Environment
Products:
Novell iManager 2.5
Novell iManager 2.6
Novell iManager 2.7
Configuration:
Installed FreeRadius NPMs.
Situation
Logged into Novell iManager as the admin user of the tree, but the FreeRadius schema extension from RADIUS.npm (FreeRadius) fails with the error "Creating secure SSL LDAP context failed: Connect Error" and the following details:
java.lang.Exception
 at com.novell.nps.radius.ExtendRadiusSchema.showInitialForm(ExtendRadiusSchema.java:185)
 at com.novell.nps.radius.ExtendRadiusSchema.execute(ExtendRadiusSchema.java:96)
 at com.novell.emframe.dev.Task.execute(Task.java:505)
 at com.novell.nps.gadgetManager.BaseGadgetInstance.processRequest(BaseGadgetInstance.java:858)
 at com.novell.nps.gadgetManager.GadgetManager.delegateToGadget(GadgetManager.java:4253)
 at com.novell.nps.gadgetManager.LaunchService.onDelegateAction(LaunchService.java:86)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:618)
 at com.novell.nps.gadgetManager.BaseGadgetInstance.handleAction(BaseGadgetInstance.java:2371)
 at com.novell.nps.gadgetManager.GadgetManager.processInstanceRequest(GadgetManager.java:1606)
 at com.novell.nps.gadgetManager.GadgetManager.processServiceRequest(GadgetManager.java:1062)
 at com.novell.nps.PortalServlet.handleFrameService(PortalServlet.java:505)
 at com.novell.nps.PortalServlet.processRequest(PortalServlet.java:373)
 at com.novell.nps.PortalServlet.doPost(PortalServlet.java:279)
 at com.novell.nps.PortalServlet.doGet(PortalServlet.java:262)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
 at com.novell.emframe.fw.servlet.AuthenticatorServlet.service(AuthenticatorServlet.java:332)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
 at com.novell.emframe.fw.filter.CrossScriptingFilter.doFilter(CrossScriptingFilter.java:25)
 at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
 at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
 at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
 at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
 at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:196)
 at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:150)
 at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
 at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
 at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
 at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
 at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
 at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
 at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:162)
 at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:300)
 at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:382)
 at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:746)
 at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:675)
 at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:869)
 at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
 at java.lang.Thread.run(Thread.java:811)
LDAP traces from the Novell eDirectory server where the schema is to be extended show the following error messages:
ERROR:TLS accept failure 1 on connection 0x######, setting err = -5875.
ERROR: Error stack: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown -
ERROR: SSL alert number 46 TLS handshake failed on connection 0x######, err = -5875
The LDAP server is listening on its SSL port (636 by default) and is able to answer SSL requests when the Trusted Root certificate exported from the associated KMO object is used.
The problem is seen with all FreeRadius tasks.
Resolution
When a user first logs into iManager, it makes an NDAP connection to eDirectory. Over that NDAP connection it retrieves the CA certificate from the Security container and automatically imports this self-signed trusted root certificate into the iManager-specific keystore (iMKS). The problem is that the FreeRadius iManager plugin does not use the default iManager keystore (iMKS) for SSL authentication, but only the system's Java keystore (cacerts). This is a bug and has been reported to engineering.
To make SSL authentication work with the FreeRadius plugin, manually export the Trusted Root Certificate of the LDAP server (public key, DER format) and import it into the Java keystore using the "keytool" utility as follows (the Additional Information section below explains how to find out which keystore the iManager Tomcat instance uses):
1. keytool -import -file yourcertificate.der -keystore <path to keystore>/cacerts
2. password: changeit
3. Trust this certificate? [no]: yes
4. Log out of iManager and restart Tomcat
The FreeRadius tasks should work now.
Status
Reported to Engineering
Additional Information
There are 2 different keystores that may be used by iManager.
1. The default Java keystore is named "cacerts". It is in the JRE/JVM's ...lib\security directory. That is the JVM used to run Tomcat and/or the JVM for Mobile iManager; those may be the same or different JVMs.
2. There is an iManager-specific keystore. The file is in the Tomcat directory ...\webapps\nps\WEB-INF\iMKS. This keystore is automatically created and populated by iManager and is only used by iManager.
By default, when iManager creates an SSL LDAP connection using the JNDI service provider in the JDK, it tries the default JVM keystore first and, if that fails, the iManager-specific keystore.
In order to find out which JRE and keystore are used by a Tomcat instance the following commands can be executed:
cat /etc/init.d/novell-tomcat* | grep -i TOMCAT_CFG
This is an example of the expected output:
TOMCAT_CFG="/etc/opt/novell/tomcat7/tomcat7.conf"
cat /etc/opt/novell/tomcat7/tomcat7.conf | grep -i JRE_HOME
This is an example of the expected output:
JRE_HOME="/opt/novell/jdk1.7.0_25/jre"
The keystore into which the certificate has to be imported must reside within the JRE_HOME.
For example: "/opt/novell/jdk1.7.0_25/jre/lib/security/cacerts"
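The whole procedure (resolve TOMCAT_CFG and JRE_HOME from the Novell Tomcat init script, derive the cacerts path under that JRE, import the exported trusted root once) as an added shell example; this is not code from the TID or from Novell. It assumes the init script lives under /etc/init.d/novell-tomcat*, keytool is on PATH, the keystore password is the default "changeit", and the alias name is our own choice.

```shell
#!/bin/sh
# Added example, not code from the TID. Resolves the cacerts keystore of the JRE
# that runs Novell Tomcat (init script -> TOMCAT_CFG -> JRE_HOME), then imports
# the eDirectory LDAP server's trusted root certificate (DER export) into it.
# Assumptions: the init script is /etc/init.d/novell-tomcat*, the conf file sets
# JRE_HOME, keytool is on PATH, the keystore password is the default "changeit",
# and the alias name below is our own choice.

# conf_value FILE KEY: print the value of KEY="..." from FILE, quotes stripped.
conf_value() {
    grep -i "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# cacerts_for_init_script INIT_SCRIPT: print the cacerts path for that Tomcat.
cacerts_for_init_script() {
    cfg=$(conf_value "$1" TOMCAT_CFG)
    [ -n "$cfg" ] || { echo "no TOMCAT_CFG in $1" >&2; return 1; }
    jre=$(conf_value "$cfg" JRE_HOME)
    [ -n "$jre" ] || { echo "no JRE_HOME in $cfg" >&2; return 1; }
    # Must be the JRE Tomcat actually runs, not whatever java is first on PATH.
    printf '%s/lib/security/cacerts\n' "$jre"
}

# import_trusted_root CERT.der KEYSTORE [ALIAS]: import once, skip if present.
import_trusted_root() {
    alias=${3:-edir-ldap-trusted-root}
    if keytool -list -keystore "$2" -storepass changeit -alias "$alias" >/dev/null 2>&1; then
        echo "alias $alias already in $2, nothing to do"
        return 0
    fi
    keytool -import -noprompt -trustcacerts -alias "$alias" \
        -file "$1" -keystore "$2" -storepass changeit
}

main() {
    script=$(ls /etc/init.d/novell-tomcat* 2>/dev/null | head -n 1)
    [ -n "$script" ] || { echo "no novell-tomcat init script found" >&2; exit 1; }
    ks=$(cacerts_for_init_script "$script") || exit 1
    import_trusted_root "$1" "$ks"
    echo "Imported into $ks. Log out of iManager and restart Tomcat."
}

# Usage: ./import-edir-root.sh trustedroot.der
if [ "$#" -eq 1 ]; then main "$1"; fi
```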