IDM 4.7 Fails to Import certificate during Identity Manager Engine configuration - SSL CertificateDNS_server.ks (No such file or directory)

  • 7023559
  • 04-Dec-2018
  • 04-Dec-2018


Identity Manager 4.7


During a Identity Manager 4.7 configure of the Identity Manager Engine, the following error is found in the /ver/opt/netiq/idm/log/idmconfigure.log file.

NetIQ Identity Manager Command Line Utility
Copyright (c) 2017 NetIQ Corporation. All Rights Reserved

Logging in using:
    host: /
    user: cn=admin,o=mountain
Using LDAP protocol with SSL
LDAPException: Protocol Error (2) Protocol Error
LDAPException: Server Message: Unrecognized extended operation
LDAPException: Matched DN:
    at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
    at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
    at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
    at com.novell.ldap.LDAPConnection.extendedOperation(Unknown Source)
    at com.novell.ldap.LDAPConnection.extendedOperation(Unknown Source)
    at com.novell.nds.dirxml.util.DxCommand.sendLDAPRequest(
    at com.novell.nds.dirxml.util.DxCommand.getDirXMLVersion(
    at com.novell.nds.dirxml.util.DxCommand.login(
    at com.novell.nds.dirxml.util.DxCommand.commandLine(
    at com.novell.nds.dirxml.util.DxCommand.main(
Importing keystore /tmp/idm_install/SSL CertificateDNS_server.ks to /opt/netiq/common/jre/lib/security/cacerts...
keytool error: /tmp/idm_install/SSL CertificateDNS_server.ks (No such file or directory)


Note:   This certificate is only used by the Identity Application drivers.  So if you are not using Advanced Edition or the Identity Applications, then exporting & importing the certificate is not necessary.  

Here are the steps to export & import the certificate manually

1.  Make sure the new server is added to a driver set in the tree.  Create a driver set and add the server to a driver set if needed.

2.  Make sure the new server holds a read write or master replica of the driver set object in the tree.   Add the replica to the server if  needed.

3.  Export the SSL CertificateDNS using the following command:

/opt/novell/eDirectory/bin/dxcmd -v -accept 1 -host <IPAddressOfServer> -port 636 -user <FullLDAPDNOfAdminUser> -exportcerts "SSL CertificateDNS" server java /tmp

/opt/novell/eDirectory/bin/dxcmd -v -accept 1 -host -port 636 -user cn=admin,o=mountain -exportcerts "SSL CertificateDNS" server java /tmp

4.  Import the certificate into cacerts with the following command.

/opt/netiq/common/jre/bin/keytool -v -importkeystore -srckeystore "/tmp/SSL CertificateDNS_server.ks" -destkeystore "/opt/netiq/common/jre/lib/security/cacerts" -srcstorepass "dirxml" -deststorepass "changeit" -srcalias "trustedcert" -destalias "SSL CertificateDNS" -srckeypass "dirxml" -deststoretype JKS -noprompt

5.  Delete the /tmp/SSL CertificateDNS_server.ks file.
rm /tmp/SSL CertificateDNS_server.ks


The Identity Manager Engine configure script uses dxcmd to export the certificate associated with the server in the driver set.   If the server object is not associated with a driver set, then the above error will be encountered.

By default the configure script will create and associate the server with a driver set object.   However if you use a silent install and configure it to not create a driver set in the file, or if you configure the Identity Manager Engine, with a custom configuration into an existing tree, and tell it not to create a driver set, then the server will not get associated with a driver set and the above error will be encountered.

Additional Information

A defect has been entered for the Identity Manager Engine configuration script regarding this issue.