Third party SSL Certificate with Virtual Office

Recently upgraded Netware 6.5 SP2 to OES with SP3. Got Virtual Office up and running without a problem using a self-signed certificate. Configured apache to use a third-party signed certificate in NDS and all started up again without a problem. However, NetStorage and the eGuide Quick Start gadget both report errors in VO:

NetStorage getData:IOException
URL = https://<servername>:443/oneNet/xtier-login

Error: Authentication failed: improper configuration. Please contact your adminstrator.

From reading through the Novell forums, I think I need to import the certificate into the Tomcat4 keystore but I am struggling with the 'keytool.nlm' syntax. Can anyone help with this, if indeed you think this is the root of the problem? Apart from that, VO is spot-on, just what we need so I'm dying to get it finished and rolled-out.

I think you mean "keytool.exe?"

Have you checked out this TID?:

I know it's written for NW6SP3, but the keytool.exe syntax should still be good.

So you've created a KMO in eDirectory for your trusted certificate, and that's what you're using in Apache.conf instead of the default?  

I see you noted "URL = https://<servername>:443/oneNet/xtier-login."  Isn't it redundant putting the 443 port along with an https URL? Usually, "https://" implies port 443...  Just a thought...

seizuresAuthor Commented:
There is an NLM version of keytool which I'd tried with the syntax of that TID but that complained about a 'wrong type of object' at the console. Just tried the windows executable and that imported the cert successfully - restarted the server but I still get the same errors for both components.

I actually had VO working with this certificate prior to the upgrade to OES, but had to kill VO and re-install at some point, so I know the KMO is good. I have only modified the securelisten line in Apache's httpd.conf to use the name of the new KMO instead of the default "SSL CertificateDNS".

The NetStorage URL that specifies the port number as well as https is what VO is showing in the error line. Tried it directly in the browser and it appears to just drop the port. I know what you mean though...

Don't both of those products leverage LDAP?  Just wondering if you have that certificate specified for the associated LDAP server(s)/group(s)?

seizuresAuthor Commented:
Tried assigning the same certificate used for apache to the LDAP server but it won't now come up. Console reports:
tccheck: Tomcat found problems with your security certificate.
Please re-export sys:/Public/RootCert.der and then execute sys:/system/tckeygen.ncf

followed by:
LDAP connectivity not found on ldap://localhost:636
Please load NLDAP and then manually execute command: sys:/tomcat/4/bin/startup -config sys:/adminsrv/conf/admin_tomcat.xml
If your server host certificates have change recently, executing sys:/system/tckeygen.ncf may be needed to restore secure LDAP

Running tckeygen.ncf reports:
Exporting the Host certificate from:<external hostname>
Trying to import Certificate 0 subjectDN=CN=<external hostname>, ...
Error importing certificate to keystore: sys:\adminsrv\conf\.keystore

Maybe you need to delete and re-create the KMO for the 3rd party certificate?
Have you verified the cert?  Have you tried pkidiag? (make sure you get the latest one...)
seizuresAuthor Commented:
pkidiag (latest appears to be the one in SP3) reports no errors at all. The KMO is happily being used for access to Groupwise webaccess on the same box. Both the Trusted Root and Public Key certificates are unexpired and validate successfully in ConsoleOne.
"... but it won't now come up."

LDAP won't come up, or Apache won't?  Did you bounce NLDAP.NLM after changing the LDAP server's associated cert?

