Need help with error on ODSEE 22.214.171.124 trying to set up SSL/certs
Hello, I am hoping that somebody has run into this issue, which has become very frustrating to resolve. Prior to the above version I was on 126.96.36.199, which had its own set of bugs/issues/complexity, but I was able to resolve most of them except for the current issue. I decided to upgrade to 188.8.131.52 and was pleasantly surprised not to need CACAO anymore, but unfortunately the following issue still remains.
Env: Windows 2008 R2, ODSEE 184.108.40.206, Tomcat 6
Issue Area: Directory Server Instance --> Security Tab --> General Sub tab: Here I see a warning: "An authentication is required to connect to MyServerName. Click here to enter UserId and Password".
When I click, it prompts me for a Server Id/pwd with Admin privileges, which I provide (including the .\administrator account), but all of them fail with the pop-up error message: "An unexpected exception occurred trying to authenticate to the agent on MyServerName. The error is java.lang.reflect.UndeclaredThrowableException." Clicking OK on the error prompt puts me back on the login prompt.
With 220.127.116.11, I was able to get past the authentication, but I was having issues seeing the CA certs or being able to import my PKCS12 cert combo, which uses a wildcard cert. Hence I thought of upgrading the ODSEE code base.
Everything else seems to be working fine. I have about 3-4 instances each on 2 of these 18.104.22.168 servers and they seem to be replicating and authenticating fine. Even SSL works from the LDAPS clients, but they get SSL warnings because of the default self-signed certs. And hence the need for importing our enterprise certs into the cert repo.
I have tried re-registering Agents, deleting and recreating them with simpler passwords (no special characters), etc., and even creating them and running them under the local server Administrator account. No luck. The entire upgrade process went without a hitch. The ADS (DSCC Registry) instance, Agent and Directory Services all start up fine. No issues.
The slapd error logs or the Tomcat logs do not have relevant information.
If anyone has a working SSL configuration with CA signed certs:
Q: What is the Tomcat version you are running on?
Q: What is the Java version, if it matters? As I understand it, ODSEE 22.214.171.124 includes its own JRE 1.7x. But the Tomcat 6 and JDK version it is running may matter, as it seems to be a DSCC console bug.
If DSCC is asking for a userID/pwd, I think that your server is not registered with the newly created agents. You can check by running dsccreg list-servers --agent and checking the "flags:" column. If the value is v6 or n2, you must register your server again with the new agent:
dsccreg remove-server / dsccreg add-server
From DSCC itself, go to Directory Server instance -> Server Operation -> Main tab. Check value of DSCC agent.
Thank you Frank and Carole for your response. The stated issue/error is resolved. It had to do with the upgrade, which somehow led to multiple certs for the same agent. Anyway, I had to delete ADS and all attached Agents, re-create ADS, re-create all Agents and re-register them with the new ADS. I then manually re-registered the Directory Server instances on both the Primary and Secondary Servers with the new ADS. Voila, the DSCC Web console no longer prompts for server credentials.
But the wildcard cert import issue still remains. I added the issuing CA chain to the ldap instance CA store and I see the certs listed. But when I try to import the P12 cert/key combo, I get an error which says something like: "The certificate is already in the database". But it is not, as verified using certutil.
Yes, internal CA or self-signed certs are fine. If I add the internal CA and Root CA to the cert store on my LDAP clients, then I am fine. No SSL errors. But I want to avoid that, as we do have quite a few clients which would be connecting to the store. Hence I want to use our enterprise wildcard cert. I am not sure if it is an issue importing a wildcard in pkcs12 format.
As mentioned above, I did add the CA chain (which issued the wildcard) to the actual instance, not the ADS. I can try that. But are you sure we need to add the Root CA to the Tomcat ks?
And while we are at it, the self-signed certs generated using the Console are only valid for 2 years. Is it possible to change the term?
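An added example, not code from any poster in this thread or from Oracle, for two things raised above: the "certificate is already in the database" error when importing the wildcard P12 after the issuing chain has already been added to the instance's cert store, and the question about the validity of console-generated self-signed certs. It is a POSIX shell script around the NSS tools the instance's database is managed with (certutil, pk12util) plus openssl. It assumes the instance's NSS database is INSTANCE/alias with the slapd- file prefix, that PINFILE names a file holding only the token password, and that the instance will use a certificate created in that database with certutil; the certutil listing and P12 friendly names at the bottom are constructed sample data, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from this thread or from Oracle. It pre-checks the
# NSS certificate database of an ODSEE instance before importing a PKCS#12
# bundle, so that a "certificate is already in the database" error can be
# traced to the nickname it collides with (a P12 exported together with its
# CA chain will collide with a chain already imported into the same DB), and
# it shows how to create a self-signed certificate with a chosen validity.
#
# Assumptions not stated in the thread: the instance DB is $INSTANCE/alias
# with the "slapd-" file prefix, and $PINFILE names a file holding only the
# token password, which is what certutil -f and pk12util -k read.

# Reduce `certutil -L` output (stdin) to one nickname per line. The listing
# is a two-line header, a blank line, then "NICKNAME   TRUST" rows where TRUST
# is the last whitespace-separated token ("u,u,u", "CT,,", ",,"). Nicknames
# may contain spaces, so the last token is stripped instead of keeping $1.
nss_nicknames() {
    awk '
        !body { if (seen && $0 ~ /^[[:space:]]*$/) body = 1; else if ($0 !~ /^[[:space:]]*$/) seen = 1; next }
        /^[[:space:]]*$/ { next }
        { sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, ""); print }
    '
}

# friendlyName of every bag in a PKCS#12 file: these are the nicknames that
# pk12util -i will try to create, one per certificate in the bundle.
p12_friendly_names() {
    openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$2" 2>/dev/null |
        sed -n 's/^[[:space:]]*friendlyName: //p' | sort -u
}

# Print each name from the P12 name list (arg 2, text) that already exists
# in the certutil listing (arg 1, text).
collisions() {
    db=$(printf '%s\n' "$1" | nss_nicknames)
    printf '%s\n' "$2" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        if printf '%s\n' "$db" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Live check. Usage: precheck_import /path/to/instance wildcard.p12 'p12pw'
precheck_import() {
    db="$1/alias"; p12="$2"; pw="$3"
    listing=$(certutil -L -d "$db" -P slapd-)
    names=$(p12_friendly_names "$p12" "$pw")
    dup=$(collisions "$listing" "$names")
    if [ -n "$dup" ]; then
        echo "already present in $db; rebuild the P12 with the leaf only:"
        echo "$dup"
        # openssl pkcs12 -in "$p12" -nocerts -nodes -out key.pem
        # openssl pkcs12 -in "$p12" -clcerts -nokeys -out cert.pem
        # openssl pkcs12 -export -inkey key.pem -in cert.pem -name '*.example.com' -out leaf.p12
        return 1
    fi
    echo "no nickname collisions; import with:"
    printf '  pk12util -i %s -d %s -P slapd- -k "$PINFILE" -W <p12-password>\n' "$p12" "$db"
}

# Self-signed server cert valid for a chosen number of months (-v) rather than
# the console default; -8 puts the DNS names into a SAN extension.
# Usage: make_selfsigned /path/to/instance wild-self "CN=*.example.com" "*.example.com" 60
make_selfsigned() {
    noise=$(mktemp); head -c 256 /dev/urandom > "$noise"
    certutil -S -d "$1/alias" -P slapd- -f "$PINFILE" -z "$noise" \
        -n "$2" -s "$3" -8 "$4" -x -t "u,u,u" -k rsa -g 2048 -v "$5"
    rm -f "$noise"
}

# Constructed sample data for an offline self-check (not captured from a real
# instance): a DB that already holds the issuing chain, and a wildcard P12
# whose bags also carry that chain.
SAMPLE_DB_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

defaultCert                                                  u,u,u
Corp Issuing CA                                              CT,,
Corp Root CA                                                 CT,,'

SAMPLE_P12_NAMES='*.example.com
Corp Issuing CA
Corp Root CA'

# collisions "$SAMPLE_DB_LISTING" "$SAMPLE_P12_NAMES" prints the two CA names;
# the wildcard leaf itself is not in the DB and is not reported.
```

Run precheck_import against the real instance before pk12util -i: a P12 exported with its chain lists the CA friendly names next to the leaf, and those are the entries that collide with a chain already imported into the same database, which a certutil -L check for the leaf's own nickname alone will not show. For the validity question, certutil's -v is in months, so 60 gives five years instead of the two the console produces.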