Environment
Access Manager 4.4.1
Access Manager 4.4.2
Access Manager 4.4.3
Access Manager 4.4.4
Access Manager 4.4.2
Access Manager 4.4.3
Access Manager 4.4.4
Situation
After promoted a secondary admin console server to be the new primary admin console server the below was observed:
Both the ambkup script when run and authentication when trying to install a new IDP is failing with below exception:
install log main for a new IDP:
javax.naming.CommunicationException: 192.168.178.87:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.178.87 found]
javax.naming.CommunicationException: 192.168.178.87:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.178.87 found]
ambkup.sh script gives below similar exception:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
javax.naming.CommunicationException: 192.168.178.87:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.178.87 found]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
javax.naming.CommunicationException: 192.168.178.87:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.178.87 found]
When you check the SSL CertificateDNS certificate on the newly promoted primary admin console server you see it still reflects the IP address and DNS name of the old primary admin console server and there is no alternate subject name for the newly promoted primary admin console server.
When a secondary admin console server is promoted to be the new primary admin console server some extra steps are needed as an add-on to the documented procedure described in section "Converting a Secondary Administration Console into a Primary Console"
Resolution
Reported to engineering
As a workaround on the new primary admin console server disabled the CRL checking and recreated the default certificates in the described way of below TID:
https://support.microfocus.com/kb/doc.php?id=7022461
https://support.microfocus.com/kb/doc.php?id=7022461
As a last step replaced the admin console server certificate since it has a CRL distribution point with a reference to the old primary admin console server.
Access Manager Admin Console Dashboard
Security -> certificates
admin-console certificate -> devices -> administrator console keystore
select the certificate and click replace
add the subject name same as it is currently, for example O=novell, OU=accessManager, CN=primaryac
Replace the certificate
Restart admin console service, /etc/init.d/novell-ac restart
Access Manager Admin Console Dashboard
Security -> certificates
admin-console certificate -> devices -> administrator console keystore
select the certificate and click replace
add the subject name same as it is currently, for example O=novell, OU=accessManager, CN=primaryac
Replace the certificate
Restart admin console service, /etc/init.d/novell-ac restart