Fresh installation of the Access Manager Admin Console version 4.4.3 and 4.4.4 returns PKI error -1217 when creating ECC certificates

  • 7023737
  • 21-Feb-2019
  • 19-Mar-2019

Environment

  • Access Manager 4.3
  • Access Manager 4.4

Situation

  • Cannot create elliptic curve (ECC) certificates on a fresh NAM 4.4.3 / 4.4.4 Admin Console (AC) installation

  • iManager reports:

    Server Certificate (Key Material) Creation Error
    There was an error while trying to create the Server Certificate. You need to delete the Server Certificate, if it exists, and start the creation process again.
    The error code is: PKI Error -1217 NetIQ Certificate Server does not support the requested signature algorithm.

Resolution

  1. This issue has been reported to engineering.

  2. ECC certificates are currently not supported; support is planned for a release after NAM 4.5.

  3. If you cannot perform a complete new installation of the Admin Console server, the following workaround can be used at your own risk:
    • run "ambkup.sh" from the "/opt/novell/devman/bin" directory
    • review the "ambkup.sh" log file at /var/log/nidp_backup_[date]log and verify that no errors were reported while creating the backup
    • install an LDAP browser (for example Apache Directory Studio) and make sure you can log in to the AC LDAP service
    • in iManager, open Roles and Tasks > Certificate Access
    • delete all existing "EC" certificates (they are in fact RSA certificates)
    • ssh into your AC
    • stop the AC service: "/etc/init.d/novell-ac stop"
    • run "/opt/novell/eDirectory/ndsconfig upgrade"
    • answer "no" when asked whether to enable "Enhanced Background Authentication (EBA)"
    • start the AC service and log in to iManager again
    • check that the new ECDSA root certificate "Self Signed Certificate ECDSA" is now present
    • export the "Self Signed Certificate ECDSA" public key certificate into a DER file
    • use an LDAP browser and navigate to the Certificate Authority object below the Security container, for example "cn=LOGIN_TREE CA,cn=Security"
    • add a new attribute called "cAECCertificate" to the CA object and upload the exported DER file as its value
    • to create the EC default certificates, use the Certificate Server plugin for iManager task "Create Default Certificates"
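Two of the steps above fail silently if done wrong: exporting the RSA root instead of the ECDSA one, or loading the file into the wrong attribute. The script below is an added example for this TID, not a NetIQ tool or part of the original article: it reads the exported DER file, confirms from the ASN.1 structure that the certificate is ECDSA-signed and carries an EC public key (so an accidentally exported "Self Signed Certificate RSA" is rejected), and writes the LDIF that adds the certificate as cAECCertificate on the CA object. The file name, the CA DN and the ldapmodify invocation in the usage note are assumptions; the sample_certificate helper builds constructed, unsigned certificate skeletons only so the script can be exercised offline.

```python
import base64
import sys

# OIDs expected on the ECDSA root; anything else (e.g. sha256WithRSAEncryption) is rejected
ECDSA_SIG_OIDS = {"1.2.840.10045.4.1", "1.2.840.10045.4.3.2",
                  "1.2.840.10045.4.3.3", "1.2.840.10045.4.3.4"}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"


def _read_tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs directly inside a constructed DER value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _decode_oid(body):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _algorithm_oid(buf, start, end):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, vstart, vend = next(_children(buf, start, end))
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(buf[vstart:vend])


def certificate_algorithms(der):
    """Return (signatureAlgorithm OID, subjectPublicKeyInfo algorithm OID) of a DER cert."""
    tag, cstart, cend = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE; was the file exported as PEM/B64 instead?")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tbs, sig_alg, _ = list(_children(der, cstart, cend))
    fields = list(_children(der, tbs[1], tbs[2]))
    # tbsCertificate: [0] version (optional), serial, signature, issuer, validity, subject, spki
    spki = fields[6 if fields[0][0] == 0xA0 else 5]
    key_alg = next(_children(der, spki[1], spki[2]))
    return (_algorithm_oid(der, sig_alg[1], sig_alg[2]),
            _algorithm_oid(der, key_alg[1], key_alg[2]))


def is_ecdsa_root(der):
    """True only if the certificate is ECDSA-signed and carries an EC public key."""
    sig_alg, key_alg = certificate_algorithms(der)
    return sig_alg in ECDSA_SIG_OIDS and key_alg == ID_EC_PUBLIC_KEY


def build_ldif(ca_dn, der):
    """LDIF that adds the DER as cAECCertificate on the CA object; refuses non-ECDSA certs."""
    if not is_ecdsa_root(der):
        raise ValueError("refusing to publish a non-ECDSA certificate as cAECCertificate")
    b64 = base64.b64encode(der).decode("ascii")
    return f"dn: {ca_dn}\nchangetype: modify\nadd: cAECCertificate\ncAECCertificate:: {b64}\n-\n"


# --- constructed test data (not a real certificate; signature bytes are zeros) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def sample_certificate(sig_oid, key_oid):
    """Structurally valid, unsigned X.509 skeleton with the given OIDs (test data only)."""
    alg = lambda o: _tlv(0x30, _oid(o))
    empty = _tlv(0x30, b"")  # empty Name / Validity are enough for a structure check
    spki = _tlv(0x30, alg(key_oid) + _tlv(0x03, b"\x00\x04" + bytes(64)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
                    + alg(sig_oid) + empty + empty + empty + spki)
    return _tlv(0x30, tbs + alg(sig_oid) + _tlv(0x03, bytes(9)))


if __name__ == "__main__":  # usage: python3 this.py ca-ecdsa.der "cn=LOGIN_TREE CA,cn=Security"
    with open(sys.argv[1], "rb") as f:
        sys.stdout.write(build_ldif(sys.argv[2], f.read()))
```

Run it as `python3 ec_ca_ldif.py ca-ecdsa.der "cn=LOGIN_TREE CA,cn=Security" > add-ecc-ca.ldif` (both names assumed) and load the LDIF either through the LDAP browser's import function or with ldapmodify over LDAPS against the AC using your own admin credentials. If the script raises instead of writing LDIF, the exported file is not the ECDSA root: re-export "Self Signed Certificate ECDSA" rather than the RSA one, and export it as DER, not as a Base64/PEM file.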

Cause

To create any elliptic curve (ECDSA) certificates, the root CA needs its own elliptic curve root certificate, called "Self Signed Certificate ECDSA".

The NAM 4.4.3 and 4.4.4 installation process does not create the required "Self Signed Certificate ECDSA" certificate. Only the NICI CA object "OU=Organizational CA.O=[Treename]" and the RSA root certificate "Self Signed Certificate RSA" are created.