Forcing iManager 3 to run in unsecure mode (Port 8080) -1681 errors

  • 7024613
  • 08-May-2020
  • 21-May-2020

Environment

iManager 3

Situation

Cannot perform Certificate Manager tasks using the PKI plugin.
Error: -1681 when changing a password


iManager maintains two secure connections. 

One is from the iManager instance to LDAPS on the server.  By default iManager takes the certificate the server presents on its LDAPS port, extracts the RootCA certificate from that chain, and places it in its own trust store.  In this way iManager trusts every certificate minted by the RootCA of the tree. 

The other is from the browser to the iManager instance.  After an initial iManager installation this is secured with a temporary certificate that expires after 1 year.  If that certificate is not replaced before then, some plugins, such as the PKI plugin, will no longer function.  This presents a problem, since iManager itself is needed to export the new certificate that iManager is to consume. 

Two changes are needed for iManager to allow authentication over an unsecured connection on port 8080: Tomcat's HTTPS connector is disabled, and the security constraints of the iManager web application are commented out.  While this is in place everything sent to port 8080, including the administrator's credentials, crosses the network in clear text, so do it from a trusted network and revert it as soon as the certificate has been exported.

Resolution

STANDALONE (Non-OES Server):

Note: it is recommended to make backups of any files before modifying them.

1. Stop Tomcat and Disable connector
- Stop Tomcat
Linux: systemctl stop novell-tomcat8-service.service
Windows: stop via Windows Services.

- Backup and edit the /opt/netiq/common/tomcat/conf/server.xml file and disable Tomcat's HTTPS connector.
(Windows: C:\Program Files\Novell\Tomcat\conf\server.xml)

BEFORE:
   <!-- Define a SSL HTTP/1.1 Connector on port -->
   <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="/var/opt/novell/novlwww/.p12" keystorePass="changeit" keystoreType="PKCS12" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="+TLSv1.1, +TLSv1.2" sslProtocol="TLS"/>


AFTER:
    <!-- Define a SSL HTTP/1.1 Connector on port -->
    <!--   <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="/var/opt/novell/novlwww/.p12" keystorePass="changeit" keystoreType="PKCS12" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="+TLSv1.1, +TLSv1.2" sslProtocol="TLS"/>
  -->


2. Remove constraints  
Backup and edit the /var/opt/novell/iManager/nps/WEB-INF/web.xml file.  Comment out every <security-constraint> block, from its opening tag to its closing tag.
(Windows: C:\Program Files\Novell\Tomcat\webapps\nps\WEB-INF\web.xml)

BEFORE:

<!-- WELCOME FILE LIST -->
  <welcome-file-list>
        <welcome-file>index.html</welcome-file>
  </welcome-file-list>

  <security-constraint>
        <web-resource-collection>
......
        </web-resource-collection>
        <auth-constraint/>
  </security-constraint>

AFTER

<!-- WELCOME FILE LIST -->
  <welcome-file-list>
        <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <!--
  <security-constraint>
        <web-resource-collection>
........
 </web-resource-collection>
        <auth-constraint/>
  </security-constraint> -->

Note beginning "<!--" and ending "-->".


3. Start Tomcat
systemctl start novell-tomcat8-service.service
or start via Windows services.

To test, point a browser to http://x.x.x.x:8080/nps/ and authenticate.  If the request redirects to 8443, either the connector is not fully commented out or the wrong web.xml was edited.
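The three steps above, as an added example that is not part of the TID: a POSIX shell script that comments out the HTTPS connector and the security-constraint blocks, keeps .bak copies, checks that the downgrade actually took effect, and reverts it.  It assumes the TID's Linux paths (overridable through SERVER_XML and WEB_XML) and a Connector element written on one line; the sample server.xml and web.xml it writes for a dry run are constructed and only approximate the real files.  Stopping and starting Tomcat is left to the operator.

```shell
#!/bin/sh
# Added example (not from the TID): reversible switch of iManager's Tomcat into
# HTTP-only mode on port 8080, with a check and a revert. The default paths are
# the Linux locations the TID names; the files written by make_sample_conf are
# constructed for a dry run.

SERVER_XML="${SERVER_XML:-/opt/netiq/common/tomcat/conf/server.xml}"
WEB_XML="${WEB_XML:-/var/opt/novell/iManager/nps/WEB-INF/web.xml}"

# Constructed server.xml and web.xml mirroring the TID's BEFORE state.
make_sample_conf() {
    cat > "$1/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- Define a SSL HTTP/1.1 Connector on port -->
    <Connector SSLEnabled="true" keystoreFile="/var/opt/novell/novlwww/tomcat.p12" keystorePass="changeit" keystoreType="PKCS12" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS"/>
  </Service>
</Server>
EOF
    cat > "$1/web.xml" <<'EOF'
<web-app>
  <welcome-file-list>
        <welcome-file>index.html</welcome-file>
  </welcome-file-list>
  <security-constraint>
        <web-resource-collection>
            <web-resource-name>nps</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
  </security-constraint>
</web-app>
EOF
}

# Step 1: wrap the single-line SSL connector in an XML comment. A connector
# that spans several lines is refused (exit 2) and must be edited by hand.
disable_https_connector() {
    cp -p "$1" "$1.bak" || return 1
    awk '/<Connector / && /SSLEnabled="true"/ {
             if ($0 !~ /\/>[ \t]*$/) exit 2
             print "<!-- " $0 " -->"; next
         }
         { print }' "$1" > "$1.new" || { rm -f "$1.new"; return 1; }
    mv "$1.new" "$1"
}

# Step 2: comment out every <security-constraint> block. XML comments do not
# nest, so a block that already contains a comment is refused (exit 2).
comment_security_constraints() {
    cp -p "$1" "$1.bak" || return 1
    awk '/<security-constraint>/ { inblk = 1; print "  <!--" }
         inblk && /<!--/ { exit 2 }
         { print }
         /<\/security-constraint>/ { inblk = 0; print "  -->" }' "$1" > "$1.new" \
        || { rm -f "$1.new"; return 1; }
    mv "$1.new" "$1"
}

# Returns 0 only when no SSL connector and no security-constraint is still live.
check_insecure_mode() {
    if grep -Eq '^[[:space:]]*<Connector [^>]*SSLEnabled="true"' "$1"; then
        echo "HTTPS connector still active in $1"; return 1
    fi
    if ! awk 'prev !~ /<!--/ && /<security-constraint>/ { active = 1 }
              { prev = $0 } END { exit active }' "$2"; then
        echo "security-constraint still active in $2"; return 1
    fi
    return 0
}

# Put the .bak copies back once the certificate has been exported.
restore_backups() {
    for f in "$@"; do mv "$f.bak" "$f" || return 1; done
}

case "${1:-}" in
    apply)  disable_https_connector "$SERVER_XML" \
                && comment_security_constraints "$WEB_XML" \
                && check_insecure_mode "$SERVER_XML" "$WEB_XML" ;;
    revert) restore_backups "$SERVER_XML" "$WEB_XML" ;;
esac
```

Run `sh imgr-http.sh apply` between stopping and starting Tomcat, export the certificate through iManager on port 8080, then `sh imgr-http.sh revert` and restart Tomcat.  The check function is what the browser test at the end of step 3 does by hand: if either file still has the live element, the request will be redirected to 8443.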

Additional Information

Once the pfx file has been exported to the file system, stop Tomcat and copy the backups of web.xml and server.xml back into place.  The rest of the procedure for replacing the temporary certificate can be found here:

https://www.netiq.com/documentation/imanager/imanager_install/data/bu3uiv1.html
Section 1.3

Basic Steps:
1. Export a server certificate's public and private key into a pfx file (e.g. cert.pfx).  Stop Tomcat.
2. Copy it to /var/opt/novell/novlwww. 
(Windows: c:\Program Files\Novell\Tomcat\conf\ssl)
3. Run the following commands to convert the pfx to a p12 file. 
(If on Windows and Linux is not available one can install OpenSSL for Windows, cygwin, the Windows Linux subsystem, etc.)
openssl pkcs12 -in cert.pfx -out cert.pem
openssl pkcs12 -export -in cert.pem -out cert.p12 -name "New Tomcat"
4. Assign ownership (only for Linux)
chown novlwww:novlwww cert.p12
5. Assign permissions
chmod 654 cert.p12
(Tomcat reads the file as novlwww, so 0600 is sufficient; 654 also leaves the private key readable by every local account.)
6. Modify server.xml so that the HTTPS connector has keystoreType="PKCS12", keystoreFile set to the full path of the p12 file, and keystorePass set to the export password given to the second openssl command.
7. Start Tomcat
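The conversion in steps 3 to 6, as an added example that is not part of the TID or the NetIQ documentation: the same two openssl commands with the pfx and p12 passwords passed explicitly, followed by the checks worth running before Tomcat is pointed at the new keystore (the store opens with the password that will go into keystorePass, it holds a private key under the "New Tomcat" alias, and the certificate is not within 30 days of expiry).  The passwords, the file names and the self-signed certificate that make_test_pfx produces for a dry run are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the TID): the TID's pfx -> pem -> p12 conversion
# with pre-flight checks. Passwords and the self-signed test certificate are
# constructed here; the "New Tomcat" alias is the one the TID uses.

# Arguments: pfx, pfx password, output p12, p12 password. The p12 password is
# the value that must become keystorePass in server.xml.
convert_pfx_to_p12() {
    pfx="$1"; pfxpw="$2"; p12="$3"; p12pw="$4"
    pem="${p12%.p12}.pem"
    # -nodes writes the intermediate PEM with an unencrypted key, as in the TID.
    openssl pkcs12 -in "$pfx" -passin "pass:$pfxpw" -nodes -out "$pem" || return 1
    openssl pkcs12 -export -in "$pem" -out "$p12" -name "New Tomcat" \
        -passout "pass:$p12pw" || { rm -f "$pem"; return 1; }
    rm -f "$pem"    # do not leave the clear-text key copy on disk
}

# Checks: store opens with the password, contains a private key, carries the
# expected alias, and the certificate will still be valid in 30 days.
verify_p12() {
    p12="$1"; p12pw="$2"
    out=$(openssl pkcs12 -in "$p12" -passin "pass:$p12pw" -nodes 2>/dev/null) || {
        echo "cannot open $p12 with the given password"; return 1; }
    case "$out" in
        *"PRIVATE KEY"*) ;;
        *) echo "no private key in $p12"; return 1 ;;
    esac
    case "$out" in
        *"friendlyName: New Tomcat"*) ;;
        *) echo "alias in $p12 is not New Tomcat"; return 1 ;;
    esac
    # openssl x509 skips the key block and reads the first certificate.
    if ! printf '%s\n' "$out" | openssl x509 -noout -checkend 2592000 >/dev/null; then
        echo "certificate in $p12 expires within 30 days"; return 1
    fi
    return 0
}

# Dry-run helper: a self-signed certificate packed into a pfx.
# Arguments: directory, pfx password, validity in days.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" \
        -subj "/CN=imanager.example.test" \
        -keyout "$1/key.pem" -out "$1/crt.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$1/crt.pem" -inkey "$1/key.pem" \
        -out "$1/cert.pfx" -passout "pass:$2" || return 1
}

case "${1:-}" in
    convert) convert_pfx_to_p12 "$2" "$3" "$4" "$5" && verify_p12 "$4" "$5" ;;
esac
```

Usage: `sh imgr-p12.sh convert cert.pfx <pfx-password> /var/opt/novell/novlwww/cert.p12 <keystorePass>`, then apply the chown and chmod from steps 4 and 5.  If the pfx was produced by an older Windows or eDirectory export using RC2-40 encryption and the local OpenSSL is 3.x, the first openssl pkcs12 call needs the -legacy option.  A keystorePass in server.xml that differs from the p12 password makes Tomcat fail to open the keystore at start-up, which the verify step catches before the restart rather than after it.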

The RootCA certificate used to trust the backend LDAPS connection is imported automatically and is rarely an issue.  However, a corrupt or outdated copy of it in the keystore can cause problems such as the -1681 error when changing a user's password.  The store can be forced to be recreated by deleting iManager's copy of the RootCA certificate: stop Tomcat, delete the directory below for your platform, and start Tomcat again so that the certificate is pulled from LDAPS afresh.

/var/opt/novell/iManager/nps/WEB-INF/iMKS
C:\Program Files\Novell\Tomcat\webapps\nps\WEB-INF\iMKS

More information on this can be found in TID 702397