Novell Home

My Favorites

Close

Please to see your favorites.

NAM base url unavailable after certificates expire

This document (7011395) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 3.1.4

Situation

When attempting to log into iManager on the primary admin console, the login screen was returned with no error but no login either, just a loop back to the login screen.
After restarting the primary admin console we could login normally and see that default eDirectory server certificates had expired but had been automatically renewed on the restart.
Later the IDP server was restarted and when users attempted to access protected resources, they were redirected to the idp base URL, as expected, but no login was available.

The IDP catalina.out showed

DirAuthenticator...1114 (Error -669) An invalid password was used, authentication failed, one server tried to synchronize with another one but the target server's database was locked, or a problem exists with the remote ID or public key.
DirAuthenticator...1136 Login failed:  admin.novell:  10.17.220.100
SRetryDispatcher retrying:  0
SRetryDispatcher retrying:  1
SRetryDispatcher retrying:  2
SRetryDispatcher retrying:  3


This is an administration console error. This IDP also hosted the secondary AC. The secondary AC was failing to load because the default server certificates had expired and this was preventing the IDP from loading.

Resolution

The secondary AC was on the same box as IDP1. In NAM 3.1, the secondary AC does not automatically renew the certifcates and these expired certificates were causing the AC not to load and then the IDP not to load.
The issue was fixed by connecting a standard version of iManager with certificate plugins to the secondary admin console and repairing default certificates on that secondary AC and then restarting the server.

Cause

On the primary AC, this was not a problem because restarting the AC renewed the certificates automatically.
In NAM 3.1, the secondary AC does not automatically renew the certifcates.
In NAM 3.2, the restarting the secondary AC does automatically renew the default certifcates if they are expired.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7011395
  • Creation Date:19-NOV-12
  • Modified Date:19-NOV-12
    • NetIQAccess Manager (NAM)
      iManager

Did this document solve your problem? Provide Feedback