Environment
- Access Manager Appliance 4.5
- Access Manager Appliance 4.5.1
- Access Manager Appliance 4.5.2
- Access Manager Appliance 4.5.3
Situation
- Access Manager Appliance Cluster with two nodes
- OAuth / OpenID: a Signing Certificate has been configured under iManager => edit IDP - Cluster => OAuth & OpenID Connect => General
- OAuth / OpenID client applications are randomly failing to validate the signing key
- Only the primary Access Manager cluster node does not present the certificate at the JSON Web Key Set (JWKS) endpoint
- Adding a new OAuth Signing Certificate from within "iManager => edit IDP - Cluster => OAuth & OpenID Connect => General" only runs a certificate import on the secondary node; the import does not run on the primary
- In the command history of the devices you can see that the certificate import step, e.g. "(oauth_signing1) with alias (oauth_signing1) to keystore (NAM Singlebox Keystore) on ()", is only listed on the secondary node. The primary node only lists an "Apply Changes" but no import
- A re-push of certificates only takes care of Access Gateway certificates, not IDP server certificates. This cannot be used as a workaround and is another bug which I have to open separately
Resolution
- This issue has been reported to engineering and will be fixed with the NAM 5.0 Access Manager Appliance release
- Workaround:
- ssh into the primary Access Manager Appliance that is missing the key entry
- create a backup of the existing "/opt/novell/devman/jcc/certs/nam/nam.keystore"
- copy "/opt/novell/devman/jcc/certs/nam/nam.keystore" from the secondary Access Manager Appliance over the primary's copy
- restart the IDP server: "service novell-idp restart"
- check that the previously missing key entry exists once the IDP server has been reported as up and running
- Note: This procedure only works for the Access Manager Appliance
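The workaround steps above as an added script (not part of the original article): it backs up the keystore on the primary, copies the secondary's copy over it while preserving the file's owner and mode, verifies that the OAuth signing alias is present as a private key entry, and only then restarts the IDP. The secondary host name and the keystore password are placeholders, the alias is the "oauth_signing1" quoted above, and keytool is assumed to be on PATH.

```bash
#!/bin/bash
# Added example, not from the original article. Run as root on the PRIMARY appliance:
#   SECONDARY=<secondary-host> KEYSTORE_PASS=<jks-password> ./sync-nam-keystore.sh --run
set -eu

KEYSTORE="/opt/novell/devman/jcc/certs/nam/nam.keystore"
SECONDARY="${SECONDARY:-nam-secondary.example.com}"   # placeholder host name
ALIAS="${ALIAS:-oauth_signing1}"                       # alias quoted in the article
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"             # placeholder, pass the real one via env

# Read a `keytool -list` listing on stdin; succeed only if the alias is a PrivateKeyEntry.
# A trustedCertEntry of the same name would not let the IDP sign tokens, so it does not count.
has_private_key_entry() {
  grep -qiE "^$1, .*PrivateKeyEntry"
}

# Timestamped backup path next to the keystore.
backup_path() {
  printf '%s.bak-%s\n' "$1" "$(date +%Y%m%d%H%M%S)"
}

sync_keystore_from_secondary() {
  backup="$(backup_path "$KEYSTORE")"
  cp -p "$KEYSTORE" "$backup"                 # keep owner/mode; the file holds private keys
  chmod 600 "$backup"
  scp "root@$SECONDARY:$KEYSTORE" "$KEYSTORE"
  chown --reference="$backup" "$KEYSTORE"     # restore owner/mode so the IDP can still read it
  chmod --reference="$backup" "$KEYSTORE"

  # Verify the copied keystore before touching the running service; the password is read
  # from the environment so it does not show up in the process list.
  export KEYSTORE_PASS
  if keytool -list -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS | has_private_key_entry "$ALIAS"; then
    echo "OK: $ALIAS is a PrivateKeyEntry in $KEYSTORE (backup: $backup)"
  else
    echo "FAIL: $ALIAS still missing from $KEYSTORE; restore $backup" >&2
    return 1
  fi
  service novell-idp restart
}

# Only perform the sync when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
  sync_keystore_from_secondary
fi
```

Once the IDP reports up, confirm the signing certificate is now served by the primary's JWKS endpoint, since that is what the clients validate against.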
Additional Information
- The NAM Appliance uses a single JKS keystore (instead of the separate keystores used by dedicated Access Manager services), which is why copying that one file from the secondary node restores the missing entry