Environment
Identity Manager 4.7
Situation
During an Identity Manager 4.7 configuration of the Identity Manager Engine, the following error is found in the /var/opt/netiq/idm/log/idmconfigure.log file.
version 4.7.0.0
Copyright (c) 2017 NetIQ Corporation. All Rights Reserved
Logging in using:
host: /157.175.123.188:636
user: cn=admin,o=mountain
Using LDAP protocol with SSL
LDAPException: Protocol Error (2) Protocol Error
LDAPException: Server Message: Unrecognized extended operation
LDAPException: Matched DN:
at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
at com.novell.ldap.LDAPConnection.extendedOperation(Unknown Source)
at com.novell.ldap.LDAPConnection.extendedOperation(Unknown Source)
at com.novell.nds.dirxml.util.DxCommand.sendLDAPRequest(DxCommand.java:1231)
at com.novell.nds.dirxml.util.DxCommand.getDirXMLVersion(DxCommand.java:1628)
at com.novell.nds.dirxml.util.DxCommand.login(DxCommand.java:1111)
at com.novell.nds.dirxml.util.DxCommand.commandLine(DxCommand.java:553)
at com.novell.nds.dirxml.util.DxCommand.main(DxCommand.java:515)
Importing keystore /tmp/idm_install/SSL CertificateDNS_server.ks to /opt/netiq/common/jre/lib/security/cacerts...
keytool error: java.io.FileNotFoundException: /tmp/idm_install/SSL CertificateDNS_server.ks (No such file or directory)
Resolution
Note: This certificate is only used by the Identity Application drivers. So if you are not using Advanced Edition or the Identity Applications, then exporting & importing the certificate is not necessary.
Here are the steps to export and import the certificate manually:
1. Make sure the new server is added to a driver set in the tree. Create a driver set and add the server to a driver set if needed.
2. Make sure the new server holds a read/write or master replica of the driver set object in the tree. Add the replica to the server if needed.
3. Export the SSL CertificateDNS using the following command:
/opt/novell/eDirectory/bin/dxcmd -v -accept 1 -host <IPAddressOfServer> -port 636 -user <FullLDAPDNOfAdminUser> -exportcerts "SSL CertificateDNS" server java /tmp
Example:
/opt/novell/eDirectory/bin/dxcmd -v -accept 1 -host 157.175.123.188 -port 636 -user cn=admin,o=mountain -exportcerts "SSL CertificateDNS" server java /tmp
4. Import the certificate into cacerts with the following command:
/opt/netiq/common/jre/bin/keytool -v -importkeystore -srckeystore "/tmp/SSL CertificateDNS_server.ks" -destkeystore "/opt/netiq/common/jre/lib/security/cacerts" -srcstorepass "dirxml" -deststorepass "changeit" -srcalias "trustedcert" -destalias "SSL CertificateDNS" -srckeypass "dirxml" -deststoretype JKS -noprompt
5. Delete the /tmp/SSL CertificateDNS_server.ks file. The file name contains a space, so quote the path (an unquoted rm would look for two files, "/tmp/SSL" and "CertificateDNS_server.ks"):
rm "/tmp/SSL CertificateDNS_server.ks"
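The five steps above can be run as one script that adds the checks the configure script did not perform: it verifies that dxcmd actually produced the keystore before calling keytool (the FileNotFoundException in the log is exactly what happens when that check is skipped), confirms the alias landed in cacerts, and removes the temporary keystore even if the import fails. This is an added example, not part of the article or of the NetIQ configure script; the host and admin DN are placeholders taken from the command template, and the paths and keystore passwords are the ones the article itself uses.

```shell
#!/bin/sh
# Added example (not NetIQ code): manual export/import of "SSL CertificateDNS"
# into the IDM JRE cacerts, with the checks the configure script lacks.
set -eu

# Placeholders: override with IDM_HOST=... ADMIN_DN=... when running for real.
IDM_HOST="${IDM_HOST:-<IPAddressOfServer>}"
ADMIN_DN="${ADMIN_DN:-<FullLDAPDNOfAdminUser>}"

CERT_NAME="SSL CertificateDNS"
EXPORT_DIR="/tmp"
DXCMD="/opt/novell/eDirectory/bin/dxcmd"
KEYTOOL="/opt/netiq/common/jre/bin/keytool"
CACERTS="/opt/netiq/common/jre/lib/security/cacerts"
SRC_STOREPASS="dirxml"       # password dxcmd uses for the exported keystore
DEST_STOREPASS="changeit"    # default cacerts password

# Path dxcmd writes for "-exportcerts <cert> server java <dir>":
# <dir>/<cert>_server.ks
exported_keystore_path() {
    printf '%s/%s_server.ks\n' "$1" "$2"
}

# True only when the export left a non-empty keystore behind.
# An empty or missing file means dxcmd failed (typically: server not in a
# driver set, or no R/W replica of the driver set on this server).
export_succeeded() {
    [ -s "$1" ]
}

main() {
    ks=$(exported_keystore_path "$EXPORT_DIR" "$CERT_NAME")

    # Step 3: export the server certificate (the quoted name keeps the space).
    "$DXCMD" -v -accept 1 -host "$IDM_HOST" -port 636 -user "$ADMIN_DN" \
        -exportcerts "$CERT_NAME" server java "$EXPORT_DIR" || true

    if ! export_succeeded "$ks"; then
        echo "export failed: $ks not written." >&2
        echo "check that the server is in a driver set and holds a R/W or master replica of it." >&2
        exit 1
    fi

    # Step 5 is guaranteed even if keytool fails below.
    trap 'rm -f "$ks"' EXIT

    # Step 4: import into cacerts.
    "$KEYTOOL" -v -importkeystore \
        -srckeystore "$ks" -destkeystore "$CACERTS" \
        -srcstorepass "$SRC_STOREPASS" -deststorepass "$DEST_STOREPASS" \
        -srcalias "trustedcert" -destalias "$CERT_NAME" \
        -srckeypass "$SRC_STOREPASS" -deststoretype JKS -noprompt

    # Verify the alias is now present; keytool -list exits non-zero otherwise.
    "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$DEST_STOREPASS" \
        -alias "$CERT_NAME" >/dev/null
    echo "imported '$CERT_NAME' into $CACERTS"
}

# Run only when invoked as: sh import-cert.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root on the engine server after steps 1 and 2 have been completed, since the export still requires the server to be in a driver set with a replica; the script only makes that precondition fail loudly instead of surfacing later as a keytool FileNotFoundException.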
Cause
The Identity Manager Engine configure script uses dxcmd to export the certificate associated with the server in the driver set. If the server object is not associated with a driver set, then the above error will be encountered.
By default, the configure script creates a driver set object and associates the server with it. However, if you use a silent install and set silent.properties so that no driver set is created, or if you configure the Identity Manager Engine with a custom configuration into an existing tree and tell it not to create a driver set, the server is not associated with a driver set and the above error will be encountered.
Additional Information
A defect has been entered for the Identity Manager Engine configuration script regarding this issue.