Troubleshooting Certificates for Remote Loaders
Novell Cool Solutions: Tip
By Bruno Guay
Posted: 17 Feb 2005
On a client's internal network, while installing NSure Identity Manager 2.01 remote loaders on several application platforms, the Active Directory (AD) remote loader could not open an SSL connection with the NIM2 server. The error message was "SSL3_READ_BYTES:sslv3 alert bad certificate". This alert is raised when a certificate presented during the handshake cannot be validated; here, the loader could not verify the certificate of the CA that had signed the NIM2 server certificate.
The NIM2 server certificate was signed by a local CA. That CA's own certificate was in turn signed by the client's root CA (Microsoft Active Directory), so the local CA was an intermediate CA. The same intermediate CA certificate was used as the trusted certificate for the JDBC and Unix remote loaders without any problem.
As a test, a new server certificate signed directly by the eDirectory root CA was installed on the NIM2 server. This worked. The AD remote loader therefore appeared to validate the entire certification chain and to require a self-signed root CA certificate as its trust anchor. We confirmed this by reconfiguring the AD loader to use the client's root CA certificate instead of the intermediate CA certificate: the connection then succeeded.
However, when we made the same change to the configurations of the Unix and JDBC remote loaders, those drivers stopped connecting.
Use the root CA certificate for the AD remote loader; it will not accept an intermediate CA certificate as its trust anchor.
For the other remote loaders, use the certificate of the CA that directly signed the server certificate.
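The two behaviours described above can be reproduced on a workstation before certificates are rolled out to the loaders. The script below is an added example; it is not part of the original tip and does not use any Identity Manager code. It builds a root CA, an intermediate CA and a server certificate with the openssl command-line tool (all subjects, hostnames and file names are made up), then runs `openssl verify` against four trust-store configurations. Strict chain building with only the intermediate in the trust store is rejected the way the AD remote loader rejected the intermediate, while `-partial_chain` accepts the intermediate as an anchor, which is the behaviour the JDBC and Unix loaders showed. The comparison to the loaders is an analogy for what different verifiers are allowed to do; the loaders' own SSL code is not shown here.

```shell
#!/bin/sh
# Added example, not from the original tip or from Identity Manager:
# build a root -> intermediate -> server chain with the openssl CLI and
# check which trust-store contents let `openssl verify` accept the leaf.
# All subjects, hostnames and file names are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained openssl config so the run does not depend on the host's
# openssl.cnf: CA certs get CA:TRUE + keyCertSign, the leaf gets CA:FALSE.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

gen_chain() {
  # Self-signed root, standing in for the customer's AD root CA.
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -x509 -new -key root.key -out root.pem -days 30 \
    -config ca.cnf -extensions v3_ca -subj "/CN=Example Root CA"
  # Intermediate signed by the root, standing in for the local CA that
  # issued the NIM2 server certificate.
  openssl genrsa -out int.key 2048 2>/dev/null
  openssl req -new -key int.key -out int.csr -config ca.cnf \
    -subj "/CN=Example Intermediate CA"
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -config ca.cnf \
    -subj "/CN=nim2.example.test"
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions v3_server -out server.pem 2>/dev/null
}

# Succeeds (exit 0) only when openssl verify accepts server.pem with the
# given trust-store options.
verify_leaf() {
  openssl verify "$@" server.pem >/dev/null 2>&1
}

# Trust store = intermediate only, strict chain building: the verifier
# insists on ending at a self-signed root it trusts, so this FAILS with
# "unable to get issuer certificate". Same shape as the AD loader's refusal.
trust_intermediate_strict() { verify_leaf -CAfile int.pem; }

# Trust store = intermediate only, but the verifier may stop at any trusted
# certificate (-partial_chain, OpenSSL 1.0.2+): PASSES. Same shape as the
# JDBC/Unix loaders accepting the signing CA directly.
trust_intermediate_partial() { verify_leaf -CAfile int.pem -partial_chain; }

# Trust store = root, with the intermediate supplied as an untrusted chain
# certificate (what a TLS peer normally sends alongside its leaf): PASSES.
trust_root_with_chain() { verify_leaf -CAfile root.pem -untrusted int.pem; }

# Trust store = root only and the intermediate is unavailable: the chain
# cannot be built, so this FAILS with "unable to get local issuer certificate".
trust_root_without_chain() { verify_leaf -CAfile root.pem; }

report() {
  gen_chain
  for check in trust_intermediate_strict trust_intermediate_partial \
               trust_root_with_chain trust_root_without_chain; do
    if "$check"; then echo "$check: accepted"; else echo "$check: rejected"; fi
  done
}

report
```

Run it as `sh chain-check.sh`; it needs only the openssl binary. The practical lesson is the last two cases: handing a loader the root certificate only helps if the intermediate is also available to it (sent by the peer or present in its store), which is consistent with the JDBC and Unix loaders breaking when they were switched from the intermediate to the root. Before changing a loader's trusted certificate, check its documentation for whether it requires a self-signed root or accepts the signing CA directly, and whether the peer sends its intermediate during the handshake.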
Note: I would recommend that all remote loaders implement the SSL certificate verification in the same way. This would prevent confusion.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com