User Login to IDP server fails after upgrading to Access Manager 4.4.3

  • 7023648
  • 17-Jan-2019
  • 19-Sep-2019

Environment

Access Manager 4.4.3 for Windows
Access Manager 4.4.3 Appliance
Access Manager 4.4.3 IDP Server

Situation

  • LDAP servers with different DNS names have been created for each region
  • The certificates assigned to the LDAP servers do not carry a Subject Alternative Name matching the DNS name or IP address of the regional server, so an SSL connection usually fails with a certificate validation error because of the name mismatch
  • With older versions of NAM, and with any version running on Linux, certificate validation was disabled, which allowed such a setup to work
  • After upgrading the IDP server to NAM 4.4.3, users can no longer log in
  • Since NAM 4.4.3 certificate validation is enabled by default, which causes the failure for the use case described above
  • Error message in the IDP server JCC log
<exExceleratorResults exApplianceId="idp-58F4B5A13235B61D" exMajorVersion="4" exMinorVersion="4" exResultsTimeStamp="1547720947">
   <exVersion exBuild="0" exCodeName="idp" exMajor="4" exMinor="4" exOS="Windows" exSub="3">4.4.3.0.93</exVersion>
   <exHealth exHealthStatus="Yellow">
      <exServiceHealth exHealthStatus="Warning" exServiceName="/cfg/services">
         <exDescription exHealthStatus="Passed">Identity Server Configuration</exDescription>
         <exDescription exHealthStatus="Passed">Configuration Datastore</exDescription>
         <exDescription exHealthStatus="Warning">User Datastores</exDescription>
         <exDescription exHealthStatus="Passed">Signing, Encryption and SSL Connector Keys</exDescription>
      </exServiceHealth>
      <exServiceHealth exHealthStatus="Passed" exServiceName="Identity Server Configuration">
         <exDescription exHealthStatus="Passed">Fully applied</exDescription>
      </exServiceHealth>
      <exServiceHealth exHealthStatus="Passed" exServiceName="Configuration Datastore">
         <exDescription exHealthStatus="Passed">Operating properly</exDescription>
      </exServiceHealth>
      <exServiceHealth exHealthStatus="Warning" exServiceName="User Datastores">
         <exDescription exHealthStatus="Warning">
            <exAction>Ensure that all replicas of this user store are operating correctly</exAction>For user store dus-lab-nps all replicas are not responding</exDescription>
      </exServiceHealth>
      <exServiceHealth exHealthStatus="Passed" exServiceName="Signing, Encryption and SSL Connector Keys">
         <exDescription exHealthStatus="Passed">Signing key available ,Certificate Subject Name = O=novell, OU=accessManager, CN=test-signing ,Validity in Days = 2618</exDescription>
         <exDescription exHealthStatus="Passed">Encryption key available ,Certificate Subject Name = O=novell, OU=accessManager, CN=test-encryption ,Validity in Days = 2618</exDescription>
         <exDescription exHealthStatus="Passed">SSL Connector key available ,Certificate Subject Name = O=novell, OU=accessManager, CN=test-connector ,Validity in Days = 2618</exDescription>
         <exDescription exHealthStatus="Passed">OAuth Signing Certificate ,Certificate Subject Name = O=novell,OU=accessManager,CN=test-signing ,Validity in Days = 2618</exDescription>
      </exServiceHealth>
   </exHealth>
</exExceleratorResults>
  • Error reported from within the iManager GUI
For user store [Userstore Name] all replicas are not responding
(Required Action) Ensure that all replicas of this user store are operating correctly
  • Error reported from within the stderr.log (catalina.out)
<amLogEntry> 2019-01-17T10:35:18Z DEBUG NIDS Application: 
Method: JNDILogEventListener.accept
Thread: JNDIReplicaRestart-36106c96-74d2-4c77-9241-0a2f72988871
Connection: 8618cc64-70bc-4ddb-95a3-f5ba4a31d6a9, Environment Parameters for InitialDirContext() method call:
Key: java.naming.factory.initial, Value: com.sun.jndi.ldap.LdapCtxFactory
Key: java.naming.provider.url, Value: ldaps://edir-ldap.kgast.nam.local:636
Key: com.sun.jndi.ldap.connect.timeout, Value: 0
Key: java.naming.security.principal, Value: cn=admin,o=novell
Key: java.naming.security.authentication, Value: simple
Key: java.naming.security.credentials, Value: *****
Key: java.naming.security.protocol, Value: ssl
Key: java.naming.ldap.factory.socket, Value: com.novell.nidp.common.util.net.client.NIDP_SSLSocketFactory
 </amLogEntry>

<amLogEntry> 2019-01-17T10:35:18Z DEBUG NIDS Application: 
Method: JNDILogEventListener.accept
Thread: JNDIReplicaRestart-36106c96-74d2-4c77-9241-0a2f72988871
CommunicationException: Connection: 8618cc64-70bc-4ddb-95a3-f5ba4a31d6a9, Attempting to create InitialDirContext for replica: dus-lab-nps </amLogEntry>

<amLogEntry> 2019-01-17T10:35:18Z DEBUG NIDS Application: 
Method: JNDILogEventListener.accept
Thread: JNDIReplicaRestart-36106c96-74d2-4c77-9241-0a2f72988871
Exception while attempting to create ldap connection! </amLogEntry>

Resolution

  • Windows
    • Start "C:\Program Files\Novell\Tomcat\bin\tomcat8w.exe"
    • Open the Java tab
    • Scroll down in the Java Options and add the following line
      • -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
    • Restart the Tomcat services
  • Appliance (Linux)
    • Edit /opt/novell/nam/idp/conf/tomcat.conf
    • Add the following line to the end of the file
      • JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
    • Restart Tomcat

Cause

The problem is an incorrect JNDI setting in the Tomcat Java options. The options as found on the upgraded Windows IDP server are:

-Djava.endorsed.dirs=C:\Program Files\Novell\Tomcat\endorsed
-Dorg.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false
-Dorg.apache.jasper.compiler.Parser.STRICT_WHITESPACE=false
-Djava.library.path=C:\PROGRA~1\Novell\Tomcat\webapps\nps\WEB-INF\bin\windows;C:\Novell\NDS;C:\Windows\system32
-Djdk.tls.ephemeralDHKeySize=2048
-Djdk.tls.rejectClientInitiatedRenegotiation=true
-Djcc.dir=C:\Program Files\Novell\devman\jcc
-Djavax.net.ssl.sessionCacheSize=10000
-Dcom.novell.socket.devmancacertslocation=C:\Program Files\Novell\Tomcat\webapps\roma\WEB-INF\conf
-XX:MaxPermSize=256m
-Dsun.net.client.defaultReadTimeout=28000
-Dsun.net.client.defaultConnectTimeout=29000
-Xss256k
-Xms1024m
-Xmx2048m
-Dnids.freemem.threshold=10
-Dsun.net.http.allowRestrictedHeaders=true
-Djsse.enableCBCProtection=false
-XX:-UseSplitVerifier
-Djava.util.logging.config.file=C:\Program Files\Novell\Tomcat\conf
-Dfile.encoding=UTF8
-Dsun.security.ssl.allowUnsafeRenegotiation=false
-Dcom.sun.jndi.object.disableEndpointIdentification=true

The last option is misspelled (the "ldap." segment is missing, so the JDK ignores it). It should be:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
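The following script is an added example, not part of this article or of Access Manager: it reads the Tomcat Java options (either the one-option-per-line form from tomcat8w.exe or a tomcat.conf JAVA_OPTS line) and reports whether the property from the Resolution above is mistyped as in the Cause section, correctly spelled (LDAPS hostname checking off), or absent (JDK default, hostname must match the certificate). The sample option lists are constructed.

```python
import re
from typing import Dict, List

# Property as given in the Resolution section above.
CORRECT_PROP = "com.sun.jndi.ldap.object.disableEndpointIdentification"
# Mistyped variant from the Cause section: the "ldap." segment is missing,
# so the JDK never sees it and LDAPS endpoint identification stays enabled.
MISTYPED_PROP = "com.sun.jndi.object.disableEndpointIdentification"


def extract_java_opts(text: str) -> List[str]:
    """Collect -D/-X options from tomcat8w.exe-style text (one option per
    line, paths may contain spaces) or a tomcat.conf JAVA_OPTS="..." line."""
    opts = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'JAVA_OPTS="(.*)"$', line)
        if m:
            # Shell-style assignment: whitespace-separated, drop ${JAVA_OPTS}.
            opts.extend(t for t in m.group(1).split() if t.startswith(("-D", "-X")))
        elif line.startswith(("-D", "-X")):
            opts.append(line)
    return opts


def system_properties(text: str) -> Dict[str, str]:
    """Map -Dkey=value options to {key: value}."""
    props = {}
    for opt in extract_java_opts(text):
        if opt.startswith("-D") and "=" in opt:
            key, _, val = opt[2:].partition("=")
            props[key] = val
    return props


def check_endpoint_identification(text: str) -> str:
    """'mistyped'  - property lacks 'ldap.', silently ignored (this article's bug)
       'disabled'  - correct property set to true: LDAPS hostname check is off,
                     the article's workaround; certificates with matching SANs
                     would let the default check stay on
       'enforced'  - property absent or false: JDK default behaviour"""
    props = system_properties(text)
    if MISTYPED_PROP in props:
        return "mistyped"
    if props.get(CORRECT_PROP, "false").lower() == "true":
        return "disabled"
    return "enforced"


# Constructed samples mirroring the article's Windows and Appliance settings.
WINDOWS_OPTS_MISTYPED = "-Djdk.tls.ephemeralDHKeySize=2048\n" \
    "-Djava.endorsed.dirs=C:\\Program Files\\Novell\\Tomcat\\endorsed\n" \
    "-Dcom.sun.jndi.object.disableEndpointIdentification=true\n"
APPLIANCE_TOMCAT_CONF_FIX = 'JAVA_OPTS="${JAVA_OPTS} ' \
    '-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"\n'
```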

Status

Reported to Engineering

Additional Information

This issue has been seen and verified on Windows and Appliance servers and is scheduled to be fixed with future versions of Access Manager.