Install of Secondary NAM appliance fails during cluster add

  • 7018685
  • 03-Mar-2017
  • 07-Mar-2017

Environment

NetIQ Access Manager 4.3

Primary NAM appliance was upgraded from 4.2.2 to 4.3
Secondary NAM appliance was installed as fresh 4.3 install

Situation

The Secondary’s IDP doesn’t get added to the existing IDP Cluster (it shows as unconfigured).

The Secondary’s AG doesn’t get added to the existing AG Cluster.

Errors on the console during the install of the Secondary NAM Appliance:

Creating cluster…

grep: ac_main.txt: No such file or directory

grep: ac_temp.txt: No such file or directory

grep: ac_response.txt: No such file or directory

cat: ac_response.txt: No such file or directory

Adding to the Identity Server cluster…

grep: idp_clusster_reponse.txt: No such file or directory

Could not open the xml file: idp_cluster_response.txt


Resolution

1)  Make a backup of /opt/novell/nam/adminconsole/conf/server.xml on the Primary NAM appliance.
2)  On the Primary NAM appliance, modify the connector listening on port 8443 in /opt/novell/nam/adminconsole/conf/server.xml

Original:

<Connector NIDP_Name="connector" port="8443" maxHttpHeaderSize="8192" maxThreads="200" minSpareThreads="5" enableLookups="false" disableUploadTimeout="true" acceptCount="0" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1.2" URIEncoding="UTF-8" allowUnsafeLegacyRenegotiation="false" keystoreFile="/var/opt/novell/novlwww/.keystore" keystorePass="changeit" SSLEnabled="true" address="151.155.214.125" ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2" />


Modified:

<Connector NIDP_Name="connector" port="8443" maxHttpHeaderSize="8192" maxThreads="200" minSpareThreads="5" enableLookups="false" disableUploadTimeout="true" acceptCount="0" scheme="https" secure="true" clientAuth="false" sslProtocol="tls" URIEncoding="UTF-8" allowUnsafeLegacyRenegotiation="false" keystoreFile="/var/opt/novell/novlwww/.keystore" keystorePass="changeit" SSLEnabled="true" address="151.155.214.125" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />


3)  Restart Tomcat:  rcnovell-ac restart

4)  Log in to the Primary Admin Console (iManager), go to Troubleshooting -> Other Known NAM Appliances and click “remove” next to the failed Secondary console.

5)  Delete any objects that reference the name of the failed secondary appliance (e.g. SAS, LDAP, SSL Certs, HTTP).

6)  Restart the install of the secondary NAM Appliance.

This time, when the install reaches the point of adding the IDP and AG to the existing clusters via the REST interface, there will be no handshake failure and the IDP and AG should be added to the clusters properly.

7)  Once the secondary install is complete, revert server.xml on the primary to the backup taken in step 1 and restart Tomcat again. Do not leave the relaxed connector in place: it re-enables RC4 and 3DES cipher suites and drops the sslEnabledProtocols restriction.
rcnovell-ac restart
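
Steps 1, 2 and 7 as a script, added here as an example and not part of this TID: it backs up server.xml, rewrites only the 8443 NIDP connector line with the “Modified” values shown above, and later restores the backup. It runs against a constructed, shortened copy of server.xml in a temporary directory so it can be tried offline; the SERVER_XML path, the sample file contents and the function names are this example's assumptions, and the rcnovell-ac restart calls are left commented out.

```shell
#!/bin/sh
# Added example, not part of the TID: apply and then undo the temporary
# connector change from the Resolution on a copy of server.xml.
# Works on a constructed sample in a temp directory so it runs offline;
# on the Primary NAM appliance point SERVER_XML at
# /opt/novell/nam/adminconsole/conf/server.xml and run "rcnovell-ac restart"
# after each change (commented out below).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SERVER_XML="$WORK/server.xml"

# Constructed sample: the 8443 NIDP connector with the hardened settings the
# TID shows as "Original", next to an unrelated plain-HTTP connector that
# must not be touched.  Cipher list shortened for readability.
cat > "$SERVER_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector NIDP_Name="connector" port="8443" maxThreads="200" scheme="https" secure="true" clientAuth="false" sslProtocol="TLSv1.2" keystoreFile="/var/opt/novell/novlwww/.keystore" keystorePass="changeit" SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2" />
  </Service>
</Server>
EOF

# Cipher list from the TID's "Modified" connector.  RC4 and 3DES suites are
# weak; they stay in place only until the secondary install has finished.
LEGACY_CIPHERS='SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA'

# Print one attribute of the port-8443 NIDP connector (empty if absent).
# $1 = server.xml path, $2 = attribute name
connector_attr() {
    grep 'NIDP_Name="connector" port="8443"' "$1" |
        sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p"
}

# Steps 1-2: back up server.xml, then on the 8443 connector line only set
# sslProtocol="tls", swap in the legacy cipher list and drop
# sslEnabledProtocols (absent from the TID's "Modified" line).
# $1 = server.xml path; the backup is written to $1.orig
relax_connector() {
    cp -p "$1" "$1.orig"
    sed -e '/NIDP_Name="connector" port="8443"/{
        s/ sslProtocol="[^"]*"/ sslProtocol="tls"/
        s/ ciphers="[^"]*"/ ciphers="'"$LEGACY_CIPHERS"'"/
        s/ sslEnabledProtocols="[^"]*"//
        }' "$1.orig" > "$1"
    # rcnovell-ac restart      # step 3 on the appliance
}

# Step 7: put the backed-up file back.
# $1 = server.xml path
restore_connector() {
    cp -p "$1.orig" "$1"
    rm -f "$1.orig"
    # rcnovell-ac restart      # on the appliance
}

# Walk-through on the sample file.
echo "before:   sslProtocol=$(connector_attr "$SERVER_XML" sslProtocol)"
relax_connector "$SERVER_XML"
echo "relaxed:  sslProtocol=$(connector_attr "$SERVER_XML" sslProtocol)"
echo "relaxed:  ciphers=$(connector_attr "$SERVER_XML" ciphers)"
restore_connector "$SERVER_XML"
echo "restored: sslProtocol=$(connector_attr "$SERVER_XML" sslProtocol)"
```

Between steps 3 and 6 on a real appliance, a plain openssl s_client -connect <primary>:8443 </dev/null from the secondary shows whether the primary's 8443 connector now completes a handshake at all; repeating it after step 7 confirms the hardened settings are back.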

Cause

The tightened SSL protocol and cipher settings on the 8443 connector of the Primary NAM appliance (the “Original” connector above) caused an SSL handshake error when the secondary attempted to retrieve the cluster information through the REST interface.