Error: "Error in SSL connect; server certificate could not be trusted."

  • 7001714
  • 22-Oct-2008
  • 27-Apr-2012

Environment

Novell Identity Manager Driver - Core Fan Out
Novell Identity Manager Driver - Linux and UNIX - Fan Out
Novell Identity Manager Driver - Mainframe RACF Fan Out
Novell Identity Manager Driver - Mainframe Top Secret Fan Out
Novell Identity Manager Driver - Midrange OS/400 Fan Out
Novell Identity Manager
Fan-out driver

Situation

Error: "Error in SSL connect; server certificate could not be trusted." On SLES 10 with IDM 3.6 as shipped, a core dump may also occur.

Resolution

Verify the following settings in iManager and the receiver configuration.

In iManager, under Core Driver, verify that the server where LDAP is running is referenced.

In iManager, under Configure iManager plug-ins, enter the IP address of the server where the core driver is running.

In iManager, under Platforms: Configure Platforms: <select the platform>, enter the IP address of the platform being used (where the receiver is).

In the asamplat.conf file on the receiver (where you are running the configuration script), verify that the IP address of the core server is specified.

The network address you enter for the Core Driver Configuration, for the Platform Object and in the asamplat.conf file must be in the same format. Entering a short host name in one place but an FQDN in another may cause this error. This is because the certificate is built from the network address as entered, and that address is what the SSL connection is checked against.

If a core dump is occurring, fix the network addresses and also apply the latest patches for the core driver and platform receivers.

Additional Information

When you run the plat-config script, it contacts the core driver to obtain a security certificate. If it cannot trust the driver it connects to, it disconnects and reports the error described. It decides whether to trust the driver by examining the driver's SSL certificate, which contains the network address, and checking whether that address matches. Therefore, the network address list from iManager is what applies. When you add or remove an address, you need to restart the driver so that it generates and loads the new certificate.
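The same-format rule from the Resolution and the certificate match described above can be checked before rerunning the configuration script. This is an added example, not Novell code: the function names, the sample addresses and the case-insensitive comparison are assumptions, and the values are copied by hand from iManager and asamplat.conf.

```python
import ipaddress

def address_format(value):
    """Classify an address string as 'ip', 'fqdn' or 'short-hostname'."""
    v = value.strip().rstrip(".")
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        return "fqdn" if "." in v else "short-hostname"

def normalize(value):
    """Canonical form for comparison (assumption: names compare case-insensitively)."""
    v = value.strip().rstrip(".").lower()
    try:
        return str(ipaddress.ip_address(v))
    except ValueError:
        return v

def check_addresses(core_driver_addrs, platform_addr, receiver_core_addr):
    """core_driver_addrs: network address list of the core driver in iManager.
    platform_addr: address entered on the Platform object.
    receiver_core_addr: core server address in asamplat.conf.
    Returns a list of findings; an empty list means the settings agree."""
    findings = []
    formats = {
        "Core Driver configuration": {address_format(a) for a in core_driver_addrs},
        "Platform object": {address_format(platform_addr)},
        "asamplat.conf": {address_format(receiver_core_addr)},
    }
    if len(set().union(*formats.values())) > 1:
        detail = "; ".join(f"{k}: {'/'.join(sorted(v))}" for k, v in formats.items())
        findings.append(f"mixed address formats ({detail})")
    # The receiver trusts the driver only if the address it uses is in the certificate.
    if normalize(receiver_core_addr) not in {normalize(a) for a in core_driver_addrs}:
        findings.append(
            f"'{receiver_core_addr}' from asamplat.conf is not in the Core Driver "
            "address list, so the certificate will not match"
        )
    return findings

if __name__ == "__main__":
    # Constructed sample values: FQDN on the driver, short name on the receiver.
    for finding in check_addresses(["idmcore.example.com"], "192.0.2.21", "idmcore"):
        print("WARNING:", finding)
```

If the check reports a finding, correct the addresses and restart the driver so that it regenerates its certificate, as described above.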

Formerly known as TID# 10100241