
Troubleshooting iManager 2.0.2 on NetWare 6.5

Novell Cool Solutions: Feature


Posted: 8 Jun 2004
 

Here are four important things to check if you're having trouble running iManager on your NetWare 6.5 server.

For iManager to install and work properly, the following items must be functioning on the server:

  1. SSL (Server Certificates)
  2. LDAP over SSL
  3. Tomcat
  4. Apache

The following information assumes a server named "Server1" that resides in the context O=Novell.

  1. Check for Server Certificates

    In ConsoleOne verify the following certificate objects exist in the same context as Server1.
    SAS Service - Server1
    SSL CertificateIP - Server1
    SSL CertificateDNS - Server1
    If these objects do not exist, download PKIDIAG.NLM and run PKIDIAG with options 4 then 0 to automatically recreate them.

    If these objects do exist, run PKIDIAG.NLM with options 4 then 0 to verify the configuration of these objects.
    Note: PKIDIAG writes to the log file SYS:\ETC\Certserv\REPAIR.LOG. You may check this log file for any unresolved errors.

    For testing purposes, you may also attempt to create a new certificate for Server1. Do this in ConsoleOne by creating a new object of type NDSPKI:Key Material in the same context as Server1 and specifying Server1 as the server for this certificate. If this is successful then the tree CA (Certificate Authority) is functioning. Once created, do a validation check on the SSL Certificate created. In ConsoleOne select the Properties of the objects. On the Certificate tab select the Validate button to validate the certificate. Do this for the Trusted Root certificate and Public Key certificate for this object.

    If the creation of a new Certificate fails then there may be tree CA issues that need to be resolved/investigated.


  2. LDAP over SSL

    To determine if LDAP over SSL is configured or working, at the server console unload NLDAP.NLM and load NLDAP.NLM. The modules NTLS.NLM and SASL.NLM should auto load. If they do not, then LDAP on this server is not configured for SSL. Even if they do auto load, you still need to verify LDAP over SSL.

    Verify the LDAP server and LDAP group objects exist for Server1.

    Check the following attributes on the LDAP Server object.
    General tab - LDAP group is configured.
    SSL/TLS Configuration tab - TLS (SSL) port is 636.
    Disable SSL port is not checked.
    Server Certificate is configured. (This should be configured with one of the certificates like SSL CertificateDNS.)
    Other tab - Verify the ldapConfigVersion attribute value is 8. (eDirectory 8.7.3)
    Other tab - Verify the ldapConfigVersion attribute value is 7. (eDirectory 8.7.1)

    Check the following attributes on the LDAP Group object.
    Server list tab - The LDAP server object is in the LDAP server list.
    Other tab - Make sure the ldapConfigVersion attribute has the proper value. For eDir 8.7.1 the value should be 7. For eDir 8.7.1.1 the value should be 8.
    Other tab - Verify the ldapConfigVersion attribute value is 8. (eDirectory 8.7.3)
    Other tab - Verify the ldapConfigVersion attribute value is 7. (eDirectory 8.7.1)

    Once this configuration is complete, when NLDAP loads it should auto load NTLS and SASL and ports 389 and 636 will show as being bound and listening in TCPCON.

    Verify LDAP is working by following TID# 10066259 - How to test LDAP over SSL

    To assist in troubleshooting LDAP loading or operation, the following can be done to gather information on what the problem may be.

    Obtaining LDAP log file information from a NetWare server.

    Load ConsoleOne and find the LDAP server in the tree you want the log file for. Right click the object and view the properties. Click the Screen Options tab. Select every option except Packet Dump or Decoding. Click the apply button and close. Go to the server console and unload / load NLDAP. This makes sure the trace options are enabled.
    At the server console type the following:
    DSTRACE.NLM
    DSTRACE -ALL +LDAP
    DSTRACE SCREEN ON FILE ON
    Unload NLDAP and then load NLDAP
    DSTRACE FILE OFF

    DSTRACE writes to SYS:\SYSTEM\DSTRACE.LOG.

    NOTE: If GWIA loads before NLDAP in the Autoexec.ncf, then GWIA's LDAP will take the LDAP ports. In order for iManager to install correctly, NLDAP must load before GWIA in the Autoexec.ncf.


  3. Verify that Tomcat is loading properly

    Troubleshooting Tomcat consists of loading TOMCAT4 and viewing the Logger screen for errors. To stop Tomcat, type TC4STOP at the server console. Wait about a minute and then type TOMCAT4. Tomcat will take two to three minutes to complete loading. When done, the following line should appear on the Logger screen.

    INFO: JK2: ajp13 listening on /0.0.0.0:9010

    If you do not see the ajp13 listening on port 9010 message, then Tomcat is not loading properly or is still in the process of coming up.

    -Verify that you can ping localhost. At the server console type "ping localhost". Tomcat looks at several files when initializing and these files reference https://localhost:636.

    -Type JAVA -SHOW at the console screen and you should see at least one, if not two, instances of Tomcat running (org.apache.catalina.startup.Bootstrap).

    -Whenever the server certificates have changed, Tomcat will need to have its certificate re-exported. On NetWare 6.5 SP1 the file to re-export the certificate is called TCKEYGEN.NCF; prior to Support Pack 1, TCEDIRINIT.NCF can be used. When these NCF files are run, they export the SSL certificate to the keystore. The certificate file is located at SYS:\admsrv\conf\.keystore. You may want to move the .keystore file out of this directory before entering TCEDIRINT.NCF/TCKEYGEN.NCF to verify a new one is created.

    See TID# 10087091 - Tomcat 4 on NetWare 6.5 will not load for more information on Troubleshooting Tomcat4


  4. Verify that Apache is loading properly

    Verify the Apache Server is running. On NetWare 6.5 it will show up as a screen labeled "Apache 2.0.4x for NetWare". You can also go into TCPCON and verify that ports 80 and 443 are listening. To stop and restart the Apache web server on NetWare 6.5, type AP2WEBDN and then AP2WEBUP.

    If you get a 404 error when trying to access the /nps/servlet/configure page, most likely the INCLUDE statement for the nps-apache.conf file is missing from the Apache configuration file (SYS:\APACHE2\CONF\HTTPD.CONF). Verify there is an INCLUDE statement the same as the one below.

    Include sys:/tomcat/4/conf/nps-Apache.conf

After verifying the four areas above, the server should be prepared to run iManager.
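
The three text-based checks above (the Include line in HTTPD.CONF, the NLDAP/GWIA order in Autoexec.ncf, and the ajp13 line on the Logger screen) can also be run from a workstation against copies of those files. The following Python is an added example, not part of the original article or any Novell tool. It assumes that '#', ';' and 'REM' mark comment lines in an NCF file and that the modules appear by name on their load lines; the sample inputs are constructed.

```python
import re

NPS_INCLUDE = "sys:/tomcat/4/conf/nps-apache.conf"  # path from the article, lower-cased

def active_lines(text, comment_prefixes):
    """Yield (line_no, line) for lines that are neither blank nor commented out."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.lower().startswith(comment_prefixes):
            yield no, line

def has_nps_include(httpd_conf):
    """True if HTTPD.CONF has an uncommented Include of nps-Apache.conf."""
    for _, line in active_lines(httpd_conf, ("#",)):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "include":
            # Directive names and NetWare paths are compared case-insensitively.
            if parts[1].strip().strip('"').lower() == NPS_INCLUDE:
                return True
    return False

def nldap_before_gwia(autoexec_ncf):
    """True/False for the load order; None if either module is not loaded here."""
    first = {}
    # Assumption: '#', ';' and 'REM' start a comment line in an NCF file.
    for no, line in active_lines(autoexec_ncf, ("#", ";", "rem ")):
        for mod in ("nldap", "gwia"):
            if re.search(rf"\b{mod}\b", line, re.I):
                first.setdefault(mod, no)  # remember the first load line only
    if len(first) < 2:
        return None
    return first["nldap"] < first["gwia"]

def ajp13_listening(logger_text, port=9010):
    """True if the Logger screen text reports ajp13 bound to the given port."""
    hits = re.finditer(r"JK2:\s*ajp13 listening on \S*:(\d+)", logger_text)
    return any(int(m.group(1)) == port for m in hits)

# Constructed sample inputs (not from a real server): Include commented out,
# GWIA loaded ahead of NLDAP, Tomcat connector up.
SAMPLE_HTTPD = "Listen 80\n# Include sys:/tomcat/4/conf/nps-Apache.conf\n"
SAMPLE_AUTOEXEC = "; mail first\nLOAD GWIA @GWIA.CFG\nLOAD NLDAP.NLM\n"
SAMPLE_LOGGER = "INFO: JK2: ajp13 listening on /0.0.0.0:9010\n"

if __name__ == "__main__":
    print("nps Include present:", has_nps_include(SAMPLE_HTTPD))
    print("NLDAP before GWIA: ", nldap_before_gwia(SAMPLE_AUTOEXEC))
    print("ajp13 on 9010:     ", ajp13_listening(SAMPLE_LOGGER))
```

A commented-out Include line is reported as missing, which matches the 404 symptom described in step 4.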

If a previous iManager install failed, or you are unable to get into iManager after verifying the above, restart the iManager installation using the NetWare 6.5 Products CD or NetWare 6.5SP1a Overlay Products CD.

Before starting the install, rename the following files on the server:

Sys:\ni\data\ni.log
Sys:\ni\data\nioutput.txt

If there are issues during the installation, the errors will be captured in these files.

