Environment
- NetIQ Access Manager
- NetIQ Access Manager Admin Console
Situation
- All Novell Access Manager (NAM) services stopped working on a specific date.
- The Health status shown in iManager for all configured devices returns: "Server is not reporting"
- Running the "/etc/init.d/novell-jcc status" init script on the configured devices returns: "unused"
- Restarting the JCC client service with "/etc/init.d/novell-jcc start" fails on all devices
Resolution
- This issue has been addressed in Novell Access Manager 3.0 Service Pack 4 and any later release
- To fix the expired JCC certificates:
- Set the clock of every OS platform hosting NAM services back to 15 days before the JCC certificates expire
(disable NTP so that the time is not automatically re-adjusted)
- Install Novell Access Manager Service Pack 4 on all devices, beginning with the Access Manager Console server (AC)
- Restart the Access Manager Console service ("/etc/init.d/novell-tomcat restart") and wait about 30 minutes
- Set the time and date back to the current values
- Restart all devices
- It is also possible to fix the JCC Java keystore (JKS) of the Access Manager Console manually
- The AC JCC keystore file is located at "/var/opt/novell/novlwww/devman.keystore"
- The required keystore password is the keystorePass attribute of the devman connector and can be found by running:
"grep devman /opt/novell/nam/adminconsole/conf/server.xml"
<Connector NIDP_Name="devman" port="8444" maxThreads="200" minSpareThreads="5" enableLookups="false" acceptCount="100"
    scheme="https" secure="true" disableUploadTimeout="true" URIEncoding="utf-8" clientAuth="true" sslProtocol="TLSv1.2"
    sslImplementationName="com.novell.socket.DevManSSLImplementation"
    keystoreFile="/var/opt/novell/novlwww/devman.keystore" keystorePass="705DAC262E019DEB"
    SSLEnabled="true" address="147.2.92.100" sslEnabledProtocols="SSLv2Hello,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256" />
(the keystorePass shown is the one of the example system; use the value from your own server.xml, and note that it is stored in clear text)
- Use iManager => Admin => Manage Tasks => Certificate Access => Server Certificates and create a new custom certificate called for example "devman-custom":
- Organizational certificate authority
- Key type: Unspecified
- Disable "Enable extended key usage"
- Subject: "cn=[hostname].ou=accessManager.o=novell"
Example: "CN=nam40.OU=accessManager.O=novell"
- Delete any Subject Alternative Name
- SHA256 (signature algorithm)
- Validity period: Maximum
- Export the new certificate (including the private key) into a PKCS#12 file
- Create a backup copy of the existing "devman.keystore"
- To edit the "devman.keystore" file with KeytoolUI you have to add the file extension .jks
(example: devman.keystore.jks)
- Rename the alias "tomcat" to "tomcatold"
- Import the PKCS#12 envelope exported from iManager into "devman.keystore" and assign it the alias "tomcat"
- Copy the new "devman.keystore" back to the "/var/opt/novell/novlwww/" directory and restart the Access Manager Console ("/etc/init.d/novell-tomcat restart")
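As an added example (not part of this TID and not NetIQ's own tooling), the KeytoolUI steps above done from the shell with the JDK command-line keytool: the keystore password is read from server.xml without echoing the whole connector, the keystore is backed up, the expired "tomcat" entry is renamed to "tomcatold" and the PKCS#12 exported from iManager is imported as "tomcat". Assumptions that are not in the TID: keytool is on PATH, the PKCS#12 path and its export password are passed as arguments, the PKCS#12 holds a single key entry, and the devman <Connector> element is a single line with NIDP_Name before keystorePass as shown above; the embedded server.xml sample is constructed from the TID's values so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of this TID: the KeytoolUI steps done with the
# JDK command-line keytool. Assumptions (not from the TID): keytool is on
# PATH, the PKCS#12 exported from iManager and its export password are
# passed as arguments, the PKCS#12 holds a single key entry, and the devman
# <Connector> element is one line with NIDP_Name before keystorePass.
set -eu

SERVER_XML=/opt/novell/nam/adminconsole/conf/server.xml
KEYSTORE=/var/opt/novell/novlwww/devman.keystore

# Extract only the keystorePass attribute of the devman connector instead
# of printing the whole element (and the password) with a plain grep.
keystore_pass_from_server_xml() {
    sed -n 's/.*NIDP_Name="devman".*keystorePass="\([^"]*\)".*/\1/p' "$1"
}

# Constructed sample server.xml (values copied from the TID) so that the
# parser can be exercised without an Access Manager Console; prints its path.
write_sample_server_xml() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
<Service name="Catalina">
<Connector NIDP_Name="devman" port="8444" scheme="https" secure="true" clientAuth="true" keystoreFile="/var/opt/novell/novlwww/devman.keystore" keystorePass="705DAC262E019DEB" SSLEnabled="true" />
</Service>
EOF
    echo "$f"
}

# True when alias $3 exists in keystore $1 (store password $2): keytool
# -list exits non-zero for an unknown alias.
has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Back up devman.keystore, move the expired "tomcat" entry aside as
# "tomcatold" and import the PKCS#12 ($1, export password $2) as "tomcat".
replace_devman_cert() {
    p12=$1; p12_pass=$2
    pass=$(keystore_pass_from_server_xml "$SERVER_XML")
    if [ -z "$pass" ]; then
        echo "keystorePass for the devman connector not found in $SERVER_XML" >&2
        return 1
    fi
    if has_alias "$KEYSTORE" "$pass" tomcatold; then
        echo "alias tomcatold already exists in $KEYSTORE, refusing to continue" >&2
        return 1
    fi
    cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"

    # The alias iManager writes into the PKCS#12 is not documented in the TID;
    # take the first (assumed only) one keytool reports.
    src_alias=$(keytool -list -v -keystore "$p12" -storetype PKCS12 -storepass "$p12_pass" \
                | sed -n 's/^Alias name: //p' | head -n 1)

    keytool -changealias -keystore "$KEYSTORE" -storepass "$pass" \
        -alias tomcat -destalias tomcatold
    # Tomcat reads the key with keystorePass (no keyPass attribute), so the
    # imported key must use the store password as its key password.
    keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
        -srcstorepass "$p12_pass" -srcalias "$src_alias" \
        -destkeystore "$KEYSTORE" -deststorepass "$pass" \
        -destalias tomcat -destkeypass "$pass"
    # Both entries should now be listed; only "tomcat" is used by the connector.
    keytool -list -keystore "$KEYSTORE" -storepass "$pass"
}

# Usage: sh fix-devman-keystore.sh /root/devman-custom.p12 'export-password'
# then:  /etc/init.d/novell-tomcat restart
if [ $# -eq 2 ]; then
    replace_devman_cert "$1" "$2"
fi
```

The script refuses to run if "tomcatold" already exists, so a second run cannot silently overwrite the backup entry; the timestamped copy of devman.keystore is the rollback path if the new entry does not work.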
Additional Information
Troubleshooting
- Review the "/opt/novell/devman/jcc/logs/jcc-0.log.0" and check if it contains the following error:
-------------------------------------------------------------------------------------------------------------------------------------------------
Mar 19, 2009 1:53:12 PM com.novell.jcc.util.JCCUtils logSevere
SEVERE: AM#100702009: Error sending alert ID#: 1 from idp-8BD356ED07F074CF to 192.168.1.13
com.novell.jcc.client.AlertDispatcher$_A$_B run
java.security.cert.CertificateExpiredException: NotAfter: Wed Feb 18 16:06:57 GMT 2009
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateExpiredException: NotAfter: Wed Feb 18 16:06:57 GMT 2009
-------------------------------------------------------------------------------------------------------------------------------------------------
- Use the following OpenSSL command to review the certificate presented by the devman listener:
echo | openssl s_client -connect 10.2.92.100:8444 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /OU=Organizational CA/O=nam40_tree
subject= /CN=nam40/OU=accessManager/O=novell
notBefore=Oct 23 12:30:00 2019 GMT
notAfter=Feb 3 23:58:00 2036 GMT
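As an added example (not part of this TID and not NetIQ's own tooling), the openssl s_client check above wrapped into a small script that reports how many days the devman certificate has left and, because the Resolution section requires the host clock to be set back to 15 days before expiry before installing Service Pack 4, also prints that rollback date. Assumptions that are not in the TID: GNU date (as on SLES) is used to parse the openssl and Java date formats, host and port default to the values used in the TID, and the dates used for the offline check are taken from the log excerpt and the openssl output above.

```shell
#!/bin/sh
# Added example, not part of this TID. Wraps the openssl s_client check
# into an expiry test and computes the clock-rollback date from the
# Resolution (15 days before notAfter). Assumes GNU date for -d parsing.
set -eu

GRACE_DAYS=15   # Resolution: clock must be set to 15 days before expiry

# Parse a certificate date into epoch seconds. GNU date reads both the
# openssl form ("Feb  3 23:58:00 2036 GMT") and the Java form seen in
# jcc-0.log.0 ("Wed Feb 18 16:06:57 GMT 2009").
to_epoch() {
    date -u -d "$1" +%s
}

# Whole days from NOW ($2, default: current time) until NOTAFTER ($1);
# negative (truncated toward zero) once the certificate has expired.
days_until_expiry() {
    notafter=$1; now=${2:-now}
    echo $(( ( $(to_epoch "$notafter") - $(to_epoch "$now") ) / 86400 ))
}

# Date to set the OS clock to before installing SP4: GRACE_DAYS before
# notAfter, in a form accepted by "date -u -s".
rollback_date() {
    date -u -d "@$(( $(to_epoch "$1") - GRACE_DAYS * 86400 ))" '+%Y-%m-%d %H:%M:%S'
}

# notAfter of the certificate presented on $1:$2, using the TID's command.
remote_notafter() {
    echo | openssl s_client -connect "$1:$2" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

check_devman() {
    host=${1:-10.2.92.100}; port=${2:-8444}
    na=$(remote_notafter "$host" "$port")
    if [ -z "$na" ]; then
        echo "no certificate received from $host:$port" >&2
        return 2
    fi
    d=$(days_until_expiry "$na")
    echo "$host:$port notAfter=$na ($d days left)"
    if [ "$d" -lt 0 ]; then
        echo "EXPIRED: set the clock to $(rollback_date "$na") UTC (NTP off), then install SP4"
        return 1
    elif [ "$d" -lt "$GRACE_DAYS" ]; then
        echo "WARNING: inside the $GRACE_DAYS-day window, replace the certificate now"
        return 1
    fi
}

# Usage: sh check-devman.sh [host] [port]
if [ $# -gt 0 ]; then
    check_devman "$@"
fi
```

Run it against the Access Manager Console (port 8444) and against each device's JCC listener (port 1443); a non-zero exit means the certificate is expired or inside the grace window. Because the check reads the handshake certificate, it works even when the JCC init script only reports "unused".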
Tools
- iManager with Certificate Server snap-in (installed with recent versions of NAM)
- KeytoolUI or KeyStore Explorer in order to edit a Java KeyStore (JKS)
- OpenSSL s_client in order to review certificates provided during the SSL handshake
- Device Manager Service (devman) is listening on port "8444" on the Access Manager Console
- The JCC Service on each node listens on port 1443
- JCC uses SSL mutual authentication, which means that whichever side initiates the communication channel as a client will be asked to present a certificate