Environment
Novell ZENworks 10 Configuration Management with Support Pack 3 - 10.3
Situation
Unable to authenticate to Satellite server.
Although the Satellite is listed first in the closest server list (run zac zc -l to list), the logs show that it is not being used.
From zmd-messages.log (debug enabled):
[DEBUG] [05/03/2010 16:52:35.093] [492] [ZenworksWindowsService] [8] [] [CertManager.SubjectIsHost] [] [Found certs for host satellite.novell.com.com] [] []
[DEBUG] [05/03/2010 16:52:35.093] [492] [ZenworksWindowsService] [8] [] [CertManager.SubjectIsHost] [] [Subject in certificate is : CN=SATELLITE., OU=ZENworks Authentication Server, O=ZENworks Configuration Management] [] []
[DEBUG] [05/03/2010 16:52:35.093] [492] [ZenworksWindowsService] [8] [] [RemotingService] [] [Filtered zone config list is:] [] []
[DEBUG] [05/03/2010 16:52:35.093] [492] [ZenworksWindowsService] [8] [] [CertManager.SubjectIsHost] [] [Subject in certificate is : CN=SATELLITE., OU=ZENworks Authentication Server, O=ZENworks Configuration Management] [] []
[DEBUG] [05/03/2010 16:52:35.093] [492] [ZenworksWindowsService] [8] [] [RemotingService] [] [Filtered zone config list is:] [] []
[DEBUG] [05/03/2010 16:52:35.093] [492] [ZenworksWindowsService] [8] [] [RemotingService] [] [ https://primaryserver.novell.com:443/ ] [] []
Note that the filtered list does not include the satellite.
CasaAuthToken.log shows only the primary or other satellites being used:
[1EC-338] [16:52:35] CASA_AuthToken -ObtainAuthTokenFromServer- Hostname = primaryserver.novell.com
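The symptom above can be checked mechanically. The following Python sketch is an added example, not part of the original TID or of ZENworks: it scans zmd-messages.log debug output for a certificate CN that differs from the host name and reports which servers appear in the filtered zone config list. The log text is a constructed sample in the layout shown above, and the comparison rule (ignore case and a trailing dot) is an assumption, not the agent's documented logic.

```python
import re

# Constructed sample in the zmd-messages.log layout shown above.
PREFIX = "[DEBUG] [05/03/2010 16:52:35.093] [492] [ZenworksWindowsService] [8] [] "
SAMPLE_LOG = "\n".join(PREFIX + tail for tail in [
    "[CertManager.SubjectIsHost] [] [Found certs for host satellite.novell.com] [] []",
    "[CertManager.SubjectIsHost] [] [Subject in certificate is : CN=SATELLITE., "
    "OU=ZENworks Authentication Server, O=ZENworks Configuration Management] [] []",
    "[RemotingService] [] [Filtered zone config list is:] [] []",
    "[RemotingService] [] [ https://primaryserver.novell.com:443/ ] [] []",
])

HOST_RE = re.compile(r"\[Found certs for host ([^\]\s]+)\]")
SUBJ_RE = re.compile(r"\[Subject in certificate is : ([^\]]+)\]")
URL_RE = re.compile(r"\[\s*https://([^:/\]\s]+)")

def norm(name):
    """Assumed comparison: ignore case and a trailing dot."""
    return name.strip().rstrip(".").lower()

def subject_cn(subject):
    """Return the CN value of a subject DN (simple split; no escaped commas)."""
    for rdn in subject.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None

def audit(log_text):
    """Return (CN mismatches as (host, cn), hosts in the last filtered list)."""
    mismatches, filtered, host, in_list = [], [], None, False
    for line in log_text.splitlines():
        if m := HOST_RE.search(line):
            host, in_list = m.group(1), False
        elif m := SUBJ_RE.search(line):
            cn, in_list = subject_cn(m.group(1)), False
            if host and cn and norm(cn) != norm(host) and (host, cn) not in mismatches:
                mismatches.append((host, cn))
        elif "[Filtered zone config list is:]" in line:
            in_list, filtered = True, []  # keep only the most recent list
        elif in_list and (m := URL_RE.search(line)):
            filtered.append(norm(m.group(1)))
        else:
            in_list = False
    return mismatches, filtered

if __name__ == "__main__":
    bad, used = audit(SAMPLE_LOG)
    for host, cn in bad:
        print(f"{host}: certificate CN is {cn!r}; re-mint with the FQDN")
    print("servers in filtered list:", used)
```

Running the same check after the certificate has been re-minted should report no mismatch and list the satellite among the filtered servers.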
Resolution
Note: This applies to Satellites using self-signed certificates only.
- To confirm the certificate, open the following URL in a browser (substitute the proper satellite FQDN and port): https://satellite.novell.com:443/CasaAuthTokenSvc.
- If the browser generates a certificate error, inspect the certificate to determine whether it has the appropriate Fully Qualified Domain Name (FQDN).
- If the certificate has only the short name (for example, satellite instead of satellite.novell.com) and it was self-signed (no external certificate), then it must be re-minted.
For Windows:
To re-mint the certificate with the appropriate name:
- Confirm that the Windows device Control Panel > System > Computer Name > Change Computer Name > More > Primary DNS Suffix is correct.
- Run zac asr to reset the satellite service
  or
  Demote (remove the Authentication role from) the satellite device in ZCC > Configuration > Server Hierarchy.
  Refresh the device with the Z Icon so that the role is removed.
  Promote (add the Authentication role to) the device again.
- Verify that the certificate is correct, and that the agent logging in shows the satellite in the filtered device list in zmd-messages.log.
Additional Information
If for some reason the Primary DNS Suffix cannot be set, use this alternative:
- Demote the device per the steps above.
- Create a text file %ZENWORKS_HOME%/conf/jettyconfig.xml with the following contents (substitute the proper FQDN of the satellite):
<?xml version="1.0"?>
<JettyConfigInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <DName>cn=satellite.novell.com,ou=ZENworks Authentication Server,o=ZENworks Configuration Management</DName>
</JettyConfigInfo>
- Promote the device per the steps above and test the certificate.