3 Replies Latest reply on Jan 3, 2014 9:05 PM by Jigs

    Need help with error on ODSEE Security Tab - exception occurred when trying to authenticate to the agent


      Need help with error on ODSEE trying to setup SSL/Certs



      Hello, I am hoping that somebody has run into this issue, which is becoming very frustrating to resolve. Prior to the above version I was on , which had its own set of bugs/issues/complexity, but I was able to resolve most except for the current issue. Decided to upgrade to and was pleasantly surprised not needing CACAO anymore, but unfortunately the following issue still remains.



      Env: Windows 2008 R2, ODSEE, Tomcat 6



      Issue Area: Directory Server Instance --> Security Tab --> General Sub tab: Here I see a Warning: "An authentication is required to connect to MyServerName. Click here to enter UserId and Password".



      When I click, it prompts me for a Server Id/pwd with Admin privileges, which I provide (including the .\administrator account), but all of them fail with the pop-up error message: "An unexpected exception occurred trying to authenticate to the agent on MyServerName. The error is java.lang.reflect.UndeclaredThrowableException." Clicking Ok on the error prompt puts me back on the login prompt.



      With , I was able to get past the authentication, but I was having issues seeing the CA certs or being able to import my PKCS12 cert combo, which uses a wildcard cert. Hence I thought of upgrading the ODSEE code base.



      Everything else seems to be working fine. I have about 3-4 instances each on 2 of these servers, and they seem to be replicating and authenticating fine. Even SSL works from the LDAPS clients, but I get SSL warnings because of the default self-signed certs. And hence the need for importing our enterprise certs into the cert repo.



      I have tried re-registering Agents, deleting and recreating them with simpler passwords (no special characters), etc., and even creating them and running them using the local server Administrator account. No luck. The entire upgrade process went w/o a hitch. The ADS (DSCC Registry) instance, Agent and Directory Services all start up fine. No issues.



      The slapd error logs or the Tomcat logs do not have relevant information.


      If anyone has a working SSL configuration with CA signed certs:


      Q: What is the Tomcat version you are running on?


      Q: What is the Java version, if it matters? As I understand, ODSEE includes its own JRE 1.7x. But the Tomcat 6 and JDK version it is running may matter, as it seems it is a DSCC console bug.



      Thank you.



        • 1. Re: Need help with error on ODSEE Security Tab - exception occurred when trying to authenticate to the agent

          I am using an internal CA for certs, and using SSL. Did you add your CA's root cert to the LDAP ads instance for the DSCC? And did you add it to the keystore of Tomcat?

          • 2. Re: Need help with error on ODSEE Security Tab - exception occurred when trying to authenticate to the agent



            If DSCC is asking for a userID/pwd, I think that your server is not registered with the newly created agents. You can check by running dsccreg list-servers --agent and checking the "flags" column. If the value is v6 or n2, you must register your server again with the new agent:

               dsccreg remove-server / dsccreg add-server


            From DSCC itself, go to Directory Server instance -> Server Operation -> Main tab. Check value of DSCC agent.

            • 3. Re: Need help with error on ODSEE Security Tab - exception occurred when trying to authenticate to the agent

              Thank you Frank and Carole for your response. The stated issue/error is resolved. It had to do with the upgrade somehow, which led to multiple certs for the same agent. Anyway, I had to delete ADS and all attached Agents, re-create ADS, re-create all Agents and re-register with the new ADS. I then manually re-registered the Directory Server instances on both the Primary and Secondary Servers with the new ADS. Voila, the DSCC Web console no longer prompts for server credentials.

              But the wildcard cert import issue still remains. I added the issuing CA chain to the ldap instance CA store and I see the certs listed. But when I try to import the P12 cert/key combo, I get an error which says something like: "The certificate is already in the database". But it is not, verified using certutil.


              Yes, internal CA or self-signed certs are fine. If I add the internal CA and Root CA to the cert store on my LDAP clients, then I am fine. No SSL errors. But I want to avoid doing so, as we do have quite a few clients which would be connecting to the store. Hence I want to use our enterprise wildcard cert. I am not sure if it is an issue importing a wildcard cert in pkcs12 format.


              As mentioned above, I did add the CA chain (which issued the wildcard) to the actual instance, not the ADS. I can try that. But are you sure we need to add the Root CA to the Tomcat ks?


              And while we are at it, the self-signed certs generated using the Console are only valid for 2 years. Is it possible to change the term?


              Thanks again.