Various authentication problems with iManager, openwbem, CIMOM, LUM or LDAP, etc

  • 7011790
  • 15-Feb-2013
  • 15-Feb-2013

Environment

Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 2 (OES 2) Linux
NetIQ eDirectory
NetIQ iManager

Situation

Storage, Archive Versioning, File Protocols and Clustering Plug-Ins for iManager fail.

Errors may occur in one or more of the following places:
  • iManager
    • This user does not have the correct credentials to authenticate to the CIMOM client
    • Error: File Protocol error occurred: cannot open the NCS version file on the selected cluster. The Cluster software may not currently be running on this server.
    • Error: File Protocol error occurred: cannot open the NSS version file on the selected server. The NSS software may not currently be running on this server.
  • iManager debug log
    • NSSAdminPluginClient constructor - CIM Exception: CIM_ERR_ACCESS_DENIED
    • Exception caught trying CIMOM protocol: 30602
    • *** NSSServer - NSSClientException caught in GetFile(Manage_NSS/Module/NSS.xml):com.novell.ns
  • openwbem/owicimomd debug log
    • /usr/sbin/namcd[00000]:  cert_callback: ldapssl_get_cert_attribute status 10
    • /usr/sbin/namcd[00000]:  param_errmsg: Unknown error returned reading configuration parameter: alternative-ldap-server-list
The troubleshooting steps in the following, and similar, TIDs have been tried without success:

Server certificates (KMO) had recently expired or become corrupt and been recreated.

Resolution

Ensure that LDAP is using the correct certificate:
  1. iManager -> LDAP -> LDAP Options -> View LDAP Servers -> MyServer -> Connections -> Server Certificate
  2. iManager -> LDAP -> LDAP Options -> View LDAP Servers -> MyServer -> Information -> Refresh
It may be necessary to force LDAP to recognise the new certificates.  If the dialogue in Step 1, above, is already populated (e.g. SSL CertificateDNS) then select an alternative certificate (e.g. SSL CertificateIP), Apply and Refresh (Step 2) and then change it back.
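
To confirm from the command line that LDAP picked up the recreated certificate after the Refresh, the certificate the server presents can be compared with the new one. This is an added example, not part of the original TID; it assumes LDAPS is listening on port 636 and that the recreated certificate has been exported to a PEM file, and the host name and file paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the TID): check which certificate LDAPS is serving.

# Print the SHA-256 fingerprint of the PEM certificate in file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Return 0 if the PEM certificate in file $1 has not yet expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Save the certificate presented by host $1 on port $2 into file $3.
fetch_ldaps_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Compare the served certificate ($1) with the recreated one ($2).
# Returns 0 on match, 1 on mismatch or expiry, 2 if a file is unreadable.
compare_certs() {
    served=$(cert_fingerprint "$1")
    expected=$(cert_fingerprint "$2")
    if [ -z "$served" ] || [ -z "$expected" ]; then
        echo "ERROR: could not read a certificate from $1 or $2"
        return 2
    fi
    if [ "$served" != "$expected" ]; then
        echo "MISMATCH: LDAP serves $served, expected $expected"
        return 1
    fi
    if ! cert_not_expired "$1"; then
        echo "EXPIRED: LDAP serves the expected certificate, but it has expired"
        return 1
    fi
    echo "OK: LDAP serves the expected certificate $served"
}

# Usage: script.sh <host> <port> <recreated-cert.pem>
# e.g.   script.sh myserver.example.com 636 /tmp/recreated.pem  (hypothetical values)
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp)
    fetch_ldaps_cert "$1" "$2" "$tmp"
    compare_certs "$tmp" "$3"; rc=$?
    rm -f "$tmp"
    exit "$rc"
fi
```

A MISMATCH result after recreating the server certificates corresponds to the cause described in this TID: LDAP is still presenting the old certificate.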

Cause

LDAP had not picked up a recently recreated certificate.