Action Start Workflow fails with error Code(-9194)

  • 7008878
  • 21-Jun-2011
  • 26-Apr-2012

Environment

Novell Identity Manager 3.6.1
Novell Roles Based Provisioning Module 3.7

Situation

Trying to start a workflow from an IDM driver fails with error code -9194. Complete error stack:

DirXML Log Event -------------------
     Driver:   \NTSLAB078-TREE\NTS\Services\DriverSet\DupIssue
     Channel:  Subscriber
     Status:   Error
     Message:  Code(-9194) Error in vnd.nds.stream://NTSLAB078-TREE/NTS/Services/DriverSet/DupIssue/Subscriber/Initiate+workflow#XmlData:182 : Couldn't start workflow 'cn=LabUserAccountEntitlement,cn=RequestDefs,cn=AppConfig,cn=UserApplication,cn=DriverSet,ou=services,o=nts' for recipient 'CN=testuser001,ou=users,o=nts': java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Resolution

The key to this issue is the error text "unable to find valid certification path to requested target". It indicates that RBPM is running with a URL like https://nts078.lab.novell.com:8080/IDMProv (HTTP over SSL) and that the Java Virtual Machine used by IDM does not have the trusted root certificate necessary to accept the server's certificate.

The first step in solving this issue is to export the trusted root certificate of the Certificate Authority that signed the server's SSL certificate. Next, import that certificate into the keystore of IDM's JVM using the Java tool 'keytool'. In the example commands below, replace the text "/path_to_certificate/trusted_root_certificate_file" with the actual filesystem path and name of the .pem or .b64 file containing the trusted root certificate.

On 32-bit Linux the command would be:
/opt/novell/eDirectory/lib/nds-modules/jre/bin/keytool -importcert -file /path_to_certificate/trusted_root_certificate_file -keystore /opt/novell/eDirectory/lib/nds-modules/jre/lib/security/cacerts -storepass changeit

On 64-bit Linux the command would be:
/opt/novell/eDirectory/lib64/nds-modules/jre/bin/keytool -importcert -file /path_to_certificate/trusted_root_certificate_file -keystore /opt/novell/eDirectory/lib64/nds-modules/jre/lib/security/cacerts -storepass changeit

On Windows 2008/2008R2 the command would be:
C:\Novell\NDS\jre\bin\keytool.exe -importcert -file C:\path_to_certificate\trusted_root_certificate_file -keystore C:\Novell\NDS\jre\lib\security\cacerts -storepass changeit

If eDirectory is not installed in the default location, adjust the paths above to match the eDirectory installation.

After importing the certificate into the correct keystore, restart eDirectory for the change to take effect.
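
Adding a root certificate to cacerts makes the JVM trust every certificate that CA issues, so it is worth checking the file before importing it. The wrapper below is an added example, not part of the original article or a Novell script: it compares the file's fingerprint with one obtained from the CA administrator, backs up the keystore, imports under an explicit alias and confirms the entry exists. The function name, variable names, alias, backup file name and 64-bit Linux default paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): fingerprint-checked import of a
# trusted root into the JVM keystore used by IDM.

# Defaults follow the article's 64-bit Linux paths; override via environment.
JRE="${JRE:-/opt/novell/eDirectory/lib64/nds-modules/jre}"
KEYTOOL="${KEYTOOL:-$JRE/bin/keytool}"
CACERTS="${CACERTS:-$JRE/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"   # keystore password used in the article

# import_root CERT_FILE ALIAS EXPECTED_FINGERPRINT
# EXPECTED_FINGERPRINT is colon-separated hex as keytool prints it, received
# from the CA administrator over a separate channel (assumed workflow).
import_root() {
    cert=$1; ca_alias=$2; expected=$3

    # 1. Refuse to import unless the file shows the expected fingerprint.
    if ! "$KEYTOOL" -printcert -file "$cert" | grep -qiF -- "$expected"; then
        echo "fingerprint mismatch for $cert, not importing" >&2
        return 1
    fi

    # 2. Keep a copy of the keystore so the change can be rolled back.
    cp -p "$CACERTS" "$CACERTS.bak" || return 2

    # 3. Import under an explicit alias (without -alias keytool uses "mykey").
    #    -noprompt is acceptable here because step 1 already checked the cert.
    "$KEYTOOL" -importcert -noprompt -alias "$ca_alias" -file "$cert" \
        -keystore "$CACERTS" -storepass "$STOREPASS" || return 3

    # 4. Confirm the alias is now present in the keystore.
    "$KEYTOOL" -list -alias "$ca_alias" \
        -keystore "$CACERTS" -storepass "$STOREPASS" >/dev/null || return 4
}

# Runs only when invoked as: script.sh CERT_FILE ALIAS EXPECTED_FINGERPRINT
if [ "$#" -eq 3 ]; then
    import_root "$1" "$2" "$3" && echo "imported; restart eDirectory"
fi
```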