NAM IDP server JSON Web Key Set Endpoint is missing the x5c entry on one cluster node only

  • 7025146
  • 09-Jun-2021
  • 09-Jun-2021

Environment

  • Access Manager Appliance 4.5
  • Access Manager Appliance 4.5.1
  • Access Manager Appliance 4.5.2
  • Access Manager Appliance 4.5.3

Situation

  • Access Manager Appliance Cluster with two nodes
  • OAuth / OpenID Connect: a Signing Certificate has been configured under iManager => edit IDP - Cluster => OAuth & OpenID Connect => General
  • OAuth / OpenID Client applications are randomly failing to validate the signing key
  • Only the primary Access Manager cluster node does not present the certificate at the JSON Web Key Set Endpoint
  • Adding a new OAuth Signing Certificate from within "iManager => edit IDP - Cluster => OAuth & OpenID Connect => General" only runs a certificate import on the secondary node but fails on the primary

  • From the command history of the device you can see that the certificate import process, e.g. "(oauth_signing1) with alias (oauth_signing1) to keystore (NAM Singlebox Keystore) on ()", is only visible on the secondary node. The primary node just lists an "Apply Changes" but no import

  • A re-push of certificates only takes care of Access Gateway certificates but not any IDP server certificates. This cannot be used as a workaround and is another bug which I have to open separately

Resolution

  • This issue has been reported to engineering and will be fixed with the NAM 5.0 Access Manager Appliance release

  • Workaround:

    • ssh into your primary Access Manager Appliance, the node missing the key entry
    • create a backup of the existing "/opt/novell/devman/jcc/certs/nam/nam.keystore"
    • copy the "/opt/novell/devman/jcc/certs/nam/nam.keystore" from the secondary Access Manager Appliance over it
    • restart your IDP server: "service novell-idp restart"
    • check that the missing key entry exists after the IDP server has been reported as up and running
    • Note: This procedure only works for the Access Manager Appliance
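The workaround steps above as a script, with the final "check that the key entry exists" step made concrete by reading the IDP's JSON Web Key Set and looking for the x5c entry of the signing key. This is an added example, not code from the TID or from the product. Assumptions not stated in the TID: the secondary node is reachable as root over ssh/scp from the primary, JWKS_URL is the jwks_uri of your IDP cluster (take it from the IDP's OpenID discovery document; the value in the script is a placeholder), and the appliance has curl available. The sample JWKS document is constructed for the offline self-check.

```shell
#!/bin/sh
# Added example, not part of TID 7025146 or the product: scripts the workaround
# and afterwards checks that the IDP's JWKS endpoint publishes the x5c entry
# for the configured signing key.
#
# Assumptions (not stated in the TID): the secondary node is reachable as root
# over ssh/scp, and JWKS_URL is the IDP's jwks_uri (take it from your IDP's
# OpenID discovery document; the value below is a placeholder).
set -u

KEYSTORE=/opt/novell/devman/jcc/certs/nam/nam.keystore              # path from the TID
JWKS_URL=${JWKS_URL:-https://idp.example.com/nidp/oauth/nam/keys}   # placeholder

# Constructed sample JWKS for the offline self-check: one key with x5c, one without.
SAMPLE_JWKS='{"keys":[{"kty":"RSA","kid":"oauth_signing1","use":"sig","n":"AQ","e":"AQAB","x5c":["MIIC-constructed"]},{"kty":"RSA","kid":"oauth_signing0","use":"sig","n":"AQ","e":"AQAB"}]}'

# jwks_has_x5c KID: read a JWKS document on stdin and succeed only if the key
# with that kid carries a non-empty x5c array. Each JWK is a flat object, so
# splitting the document on {...} is enough; no JSON parser is needed on the appliance.
jwks_has_x5c() {
    kid=$1
    tr -d ' \n\r\t' | grep -o '{[^{}]*}' \
        | grep "\"kid\":\"$kid\"" | grep -q '"x5c":\["[^"]'
}

# jwks_kids NODE_URL: list the kids one node publishes, so the two cluster nodes
# can be compared (clients fail "randomly" because the nodes publish different sets).
jwks_kids() {
    curl -fsS "$1" | tr -d ' \n\r\t' | grep -o '"kid":"[^"]*"' | cut -d'"' -f4 | sort
}

# apply_workaround SECONDARY_HOST KID: the TID's steps, run on the primary node.
apply_workaround() {
    secondary=$1; kid=$2
    stamp=$(date +%Y%m%d%H%M%S)
    cp -p "$KEYSTORE" "$KEYSTORE.bak.$stamp"            # keep a backup of the current keystore
    scp -p "root@$secondary:$KEYSTORE" "$KEYSTORE"       # take the secondary node's keystore
    if cmp -s "$KEYSTORE" "$KEYSTORE.bak.$stamp"; then
        echo "keystore unchanged after copy; nothing to do" >&2
        return 1
    fi
    service novell-idp restart
    # wait until the IDP answers again, then verify the key entry is published
    i=0
    until curl -fsS -o /dev/null "$JWKS_URL" || [ "$i" -ge 60 ]; do i=$((i+1)); sleep 5; done
    if curl -fsS "$JWKS_URL" | jwks_has_x5c "$kid"; then
        echo "x5c for $kid is now published by $JWKS_URL"
    else
        echo "x5c for $kid still missing; restore $KEYSTORE.bak.$stamp and open a support case" >&2
        return 1
    fi
}

# With no arguments the script only runs the offline self-check on the sample;
# "./fix-jwks.sh --apply <secondary-host> <kid>" runs the workaround.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround "$2" "$3"
else
    printf '%s' "$SAMPLE_JWKS" | jwks_has_x5c oauth_signing1 && echo "self-check: x5c present for oauth_signing1"
fi
```

Run jwks_kids against each node's own address before and after the fix; the two lists should be identical once the primary publishes the signing key again. If the copy leaves the keystore unchanged, the secondary node is missing the entry as well and the workaround does not apply.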

Additional Information

  • The NAM Appliance uses just one JKS keystore (instead of having separate keystores as with dedicated Access Manager services)