\"//' | sed 's/\".*$//'
  • Find where keytool is on your system:
    • find /opt|grep keytool
  • Import the pkcs12 into the devman.keystore
    • keytool -importkeystore -srckeystore /root/testdevman.pfx -srcstoretype PKCS12 -destkeystore /var/opt/novell/novlwww/devman.keystore -deststoretype JKS -deststorepass 41CC0255CB43123A
  • Change the alias of the old tomcat alias
    • keytool -changealias -keystore /var/opt/novell/novlwww/devman.keystore -storepass 41CC0255CB43123A -alias tomcat -destalias olddevmancert
  • Change the alias of the new certificate to tomcat (the key password will be what you used when you exported the certificate from the admin console)
    • keytool -changealias -keystore /var/opt/novell/novlwww/devman.keystore -storepass 41CC0255CB43123A -alias testdevman -destalias tomcat
  • Change the key password to match the storepass (in this example, the old key password is 'n0v3ll'):
    • keytool -keypasswd -alias tomcat -keystore /var/opt/novell/novlwww/devman.keystore -keypass n0v3ll -storepass 41CC0255CB43123A -new 41CC0255CB43123A
  • Set date and start ntp
    • ntpdate -s 0.us.pool.ntp.org
    • /etc/init.d/ntp start
  • Start the admin console
    • /etc/init.d/novell-ac start
  • Log in as an admin-equivalent user on the admin console to start the renewal process
    • Check the log /var/opt/novell/nam/logs/adminconsole/volera/app_sc.0.log for details about the process

Cause

  • The renewal process depends on a certificate being present under the 'tomcat' alias in the devman.keystore on the admin console. If no entry has the alias 'tomcat', the process fails with a null pointer error. If this is the only problem, you can use keytool to change the alias of the certificate.
  • The renewal process also only regenerates the certificates once the devman cert has expired. If the devman cert was regenerated manually, the update process will not regenerate any of the other certificates (admin-console, test-*) until that cert expires.
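The following read-only pre-flight check is an added example and is not part of this TID or of the NetIQ product. It wraps the storepass extraction and keytool lookup from the steps above, parses a plain `keytool -list` of the devman.keystore to tell you whether the first resolution (rename the alias to 'tomcat') applies, and uses `openssl x509 -checkend` on the exported 'tomcat' certificate to tell you whether the renewal job will actually regenerate the other default certs (second Cause bullet). The file paths, the `NIDP_Name="devman"` connector attribute, the alias name and the Java 8 keytool listing format are taken from the TID; the environment variable names and the sample data in the test are my own. Nothing is modified on the system.

```shell
#!/bin/sh
# Added example, not from TID 7018253. Read-only diagnostic for the devman
# keystore on a NetIQ Access Manager admin console. Paths are the TID's
# defaults; override with environment variables (assumed names) if needed.
SERVER_XML="${SERVER_XML:-/opt/novell/nam/adminconsole/conf/server.xml}"
DEVMAN_KS="${DEVMAN_KS:-/var/opt/novell/novlwww/devman.keystore}"

# keystorePass of the devman connector: the same grep/sed pipeline as the TID.
extract_storepass() {
    grep 'NIDP_Name="devman"' "$1" | sed 's/^.*keystorePass=\"//' | sed 's/\".*$//'
}

# Prefer the keytool bundled under /opt (the TID's 'find /opt|grep keytool'),
# fall back to whatever is on PATH.
find_keytool() {
    kt=$(find /opt -type f -name keytool 2>/dev/null | head -n 1)
    if [ -n "$kt" ]; then printf '%s\n' "$kt"; else command -v keytool; fi
}

# Alias names from a saved 'keytool -list' output. Java 8 prints one entry
# per line as:  <alias>, <date>, PrivateKeyEntry,   (or trustedCertEntry)
list_aliases() {
    awk -F', ' '/, (PrivateKeyEntry|trustedCertEntry),/ { print $1 }' "$1"
}

private_key_aliases() {
    awk -F', ' '/, PrivateKeyEntry,/ { print $1 }' "$1"
}

# What the listing means for the renewal job (first Cause bullet):
#   ok             - an entry named 'tomcat' exists, renewal can find it
#   rename:<alias> - no 'tomcat' entry but exactly one private key: rename it
#   manual         - zero or several private keys: inspect by hand first
diagnose_aliases() {
    if list_aliases "$1" | grep -qx 'tomcat'; then
        echo ok
        return 0
    fi
    keys=$(private_key_aliases "$1")
    n=$(printf '%s\n' "$keys" | grep -c . || true)
    if [ "$n" -eq 1 ]; then echo "rename:$keys"; else echo manual; fi
}

# Second Cause bullet: the other default certs are only regenerated once the
# 'tomcat' (devman) cert has expired. Exit 0 means expired.
tomcat_cert_expired() {
    pem=$("$KEYTOOL" -exportcert -rfc -alias tomcat \
          -keystore "$DEVMAN_KS" -storepass "$1" 2>/dev/null || true)
    [ -n "$pem" ] || { echo "could not export 'tomcat' entry" >&2; return 2; }
    # -checkend 0 exits 1 when the certificate has already expired.
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        return 1
    fi
    return 0
}

# Live run only on request, so the functions above can be sourced and tested
# offline without touching the real keystore.
if [ "${DEVMAN_CHECK_LIVE:-0}" = "1" ]; then
    KEYTOOL=$(find_keytool)
    STOREPASS=$(extract_storepass "$SERVER_XML")
    tmp=$(mktemp)
    "$KEYTOOL" -list -keystore "$DEVMAN_KS" -storepass "$STOREPASS" > "$tmp"
    echo "aliases: $(list_aliases "$tmp" | tr '\n' ' ')"
    echo "alias check: $(diagnose_aliases "$tmp")"
    if tomcat_cert_expired "$STOREPASS"; then
        echo "devman cert: expired, renewal will regenerate the default certs"
    else
        echo "devman cert: still valid, renewal will not touch the other certs"
    fi
    rm -f "$tmp"
fi
```

Run it as root on the admin console with `DEVMAN_CHECK_LIVE=1 sh devman-check.sh`. A result of `rename:<alias>` is the case the first resolution covers; `manual` means the keystore has none or several private keys and the `keytool -changealias` step should not be run blindly. Note that, exactly as in the TID's commands, the storepass appears on the keytool command line and so in shell history and `ps`; keytool from JDK 7 onward accepts `-storepass:env VARNAME` instead, which keeps it out of both.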