iFolder 3 install failure using LDAP over SSL

  • 3948161
  • 29-Dec-2006
  • 16-Mar-2012

Environment

Novell iFolder 3.1
Novell Open Enterprise Server (OES) on Linux SP1

Situation

The iFolder 3 service fails, and one of the following conditions applies:

  • The customer moved the Certificate Authority to another server, or the certificates have expired and been rebuilt.
  • Installing iFolder 3.1 fails, and y2log records "SIMIAS SERVER SETUP", "", "Failed" after the install fails.
  • Binding to the LDAP server on port 636 (SSL) fails, while binding on port 389 works.

Resolution

Remove the invalid certificate from the Mono keystore with the Mono Certificate Manager utility (certmgr). This is done as follows:

  1. List the certificates currently in the keystore. At a shell prompt, type:
    certmgr -list -c -m Trust
    The command should print output similar to:
    Mono Certificate Manager - version 1.1.7.0
    Manage X.509 certificates and CRL from stores.
    Copyright 2002, 2003 Motus Technologies. Copyright 2004-2005 Novell. BSD licensed.

    Self-signed X.509 v3 Certificate
    Serial Number: 09010202B56A6E265D7F862E7F1D20CFD33A5AA75678904468650E6F796EE1141C02
    Issuer Name: OU=Organizational CA, O=novell
    Subject Name: OU=Organizational CA, O=novell
    Valid From: 08/27/2005 13:47:34
    Valid Until: 08/27/2015 13:47:34
    Unique Hash: 8CA0157AE10050648EB1234561EC0A4E8BE4BE97
    If the invalid certificate cannot be identified by its "Valid From:" or "Valid Until:" date, the keystore probably contains a corrupt certificate. In that case, remove all certificates and re-run the
    /opt/novell/ifolder3/bin/simias-server-setup
    script.
  2. Delete the invalid certificate. At the prompt, type:
    certmgr -del -c -m Trust {the unique hash value of the cert to delete}
  3. Restart the Apache web server. This forces Mono to start as a fresh instance:
    /etc/init.d/apache2 stop && /etc/init.d/apache2 start
  4. Now import the new certificate, either from a file:
    certmgr -add -c -m Trust [CertificateFileName]
    or directly from the LDAP server (0.0.0.0 stands for the address of the LDAP server):
    certmgr -ssl ldaps://0.0.0.0:636 -m Trust
    Before trusting a certificate fetched over the network, compare the Unique Hash that certmgr shows with the fingerprint of the CA certificate as published by the Certificate Authority.
  5. Restart the Apache web server again:
    /etc/init.d/apache2 stop && /etc/init.d/apache2 start
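The identification in step 1 can be scripted. The following script is added here as an example and is not part of the TID or of Mono: it assumes certmgr prints the "Valid From:", "Valid Until:" and "Unique Hash:" lines in the format shown above, and it runs against a constructed sample of such output rather than a live keystore.

```shell
# Added example (not from the TID): flag certificates in the Mono "Trust" store
# that are expired, not yet valid, or missing their validity dates (the "corrupt"
# case the TID describes) and print each one's Unique Hash, ready for
# "certmgr -del -c -m Trust <hash>". Assumes the certmgr output format shown above.

# find_bad_certs REFDATE   (REFDATE as YYYYMMDD; certmgr output on stdin)
# Prints "<hash> <reason>" for every certificate that should be removed.
find_bad_certs() {
    awk -v ref="$1" '
        # certmgr prints MM/DD/YYYY; rewrite as YYYYMMDD so dates compare as strings
        function ymd(s,   a) {
            if (split(s, a, "/") != 3 || length(a[3]) != 4) return ""
            return a[3] a[1] a[2]
        }
        function report() {
            if (notbefore == "" || notafter == "") print hash, "corrupt"
            else if (notafter < ref)               print hash, "expired"
            else if (notbefore > ref)              print hash, "not-yet-valid"
            notbefore = ""; notafter = ""
        }
        $1 == "Valid" && $2 == "From:"  { notbefore = ymd($3) }
        $1 == "Valid" && $2 == "Until:" { notafter  = ymd($3) }
        $1 == "Unique" && $2 == "Hash:" { hash = $3; report() }
    '
}

# Constructed certmgr output: one valid cert, one expired cert, one with no dates.
sample_certmgr_output() {
    cat <<'EOF'
Self-signed X.509 v3 Certificate
Subject Name: OU=Organizational CA, O=example
Valid From: 08/27/2005 13:47:34
Valid Until: 08/27/2015 13:47:34
Unique Hash: 1111111111111111111111111111111111111111
Self-signed X.509 v3 Certificate
Subject Name: OU=Old CA, O=example
Valid From: 01/15/2003 09:00:00
Valid Until: 01/15/2005 09:00:00
Unique Hash: 2222222222222222222222222222222222222222
Self-signed X.509 v3 Certificate
Unique Hash: 3333333333333333333333333333333333333333
EOF
}

# Scan the constructed sample as of 1 January 2007.
scan_sample() {
    sample_certmgr_output | find_bad_certs 20070101
}
```

Against a live server, run `certmgr -list -c -m Trust | find_bad_certs "$(date +%Y%m%d)"` and review each reported hash before deleting it.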

Additional Information

Mono was installed prior to the CA move. When iFolder was installed originally, the install contacted the LDAP server and imported a certificate into the Mono keystore. That certificate came from the original CA and was no longer valid. Re-installing iFolder successfully imported the new certificate from the LDAP server but retained the original "invalid" certificate as well. When iFolder attempted to bind to the LDAP server over SSL, it used the first certificate in the keystore for the SSL handshake, which therefore failed.

Formerly known as TID# 10099672