Environment
- NetIQ Access Manager 4.3
- NetIQ Access Manager Appliance 4.3
- NetIQ Access Manager Access Gateway Appliance 4.3
Situation
- Access Gateway Appliance / NAM Appliance has been upgraded to NAM 4.3
- Access Gateway reports:
Server error!
The server encountered an internal error and was unable to complete your request.
Error message:
The proxy server could not handle the request GET [pathname].
Reason: Error during SSL Handshake with remote server - The requested proxy server has been configured to run SSL with the protected back-end web server
- Server Certificate validation has been enabled: "Web Server Trusted Root: Any in Reverse Proxy Trust Store"
- No configuration change has been applied after running the upgrade to NAM 4.3
- All required CA Certificates are available in the Proxy Trust Store
- setting "LogLevel error" in the Access Gateway Advanced Options reports the following error:
"[error] Certificate Verification: Error (20): unable to get local issuer certificate"
- reviewing the Device Manager (jcc) logfiles at "/opt/novell/devman/jcc/logs/" shows the following error:
=====================================================================================
/opt/novell/devman/jcc/logs/jcc-0.log.0:INFO: Executing /opt/novell/ssllib/bin/c_rehash /opt/novell/apache2/cacerts
/opt/novell/devman/jcc/logs/jcc-0.log.0:Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
/opt/novell/devman/jcc/logs/jcc-0.log.0:java.io.IOException: Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
/opt/novell/devman/jcc/logs/jcc-0.log.0:java.io.IOException: Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
/opt/novell/devman/jcc/logs/jcc-0.log.0:java.io.IOException: Cannot run program "/opt/novell/ssllib/bin/c_rehash" (in directory "/"): error=2, No such file or directory
=====================================================================================
Resolution
- This issue has been reported to engineering
- Workaround:
- create the "/opt/novell/ssllib/bin/" directory
- create the following "c_rehash" and place it into the "/opt/novell/ssllib/bin/" directory
=======================================================
#!/bin/sh
# recreate the OpenSSL subject-hash symlinks in /opt/novell/apache2/cacerts
# (replacement for the missing /opt/novell/ssllib/bin/c_rehash)
#
# based on /etc/pki/tls/misc/c_hash, part of openssl-1.0.0
#
export OPENSSL_CONF=/opt/novell/openssl/ssl/openssl.cnf
export LD_LIBRARY_PATH=/opt/novell/openssl/lib
OPENSSL=/opt/novell/openssl/bin/openssl
CADIR=/opt/novell/apache2/cacerts
# the automatically generated well-known third-party bundle is not hashed
w="WellKnownThirdPartyTrustedRoots_auto.pem"
die () {
echo >&2 "$@"
exit 1
}
cd "$CADIR" || die "Directory $CADIR does not exist"
printf "removing all old hash files\n"
for f in *.[0-9] *.[0-9][0-9]; do
    if [ -e "$f" ] || [ -L "$f" ]; then rm -v "$f"; fi
done
printf "creating new hash files\n"
for i in *.pem; do
    [ -e "$i" ] || continue
    [ "$i" = "$w" ] && continue
    printf '%s\n' "$i"
    h=$("$OPENSSL" x509 -hash -noout -in "$i") || die "cannot read certificate $i"
    # use the next free suffix so that two certificates with the same subject
    # hash do not overwrite each other's link (this is what c_rehash does)
    n=0
    while [ -e "$h.$n" ]; do n=$((n + 1)); done
    ln -svf "$i" "$h.$n"
done
=======================================================
- flag the script executable: chmod 755 /opt/novell/ssllib/bin/c_rehash
- execute the script
- restart the Access Gateway
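To confirm that the trust store is in the shape mod_ssl needs before restarting the Access Gateway, the following check walks a CA directory and reports every certificate that is not reachable through a <subject-hash>.N symlink. This is an added example and not part of the TID or of the NetIQ product; the directory, the openssl binary (default: the first openssl in PATH) and the SKIP bundle name are parameters and assumptions for illustration. Like the workaround script above, it does not expect a hash link for the WellKnownThirdPartyTrustedRoots_auto.pem bundle.

```shell
#!/bin/sh
# Added example, not from the original TID: verify that a mod_ssl CA directory
# (on the Access Gateway: /opt/novell/apache2/cacerts) contains a working
# <subject-hash>.N symlink for every certificate, which is the layout Apache
# uses to find the issuer of the back-end web server certificate.
# OPENSSL, SKIP and the directory argument are parameters (assumptions).

OPENSSL=${OPENSSL:-openssl}
SKIP=${SKIP:-WellKnownThirdPartyTrustedRoots_auto.pem}

# cert_hash FILE: print the OpenSSL subject hash of a PEM certificate
cert_hash() {
    "$OPENSSL" x509 -noout -subject_hash -in "$1"
}

# link_for DIR HASH NAME: succeed when some DIR/HASH.N is a non-dangling
# symlink whose target is the certificate NAME
link_for() {
    dir=$1; h=$2; name=$3
    for link in "$dir/$h".[0-9]*; do
        [ -L "$link" ] && [ -e "$link" ] || continue
        [ "$(basename "$(readlink "$link")")" = "$name" ] && return 0
    done
    return 1
}

# check_hashdir DIR: return 0 when every *.pem certificate in DIR (except the
# SKIP bundle) is reachable through a hash symlink; otherwise report each
# unreachable certificate on stderr and return 1, which is the state the
# Access Gateway is in after the upgrade
check_hashdir() {
    dir=$1
    rc=0
    for pem in "$dir"/*.pem; do
        [ -e "$pem" ] || continue
        name=$(basename "$pem")
        [ "$name" = "$SKIP" ] && continue
        if ! h=$(cert_hash "$pem" 2>/dev/null); then
            echo "not a certificate: $name" >&2
            rc=1
            continue
        fi
        if ! link_for "$dir" "$h" "$name"; then
            echo "no hash link for $name (expected $h.N)" >&2
            rc=1
        fi
    done
    return $rc
}

# usage: sh check_cacerts.sh /opt/novell/apache2/cacerts
[ $# -eq 0 ] || check_hashdir "$1"
```

Run it against the trust store after executing the workaround script; a non-zero exit means the script did not run in that directory or could not read one of the PEM files. The same lookup mod_ssl performs can also be exercised directly with openssl verify -CApath /opt/novell/apache2/cacerts <back-end server certificate>, which only succeeds when the issuer is reachable through a hash link.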
Cause
Apache mod_ssl locates CA certificates in the reverse proxy trust store directory (/opt/novell/apache2/cacerts) by subject hash, so it needs a <hash>.N link for every certificate. After the upgrade the Device Manager (jcc) tries to regenerate these links by running /opt/novell/ssllib/bin/c_rehash, which no longer exists, so no hash files are created and the Access Gateway cannot build the certificate chain of the protected back-end web server (Certificate Verification Error 20: unable to get local issuer certificate), even though the required CA certificates are present in the trust store.