Troubleshooting iManager 2.0.2 and greater on NetWare 6.5

(Last modified: 22Aug2006)

This document (10090732) is provided subject to the disclaimer at the end of this document.

goal

Troubleshooting iManager 2.0.2 and greater on NetWare 6.5

fact

Novell NetWare 6.5

Novell eDirectory 8.7.3 for All Platforms

Novell iManager 2

symptom

Unable to access iManager at https://ipaddress/nps/iManager.html

Unable to access iManager

fix

For iManager to install and work properly, the following items must be functioning on the server:

1.  SSL (Server Certificates)
2.  LDAP over SSL
3.  Tomcat
4.  Apache

For the following information, the server name of "Server1" is assumed and resides in the context O=Novell.


1.  Check for Server Certificates

In ConsoleOne verify the following certificate objects exist in the same context as Server1.
SAS Service - Server1
SSL CertificateIP - Server1
SSL CertificateDNS - Server1

If these objects do not exist, download PKIDIAG.NLM and run PKIDIAG with options 4 then 0 to automatically recreate them.

If these objects do exist, run PKIDIAG.NLM with options 4 then 0 to verify the configuration of these objects.

Note:  PKIDIAG writes to the log file SYS:\ETC\Certserv\REPAIR.LOG.  You may check this log file for any unresolved errors.

For testing purposes, you may also attempt to create a new certificate for Server1.  Do this in ConsoleOne by creating a new object of type NDSPKI:Key Material in the same context as Server1 and specifying Server1 as the server for this certificate.  If this is successful then the tree CA (Certificate Authority) is functioning.   Once created, do a validation check on the SSL Certificate created.  In ConsoleOne select the Properties of the objects.  On the Certificate tab select the Validate button to validate the certificate.  Do this for the Trusted Root certificate and Public Key certificate for this object. 

If the creation of a new Certificate fails then there may be tree CA issues that need to be resolved/investigated.


2.  LDAP over SSL

To determine if LDAP over SSL is configured or working, at the server console unload NLDAP.NLM and load NLDAP.NLM.  The modules NTLS.NLM and SASL.NLM should auto load.  If they do not, then LDAP on this server is not configured for SSL.  Even if they do auto load, you still need to verify LDAP over SSL.

Verify the LDAP server and LDAP group objects exist for Server1.

Check the following attributes on the LDAP Server object.
General tab -  LDAP group is configured.
SSL/TLS Configuration tab  - TLS (SSL) port is 636.
Disable SSL port is not checked.
Server Certificate is configured.  (This should be configured with one of the certificates like SSL CertificateDNS.) 
Other tab - Verify the ldapConfigVersion attribute value is 8. (eDirectory 8.7.3)
Other tab - Verify the ldapConfigVersion attribute value is 7. (eDirectory 8.7.1)

Check the following attributes on the LDAP Group object.
Server list tab - The LDAP server object is in the LDAP server list.
Other tab - Make sure the ldapConfigVersion attribute has the proper value. For eDir 8.7.1 the value should be 7. For eDir 8.7.1.1 the value should be 8.
Other tab - Verify the ldapConfigVersion attribute value is 8. (eDirectory 8.7.3)
Other tab - Verify the ldapConfigVersion attribute value is 7. (eDirectory 8.7.1)

Once this configuration is complete, when NLDAP loads it should auto load NTLS and SASL and ports 389 and 636 will show as being bound and listening in TCPCON. 

Verify LDAP is working by following  TID# 10066259 - How to test LDAP over SSL       

To assist in troubleshooting LDAP loading or operation, the following can be done to gather information on what the problem may be.

Obtaining LDAP log file information from a NetWare server.

Load ConsoleOne and find the LDAP server in the tree you want the log file for.  Right click the object and view the properties.  Click the Screen Options tab.  Select every option except Packet Dump or Decoding.  Click the apply button and close.  Go to the server console and unload / load NLDAP.  This makes sure the trace options are enabled. 
At the server console type the following: 
DSTRACE.NLM
DSTRACE  -ALL +LDAP
DSTRACE SCREEN ON FILE ON
Unload NLDAP and then load NLDAP
DSTRACE FILE OFF

DSTRACE writes to SYS:\SYSTEM\DSTRACE.LOG.

NOTE:  If GWIA loads before NLDAP in the Autoexec.ncf, then GWIA's LDAP will take the LDAP ports.  In order for iManager to install correctly, NLDAP must load before GWIA in the Autoexec.ncf.


3.  Verify that Tomcat is loading properly 

Troubleshooting Tomcat consists of loading TOMCAT4 and viewing the logger screen for errors.  To stop Tomcat, type TC4STOP at the server console.  Wait about a minute and then type TOMCAT4.  Tomcat will take two to three minutes to complete loading.  When done, the following line should appear on the Logger screen.

INFO: JK2: ajp13 listening on /0.0.0.0:9010 

If you do not see the ajp13 listening on port 9010 message, then Tomcat is not loading properly or is still in the process of coming up. 

-Verify that you can ping localhost. At the server console type "ping localhost".  Tomcat looks at several files when initializing and these files reference https://localhost:636.

-Type JAVA -SHOW at the console screen and you should see at least one if not two instances of tomcat running (org.apache.catalina.startup.Bootstrap)

-Whenever the server certificates have changed, Tomcat will need to have its certificate re-exported. On NetWare 6.5 SP1 the file to re-export the certificate is called TCKEYGEN.NCF; prior to Support Pack 1, TCEDIRINIT.NCF can be used.  When these NCF files are run, they export the SSL certificate to the keystore.  The certificate file is located at SYS:\admsrv\conf\.keystore.  You may want to move the .keystore file out of this directory before entering TCEDIRINT.NCF/TCKEYGEN.NCF to verify a new one is created.

See TID# 10087091 - Tomcat 4 on NetWare 6.5 will not load for more information on Troubleshooting Tomcat4

4.  Verify that Apache is loading properly 

Verify the Apache Server is running.  On NetWare 6.5 it will show up as a screen labeled "Apache 2.0.4x for NetWare".  You can also go into TCPCON and verify that ports 80 and 443 are listening.  To stop and restart the Apache web server on NetWare 6.5, type AP2WEBDN and then AP2WEBUP.

If you get a 404 error when trying to access the /nps/servlet/configure page, most likely the INCLUDE statement for the nps-apache.conf file is missing from the Apache configuration file (SYS:\APACHE2\CONF\HTTPD.CONF).  Verify there is an INCLUDE statement the same as below.

Include sys:/tomcat/4/conf/nps-Apache.conf

Another reason you may get a 404 error when trying to access the iManager URL is the listen statements in the sys:/adminsrv/conf/adminsrv.conf file.

In this file, look for the following comment. Make sure the IP addresses in this file are correct, and that your server name is correct throughout the file:

# NetWare Web Manager config starts

Listen ServerIPAddress:2211
SecureListen ServerIPAddress:2200 "SSL CertificateDNS"
#   Listen ServerIPAddress:2200

LoadModule headers_module modules/headers.nlm
Header set Cache-Control: no-cache

<VirtualHost ServerIPAddress:2200>
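
The two Apache checks above can be run against copies of HTTPD.CONF and adminsrv.conf taken off the server. The following is an added example, not Novell code; the function names and the sample file contents are constructed for illustration, and the addresses are documentation-range placeholders.

```python
# Include line exactly as given in this TID, lower-cased for comparison.
EXPECTED_INCLUDE = "sys:/tomcat/4/conf/nps-apache.conf"
# Directives from the adminsrv.conf excerpt that carry the server IP address.
ADDR_DIRECTIVES = ("listen", "securelisten", "<virtualhost")

def has_nps_include(httpd_conf):
    """True if an uncommented Include of nps-Apache.conf is present."""
    for raw in httpd_conf.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].lower() != "include":
            continue  # blank line, comment ('#' is its own token) or other directive
        # NetWare paths are case-insensitive and accept either slash.
        target = parts[1].strip().strip('"').replace("\\", "/").lower()
        if target == EXPECTED_INCLUDE:
            return True
    return False

def wrong_addresses(adminsrv_conf, server_ip):
    """Return (line_no, directive, address) for every active Listen,
    SecureListen or <VirtualHost> whose address is not server_ip."""
    findings = []
    for no, raw in enumerate(adminsrv_conf.splitlines(), 1):
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0].lower() not in ADDR_DIRECTIVES:
            continue  # commented-out lines start with '#' and fall out here
        host, sep, _port = parts[1].rstrip(">").rpartition(":")
        if sep and host != server_ip:
            findings.append((no, parts[0].lstrip("<"), host))
    return findings

# Constructed samples: Include commented out, one stale SecureListen address.
SAMPLE_HTTPD = """\
# Include sys:/tomcat/4/conf/nps-Apache.conf
Listen 80
"""
SAMPLE_ADMINSRV = """\
# NetWare Web Manager config starts
Listen 192.0.2.10:2211
SecureListen 192.0.2.99:2200 "SSL CertificateDNS"
#   Listen 192.0.2.10:2200
<VirtualHost 192.0.2.10:2200>
"""

if __name__ == "__main__":
    print("nps include present:", has_nps_include(SAMPLE_HTTPD))
    for no, directive, addr in wrong_addresses(SAMPLE_ADMINSRV, "192.0.2.10"):
        print(f"adminsrv.conf line {no}: {directive} uses {addr}")
```
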

***Also make sure that NILE.NLM is listed in the AUTOEXEC.NCF; if it is not, edit the file to load it there (you can list it after BSTART), then reboot the server.
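
The two AUTOEXEC.NCF conditions in this document (NLDAP loading before GWIA, and NILE.NLM being listed) can be checked on a copy of the file. The following is an added example, not Novell code; the function names and the sample file are constructed, and it only sees modules named directly in AUTOEXEC.NCF, not ones started from a nested NCF file.

```python
import re

def active_lines(ncf_text):
    """Yield (line_no, upper-cased text) for non-comment lines of an NCF file."""
    for no, raw in enumerate(ncf_text.splitlines(), 1):
        line = raw.strip().upper()
        # Skip blank lines and NCF comments (#, ; or REM).
        if not line or line[0] in "#;" or re.match(r"REM\b", line):
            continue
        yield no, line

def first_load(ncf_text, module):
    """Line number of the first active line naming `module` as a whole word."""
    pat = re.compile(r"(?<![A-Z0-9])" + re.escape(module.upper()) + r"(?![A-Z0-9])")
    for no, line in active_lines(ncf_text):
        if pat.search(line):
            return no
    return None

def check_autoexec(ncf_text):
    """Return findings for the two AUTOEXEC.NCF conditions in this document."""
    findings = []
    if first_load(ncf_text, "NILE") is None:
        findings.append("NILE.NLM is not loaded")
    gwia = first_load(ncf_text, "GWIA")
    nldap = first_load(ncf_text, "NLDAP")
    # GWIA must not come up before NLDAP, or it takes the LDAP ports.
    if gwia is not None and (nldap is None or nldap > gwia):
        findings.append(f"no NLDAP load before GWIA (line {gwia})")
    return findings

# Constructed sample, not taken from a real server.
SAMPLE_AUTOEXEC = """\
BSTART
# LOAD NILE.NLM
LOAD GWIA @GWIA.CFG
LOAD NLDAP.NLM
"""

if __name__ == "__main__":
    for finding in check_autoexec(SAMPLE_AUTOEXEC):
        print("AUTOEXEC.NCF:", finding)
```
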


After verifying the 4 areas above, the server should be prepared to run iManager.  

If a previous iManager install failed, or you are unable to get into iManager after verifying the above, restart the iManager installation using the NetWare 6.5 Products CD or NetWare 6.5SP1a Overlay Products CD.

Before starting the install, rename the following files on the server 

Sys:\ni\data\ni.log
Sys:\ni\data\nioutput.txt

If there are issues during the installation, the errors will be captured in these files.

note

If you would like to view a presentation of this solution you can go to the  iManager TroubleShooting Guide

document

Document Title: Troubleshooting iManager 2.0.2 and greater on NetWare 6.5
Document ID: 10090732
Solution ID: NOVL95069
Creation Date: 28Jan2004
Modified Date: 22Aug2006
Novell Product Class:Beta
Management Products
NetWare
Novell eDirectory

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.