Can not extend Radius schema: Connect Error

  • 7014640
  • 26-Feb-2014
  • 12-Jun-2019

Environment

Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3 for All Platforms
iManager 2.7.6
iManager 2.7.7
iManager 3.1.x
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
Novell Open Enterprise Server 2018  (OES 2018) Linux Support Pack 1
Novell Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 2
Novell Open Enterprise Server 11 (OES 11) Linux Support Pack 1
FreeRADIUS

Situation

The Radius plug-in for iManager requires a secure LDAP connection.

When extending the FreeRADIUS schema in iManager, the error returned is:
  Created LDAP context failed: 
  Connect Error
  java.lan.Exception\n at com.novell.nps.radius.ExtendRadiusSchema.showInitialForm(ExtendRadiusSchema.java:185)\n

When creating a Radius Profile or Radius User the following error is returned:
java.lang.NullPointerException at com.novell.nps.radius.RadiusSchema.isSchemaValid(RadisuSchema.java:2511)

Resolution

Check that the keystore (cacerts file) is valid and has the correct permissions. (For OES 2018.1 servers, see the OES 2018.1 sub-section below)

First, find the JAVA_HOME path:
export | grep -i JAVA_HOME
This usually returns something like:
 /usr/lib64/jvm/jre

The keytool binary is usually located at:
/usr/lib64/jvm/jre/bin/keytool
The keystore is usually named cacerts and located at:
/usr/lib64/jvm/jre/lib/security/cacerts

Next, check the permissions on the cacerts file:
ls -al /usr/lib64/jvm/jre/lib/security/cacerts
-rwxr-xr-x 1 root root  cacerts*
If the permissions are incorrect, change them with the command:
chmod 755 /usr/lib64/jvm/jre/lib/security/cacerts

If the cacerts file is missing, or has expired because the CA expired or was recreated, use the keytool command to generate a new cacerts file.
To verify that the CA is valid, see TID 7013047.

Once the CA is validated, export a certificate from the tree via iManager. If there is an OES server in the tree, use /etc/opt/novell/certs/SSCert.der instead.
To export a certificate with iManager, log in to iManager | Novell Certificate Server | Configure Certificate Authority | Select the Certificates tab | Select the Self Signed Certificate tab | Export | Uncheck the "Export private key" option | Verify the Export format is "Der" | Next | Click the "Save the exported certificate" link and save to the desired location.

Next, run the keytool command:
keytool -import -alias Alias_Name -file /path_to_exported_cert.der -keystore /path_to_cacerts_file
For example:
 keytool -import -alias Alias_Name -file /etc/opt/novell/certs/SSCert.der -keystore /usr/lib64/jvm/jre/lib/security/cacerts
When prompted for the password, type "changeit", and answer "yes" to the question "Trust this certificate?"


OES 2018.1:
Certificate path on OES server: /etc/opt/novell/certs/SSCert.der
keytool path: /usr/lib64/jvm/java-1_8_0-ibm-1.8.0/jre/bin/keytool
java keystore path: /var/lib/ca-certificates/java-cacerts

e.g.
/usr/lib64/jvm/java-1_8_0-ibm-1.8.0/jre/bin/keytool -import -file /etc/opt/novell/certs/SSCert.der -keystore /var/lib/ca-certificates/java-cacerts
rcnovell-tomcat restart
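
The keystore checks and import steps from the Resolution, combined into one script. This is an added example, not part of the original TID or any Novell tooling; the function names, the KEYTOOL variable and the backup file name are assumptions. The permission check accepts any mode that everyone can read and only the owner can write, which includes the 755 mode shown above.

```shell
#!/bin/sh
# Added example (not from the TID): pre-flight check and import wrapper.
# KEYTOOL can be overridden, e.g. with the OES 2018.1 keytool path above.
KEYTOOL=${KEYTOOL:-keytool}

# Return 0 only if the keystore is a non-empty regular file that everyone
# can read and only the owner can write. A trust store writable by group
# or others could have CA entries added without root access.
keystore_perms_ok() {
    ks=$1
    [ -f "$ks" ] || { echo "missing: $ks" >&2; return 1; }
    [ -s "$ks" ] || { echo "empty: $ks" >&2; return 1; }
    # -L: judge the target when the keystore path is a symlink.
    mode=$(ls -ldL -- "$ks" | cut -c1-10)
    case $mode in
        -r[w-][x-]r-[x-]r-[x-]) return 0 ;;
        *) echo "unexpected mode $mode on $ks" >&2; return 1 ;;
    esac
}

# import_ca CERT KEYSTORE ALIAS
# keytool itself prompts for the keystore password and the trust question.
import_ca() {
    cert=$1; ks=$2; entry=$3
    [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 1; }
    keystore_perms_ok "$ks" || return 1
    # Print owner, validity dates and fingerprints so they can be compared
    # with the CA shown in iManager before the certificate is trusted.
    "$KEYTOOL" -printcert -file "$cert" || return 1
    # Keep a timestamped copy so a bad import can be rolled back.
    cp -p -- "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)" || return 1
    "$KEYTOOL" -import -alias "$entry" -file "$cert" -keystore "$ks" || return 1
    # Confirm the new entry is present.
    "$KEYTOOL" -list -keystore "$ks" -alias "$entry"
}

# Run only when called with: CERT KEYSTORE ALIAS
if [ "$#" -eq 3 ]; then import_ca "$@"; fi
```
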

Additional Information

See TID 7002490 for creating the keystore for a workstation version of iManager
or copy a valid keystore (the cacerts file) from a server or another workstation.