Install of secondary NAM Appliance fails during configure cluster portion of install

  • 7021110
  • 19-Jul-2017
  • 11-Oct-2019

Environment

NetIQ Access Manager 4.3 (NAM) Appliance
Primary Admin Console was upgraded from 4.1 or 4.2 to 4.3
Secondary NAM Appliance installed fresh at 4.3.x

Situation

Environment consisted of 3 NAM Appliances at 4.3 that were all upgraded from earlier versions of Access Manager.
One of the appliances had a hard disk failure, which required re-installing the NAM Appliance at the 4.3 level to be consistent with the other NAM Appliances in the environment. Each attempt to install failed during the cluster configuration portion of the install.

Resolution

The Tomcat connectors for the Admin Console and Identity Server had to be modified to allow the install to complete.

Specifically, change the connector's sslProtocol attribute from "TLSv1.2" to "TLS", and change the cipher list from the SHA-2 cipher suites to the SHA-1 ones.

In other words, make the secondary consistent with how the upgraded Primary NAM Appliance is configured.

*Note: ensure $IP_ADDRESS matches the IP address of the server!

ADMIN CONSOLE : /opt/novell/nam/adminconsole/conf/server.xml

Change both the connectors at the end of the file, see following examples:

<Connector NIDP_Name="devman" port="8444" maxThreads="200" minSpareThreads="5" enableLookups="false" acceptCount="100" scheme="https" secure="true" disableUploadTimeout="true" URIEncoding="utf-8" clientAuth="true" sslProtocol="tls" sslImplementationName="com.novell.socket.DevManSSLImplementation" keystoreFile="/var/opt/novell/novlwww/devman.keystore" keystorePass="EE0D4C4394C5B50F" SSLEnabled="true" address="$IP_ADDRESS" />

<Connector NIDP_Name="connector" port="8443" maxHttpHeaderSize="8192" maxThreads="200" minSpareThreads="5" enableLookups="false" disableUploadTimeout="true" acceptCount="0" scheme="https" secure="true" clientAuth="false" sslProtocol="tls" URIEncoding="UTF-8" allowUnsafeLegacyRenegotiation="false" keystoreFile="/var/opt/novell/novlwww/.keystore" keystorePass="changeit" SSLEnabled="true" address="$IP_ADDRESS" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />

IDP : /opt/novell/nam/idp/conf/server.xml

Change the last connector (NIDP_Name="connector") to be similar to:

<Connector NIDP_Name="connector" address="$IP_ADDRESS" port="2443" maxThreads="600" minSpareThreads="5" enableLookups="false" acceptCount="100" scheme="https" secure="true" disableUploadTimeout="true" URIEncoding="utf-8" sslProtocol="TLS" clientAuth="false" sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation" keystoreFile="/opt/novell/devman/jcc/certs/nam/nam.keystore" keystorePass="changit" SSLEnabled="true" ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA" />

Restart the appliance after these changes.
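
As an added check (example code written for this article, not part of the TID or of the NAM product), the following Python parses a server.xml such as the two files above and reports, per SSL-enabled connector, whether sslProtocol is still the relaxed "TLS", which cipher suites are legacy (RC4, 3DES, MD5 or SHA-1 MAC, KRB5), and whether address matches the appliance IP, so the temporary relaxation can be found and reverted once testing is done. The sample server.xml, the IP address and the hardened SHA-2 suite in it are constructed.

```python
"""Audit the TLS settings of each Tomcat <Connector> in a NAM server.xml
(added example, not from the TID or the NAM product)."""
import xml.etree.ElementTree as ET

# Fragments of suite names from the TID's relaxed cipher lists that a
# hardened TLS 1.2-only connector should not carry. Assumption: SHA-2
# suites end in SHA256/SHA384, so a bare "_SHA" suffix means a SHA-1 MAC.
LEGACY_MARKERS = ("RC4", "3DES", "_MD5", "KRB5")

def is_legacy_cipher(suite: str) -> bool:
    return suite.endswith("_SHA") or any(m in suite for m in LEGACY_MARKERS)

def audit_connectors(server_xml: str, expected_address: str) -> list[dict]:
    """One finding per SSL-enabled connector. 'ok' is True only when the
    connector is TLSv1.2-only, lists no legacy suites and binds to the
    expected address (the TID's $IP_ADDRESS note)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, no TLS settings to check
        proto = conn.get("sslProtocol", "")
        suites = [s.strip() for s in conn.get("ciphers", "").split(",") if s.strip()]
        legacy = [s for s in suites if is_legacy_cipher(s)]
        addr_ok = conn.get("address") == expected_address
        findings.append({
            "name": conn.get("NIDP_Name", "?"),
            "port": conn.get("port"),
            "sslProtocol": proto,
            "legacy_ciphers": legacy,
            "address_ok": addr_ok,
            "ok": proto.lower() == "tlsv1.2" and not legacy and addr_ok,
        })
    return findings

# Constructed sample: port 8443 still carries the TID's relaxed settings,
# port 8444 has been hardened back to TLS 1.2 with a SHA-2 suite.
SAMPLE_SERVER_XML = """<Server><Service>
<Connector port="8080" protocol="HTTP/1.1" />
<Connector NIDP_Name="connector" address="10.0.0.5" port="8443" scheme="https"
  secure="true" sslProtocol="TLS" SSLEnabled="true"
  ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA" />
<Connector NIDP_Name="devman" address="10.0.0.5" port="8444" scheme="https"
  secure="true" sslProtocol="TLSv1.2" SSLEnabled="true"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
</Service></Server>"""

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML, "10.0.0.5"):
        print(finding)
```

Run it against /opt/novell/nam/adminconsole/conf/server.xml and /opt/novell/nam/idp/conf/server.xml on each appliance; any connector reported with ok False still has the relaxed settings.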
Cause

A fresh install of 4.3 provides more hardened security, forcing TLS 1.2 and TLS 1.2 cipher suites. The upgrade documents these security changes but leaves some of the security hardening to the admin, to ensure compatibility with the existing setup that predates the hardening.

The fresh 4.3 install enforced TLS 1.2 and tried to enforce these cipher suites, which the upgraded 4.3 system did not support by default.

Additional Information

Once the install is finished and the environment has been fully tested, the same connectors can be modified to allow only TLS 1.2 along with its cipher suites. This also applies to any web servers that NAM is accelerating that require mutual SSL, etc. Please see the Security Guide for the recommended changes.