NetIQ Access Manager stopped working after it was upgraded from 3.2SP2IR2 to 4.0SP1

  • 7015846
  • 30-Oct-2014
  • 30-Oct-2014

Environment

  • NetIQ Access Manager 3.2
  • NetIQ Access Manager 4.0
  • NetIQ Access Manager 4.0.1

Situation

  • NetIQ Access Manager has been upgraded from 3.2SP2IR2 to 4.0SP1

  • NIDP server reports:
    Unable to load metadata for Embedded Service Provider: https://esp-emea.corp:443/nesp/idff/metadata, error: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

  • Access Gateway does not start up anymore

  • Apache reports the error:
    httpd: Syntax error on line 497 of /etc/opt/novell/apache2/conf/httpd.conf: Syntax error on line 22 of /etc/opt/novell/ag/ag_hook.conf: Syntax error on line 6 of /etc/opt/novell/ag/mod_novell_ag.conf: Cannot load /opt/novell/ag/lib/mod_novell_ag.so into server: /opt/novell/ag/lib/mod_novell_ag.so: undefined symbol: ap_get_sb_worker

  • JCC on the Access Gateway reports:
    Oct XX, 2014 10:56:48 PM com.novell.jcc.util.JCCUtils logSevere  SEVERE: AM#100706034: Exception - get key failed com.novell.jcc.cert.CertificateClient getKeyForServiceWithRetry No data getting key: esp-emea_corp in ag-XXXXXXXXXXX-proxy to /opt/novell/apache2/certs com.novell.jcc.JCCException: No data getting key: esp-emea_corp in ag-XXXXXXXXXXX-proxy to /opt/novell/apache2/certs

Resolution

  • Modify the "/opt/novell/jdk1.7.0_25/jre/lib/security/java.security" file on all devices (NIDP servers and Access Gateways), commenting out the directive "jdk.certpath.disabledAlgorithms=MD2"
  • Restart all devices

Cause

The trust chain of the certificate assigned to the Embedded Service Provider contains a Root Certificate that was signed using the MD2 hash algorithm. With tomcat7, MD2 has been excluded because of its security weakness. MD4, MD5 and SHA-1 are still supported but will be discontinued like MD2 soon. Going forward, SHA-2 (256 bit) should be used; certificates with SHA-2 are supported by the latest versions of Access Manager.

Note: The GUI (iManager) still cannot create a signing request for SHA-2, nor properly display imported certificates with a SHA-2 hash. This has already been reported to engineering.
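As an added diagnostic (not part of this TID and not NetIQ code), the Python script below walks a PEM bundle and reports the signature algorithm of every certificate in it, flagging those that the JDK 7u25 default `jdk.certpath.disabledAlgorithms=MD2` rejects, so you can confirm which certificate in the ESP trust chain is MD2-signed before deciding between re-issuing that chain and the workaround above. It uses only the standard library; the sample bundle, its two stand-in certificates and the helper names are constructed for this example.

```python
import base64, re

PEM_BLOCK = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
SIG_OIDS = {"1.2.840.113549.1.1.2": "MD2withRSA", "1.2.840.113549.1.1.4": "MD5withRSA",
            "1.2.840.113549.1.1.5": "SHA1withRSA", "1.2.840.113549.1.1.11": "SHA256withRSA"}
DISABLED = {"MD2withRSA"}  # what the default jdk.certpath.disabledAlgorithms=MD2 rejects

def der_tlv(buf, pos=0):
    """Parse one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # DER OID content bytes -> dotted notation
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID from the outer signatureAlgorithm field of one DER certificate."""
    _, cert, _ = der_tlv(der)          # Certificate ::= SEQUENCE {
    _, _, pos = der_tlv(cert)          #   tbsCertificate (skipped here),
    _, alg_id, _ = der_tlv(cert, pos)  #   signatureAlgorithm AlgorithmIdentifier,
    _, oid, _ = der_tlv(alg_id)        #   whose first element is the algorithm OID
    return decode_oid(oid)

def check_chain(pem_text):
    """[(index, algorithm name, rejected?)] for each CERTIFICATE block in a PEM bundle."""
    result = []
    for i, b64 in enumerate(re.findall(PEM_BLOCK, pem_text, re.S)):
        oid = signature_algorithm(base64.b64decode("".join(b64.split())))
        name = SIG_OIDS.get(oid, oid)
        result.append((i, name, name in DISABLED))
    return result

# Constructed sample input: minimal stand-in certificates, not real ones and not the TID's.
def _tlv(tag, body):  # short-form DER encoder, enough for these tiny structures
    return bytes([tag, len(body)]) + body
def _fake_pem(sig_oid):  # empty tbsCertificate, the given signature OID, empty BIT STRING
    alg = _tlv(0x30, _tlv(0x06, sig_oid) + _tlv(0x05, b""))
    der = _tlv(0x30, _tlv(0x30, b"") + alg + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
SAMPLE_BUNDLE = (_fake_pem(bytes.fromhex("2a864886f70d01010b"))    # ESP cert: SHA256withRSA
                 + _fake_pem(bytes.fromhex("2a864886f70d010102")))  # its root: MD2withRSA
```

Run `check_chain()` on the bundle exported from the NIDP keystore for the ESP (or on a `-----BEGIN CERTIFICATE-----` dump from openssl) to see which position in the chain carries the MD2 signature.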