NMAS LDAP TRANSPORT ERROR trying to create universal password in iManager 2.5

(Last modified: 28Jun2005)

This document (10097936) is provided subject to the disclaimer at the end of this document.

fact

LDAP Server is configured with an external certificate.

Novell iManager 2.5

Novell Open Enterprise Server 1.0 - Linux

symptom

NMAS LDAP TRANSPORT ERROR trying to create universal password in iManager 2.5

Error: Server Configuration Error

DSTRACE/ndstrace with +LDAP and +NMAS reports:

TLS accept failure 1 on connection 0x######, setting err = -5875.

Error stack: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown - SSL alert number 46

TLS handshake failed on connection 0x######, err = -5875

cause

An external certificate was added to the LDAP server after OES (with eDirectory and iManager) had been installed. During the installation of iManager, the certificate associated with the LDAP server is imported automatically into the Java runtime keystore. If the certificate associated with the LDAP server is changed afterwards, the new certificate must be imported manually into the Java runtime keystore; otherwise the TLS handshake from iManager to the LDAP server fails with the "certificate unknown" alert shown above.

fix

Steps to manually import the LDAP server certificate into the Java runtime keystore used by tomcat for iManager 2.5:
1.  Export the certificate associated with the LDAP server
     a.)   In iManager, click the View Objects button, browse to and select the certificate being used by the LDAP server, then select Modify Object.
     b.)   Click the Certificate tab, then select Export.
     c.)   Select No when asked whether to export the private key with the certificate.
     d.)   Select Base64 as the format.
     e.)   Click the link "Save the exported certificate to a file".
     f.)   Save the exported certificate, then copy the exported certificate file to the server running tomcat for iManager 2.5.

2.  Import the certificate into the Java runtime keystore being used by tomcat for iManager 2.5
     a.)  For iManager 2.5 on OES, copy the exported certificate file to /opt/novell/lib/java/jre/lib/security.
     b.)  Back up the existing keystore before changing it:
                 /opt/novell/lib/java/jre/lib/security# cp cacerts cacerts.org
     c.)  Run the following command to import the certificate:
                 /opt/novell/lib/java/jre/lib/security# keytool -import -file ./cert-filename.b64 -keystore cacerts
                 password:  changeit
                 Trust this certificate: yes

3.  Restart tomcat
     a.)  For OES - Linux:
           /etc/init.d/novell-tomcat4 stop

            then

           /etc/init.d/novell-tomcat4 start
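The fault described under "cause" is a mismatch between the certificate in the Java keystore and the one the LDAP server now presents. The following script, an added example that is not part of this TID, decodes the Base64 export from step 1, prints its fingerprint for comparison with the output of keytool -list, and checks it against the certificate the LDAP server presents on its LDAPS port; the host name, port and file name are assumptions, and the PEM used for the offline self-check is constructed.

```python
"""Compare an exported LDAP server certificate with the one the server
presents; added example, not part of the Novell TID."""
import base64
import hashlib
import re
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# Constructed stand-in for an iManager Base64 export (not a real certificate);
# it only exercises the decode/fingerprint path for the offline self-check.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Decode a Base64 (PEM) certificate export to its DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated hex digest of the DER bytes, the form keytool -list
    prints (SHA1 on the JRE of this era, SHA256 on current ones)."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def same_certificate(exported_pem: str, presented_pem: str) -> bool:
    """True when the exported file and the wire certificate are byte-identical."""
    return pem_to_der(exported_pem) == pem_to_der(presented_pem)

def fetch_server_pem(host: str, port: int = 636) -> str:
    """Fetch the certificate the LDAP server presents on its LDAPS port.
    No chain validation is done here; we only want the bytes it sends."""
    return ssl.get_server_certificate((host, port))

if __name__ == "__main__":
    # usage: check_ldap_cert.py cert-filename.b64 ldap-host [port]  (names assumed)
    path, host = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 636
    with open(path) as f:
        exported = f.read()
    live = fetch_server_pem(host, port)
    for label, pem in (("exported", exported), ("presented", live)):
        print(f"{label:9s} SHA1 {fingerprint(pem_to_der(pem))}")
    print("MATCH" if same_certificate(exported, live)
          else "MISMATCH: re-export the certificate from the LDAP server object")
```

After the import in step 2, the same fingerprint should appear in `keytool -list -keystore cacerts`; because the keytool command in step 2 gives no -alias, the entry is stored under the default alias mykey, and a later import without a different -alias will be refused because that alias already exists.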

document

Document Title: NMAS LDAP TRANSPORT ERROR trying to create universal password in iManager 2.5
Document ID: 10097936
Solution ID: NOVL102374
Creation Date: 09Jun2005
Modified Date: 28Jun2005
Novell Product Class:Management Products

disclaimer

The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.