Environment
NetIQ Access Manager 3.1.5
NetIQ Access Manager 3.2.1
SUSE Linux Enterprise Server 11 Service Pack 1
SUSE Linux Enterprise Server 11 Service Pack 2
Situation
- SSLVPN stunnel service / binary does not start:
  - after applying the latest SLES11SP1 patches through the official update channel
  - on a fresh SLES11SP2 installation
- After applying libopenssl0_9_8-0.9.8j-0.44.1, the tunnel service will not load properly.
- Starting SSLVPN returns the following:
SSL VPN Service has been stopped.
Starting SSL VPN Service ......
stunnel: pthread_mutex_lock.c:62: __pthread_mutex_lock: Assertion `mutex->__data.__owner == 0' failed.
SOCKD is running
SOCKD is registered
STUNNEL is not running
OPENVPN is running
Resolution
- A new version compiled against OpenSSL 0.9.8j:
  stunnel 4.20 on i686-suse-linux with OpenSSL 0.9.8j-fips 07 Jan 2009
  Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
  has been included with "NetIQ Access Manager 3.2 Support Pack 1 Interim Release 1a 3.2.1-201".
- For NetIQ Access Manager 3.2.1
  - Download and install "NetIQ Access Manager 3.2 Support Pack 1 Interim Release 1a 3.2.1-201"
- For Novell Access Manager 3.1.5
  - Download "NetIQ Access Manager 3.2 Support Pack 1 Interim Release 1a 3.2.1-201"
  - Copy the patch to your workstation
  - Unpack the AM_32_SP1_IR1a.zip archive: "unzip AM_32_SP1_IR1a.zip"
  - Change into the new directory: "cd AM_32_SP1_IR1a"
  - The AM_32_SP1_IR1a_201.patch is a zip file which can be extracted
    (AM_32_SP1_IR1a_201.patch: Zip archive data, at least v2.0 to extract).
    Run: "unzip AM_32_SP1_IR1a_201.patch"
  - The new stunnel version can be found in the subdirectory "Linux/opt/novell/sslvpn/bin"
  - Create a backup of the existing stunnel binary on your SSLVPN server:
    "cp /opt/novell/sslvpn/bin/stunnel /opt/novell/sslvpn/bin/stunnel.old"
  - Copy the new stunnel binary over to your SSLVPN server
  - Restart your SSLVPN server
Note: Novell Access Manager Service Pack 5 should have included the fix as well, but in fact the fix did not make it into SP5. The statement in the SP5 readme is wrong.
Cause
- The stunnel version shipped with Novell Access Manager 3.1.5 and NetIQ Access Manager 3.2.1:
  stunnel 4.20 on i686-suse-linux with OpenSSL 0.9.8a 11 Oct 2005
  Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv4
  has not been compiled to run with libopenssl0_9_8-0.9.8j-0.44.1.
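
An added example, not part of the original article and not vendor code: a shell check that parses the stunnel version banner and the libopenssl package name quoted above and reports whether the binary was built against the installed OpenSSL release, plus a backup-and-replace helper for the Resolution steps. The function names are hypothetical, and treating a build/package release mismatch as the fault indicator is an assumption drawn from the Cause section.

```shell
#!/bin/sh
# Added example (not vendor code): compare the OpenSSL release a stunnel binary
# was built against with the installed libopenssl package.

# OpenSSL release (e.g. 0.9.8j) from a "stunnel -version" banner.
banner_openssl() {
    printf '%s\n' "$1" |
        sed -n 's/.*with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Upstream release from an rpm name such as libopenssl0_9_8-0.9.8j-0.44.1.
pkg_openssl() {
    printf '%s\n' "$1" |
        sed -n 's/^libopenssl[0-9_]*-\([0-9][0-9.]*[a-z]*\)-.*/\1/p' | head -n 1
}

# 0 = build matches installed library, 1 = mismatch, 2 = unparseable input.
check_match() {
    built=$(banner_openssl "$1")
    installed=$(pkg_openssl "$2")
    if [ -z "$built" ] || [ -z "$installed" ]; then return 2; fi
    [ "$built" = "$installed" ]
}

# Back up the target as <target>.old (as in the steps above), then install the
# new binary. Refuses to overwrite an existing backup: 3 = backup already there.
replace_binary() {
    new=$1; target=$2
    if [ ! -f "$new" ] || [ ! -f "$target" ]; then return 2; fi
    if [ -e "$target.old" ]; then return 3; fi
    cp -p "$target" "$target.old" && cp "$new" "$target"
}

# Demo on the two banners quoted in this article and the package named in it.
PKG='libopenssl0_9_8-0.9.8j-0.44.1'
OLD='stunnel 4.20 on i686-suse-linux with OpenSSL 0.9.8a 11 Oct 2005'
NEW='stunnel 4.20 on i686-suse-linux with OpenSSL 0.9.8j-fips 07 Jan 2009'
for banner in "$OLD" "$NEW"; do
    if check_match "$banner" "$PKG"; then state=match; else state=MISMATCH; fi
    echo "built against $(banner_openssl "$banner"): $state"
done
# On the server, feed it live data instead:
#   check_match "$(/opt/novell/sslvpn/bin/stunnel -version 2>&1)" \
#               "$(rpm -q libopenssl0_9_8)"
```

Because replace_binary refuses to overwrite an existing stunnel.old, re-running it cannot replace the backup of the originally shipped binary with the already patched one.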