I think, once you get the secure LDAP issue squared away, you then should be able to use TCKEYGEN to import the cert to the tomcat keystore, and that should make it all work (in theory.)  From what I understand, all of the pieces - Apache, Tomcat, LDAP - have to be using a common SSL cert in order to make NetStorage happy - unless I'm reading it wrong.  I'm assuming that, since eGuide relies heavily on LDAP, that will magically work as well.
Tomcat keeps its own certificate database; well, actually it's using Java's (hence the keytool thing).
java -classpath sys:/adminsrv/lib/tcnwutils.jar;sys:/adminsrv/lib/ecbldap.jar;sys:/adminsrv/lib/ecbsecurity.jar;sys:/adminsrv/lib/jdom.jar;sys:/adminsrv/lib/ecb.jar com.novell.application.tomcat.util.EDirectoryIntegrator -keystoreWork=true -keystore=sys:\adminsrv\conf\.keystore -keystorealias=mykey -keystorePass=apache -servername=localhost -secure=true
So the application is com.novell.application.tomcat.util.EDirectoryIntegrator.  This'll pull the eDirectory certificate out of LDAPS & add it to the keystore.
There's also tcedirint.ncf which sets Tomcat to use its JNDIRealm for security and authorisation.  It, too, will import the certificate to Tomcat.
Additional sources of information on your server:
https://<server fqdn or Ip address>/tomcat/htmlmanager/html/list is the Tomcat Manager
https://<server fqdn or Ip address>/tomcat/admin/index.jsp is the Tomcat Server Administration
https://<server fqdn or Ip address>/tomcat-docs/index.html is the Tomcat Server Documentation

Good luck
seizuresAuthor Commented:
Thanks for the input. Tried the command line and the ncf file and both report:

Exporting the Host certificate from:localhost
Trying to import Certificate 0 subjectDN...
Trying to import Certificate 1 subjectDN...
Trying to import Certificate 2 subjectDN...
java: Class com.novell.application.tomcat.util.EDirectoryIntegrator exited successfully

The correct certificates are specified but once the server has been bounced, Apache complains that LDAP isn't available. If I configure LDAP and Apache to use the self-signed certificate, everything including NetStorage and eGuide work without problems.
Let me know if I have this straight.  You get the 3rd party cert imported OK to Java via Tomcat, you have Apache using the 3rd party cert, and LDAP using the 3rd party cert, NLDAP is up and functioning using the 3rd party cert (tested with an LDAP client using SSL and the 3rd party cert?) but when the server gets downed/restarted Apache claims LDAP isn't available?  Have you verified that LDAP is available using secure LDAP and the 3rd party cert at that point?

It kinda sounds like Apache isn't accessing LDAP using secure LDAP with the 3rd party cert, to me.  Can you load Apache manually after the server is up?  In other words, have you verified it isn't a load-order issue?  Does use of the 3rd party cert require access to the trusted server to work? If so, could it be that communications back to the trusted server haven't been established yet at the time LDAP and Apache are being loaded in autoexec?
seizuresAuthor Commented:
Ok. No errors on the import so I'm assuming Java accepted the cert. Apache is using the cert. The cert is assigned to LDAP which does load but only responds on the default non-secure port (tested with LDAP client). Apache reports:

   >00:34:28 00:34:28 Configured LDAP was found ready to use.
   >00:34:28 00:34:28 NIF CertHandler: Root certificate file for master ldap not found, requesting a new one from server.
   >00:34:28 00:34:28 NIF CertHandler: # Root Certs=1.
   >00:34:28 00:34:28 NIF CertHandler: Retrieved certificate of size=1325.
   >00:34:28 00:34:28 *MASTER[<FDQN>][-1] ldap_simple_bind : Can't contact LDAP server(81)
   >00:34:28 00:34:28 ldap *MASTER[<FQDN>] down
   >00:34:28 00:34:28 LDAP initialization failed. Check LDAP and restart apache.

Traced LDAP activity on apache load which reports:

New TLS connection 0x55b05c40 from <serverIP>:1202, monitor = 0x229, index = 4
Monitor 0x229 initiating TLS handshake on connection 0x55b05c40
DoTLSHandshake on connection 0x55b05c40
TLS accept failure 1 on connection 0x55b05c40, setting err = -5875. Error stack:
        error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
TLS handshake failed on connection 0x55b05c40, err = -5875
Server closing connection 0x55b05c40, socket error = -5875
Connection 0x55b05c40 closed

Now this cert was working with VO/NetStorage/eGuide immediately prior to the OES upgrade and it hasn't expired. Just had a thought, I think this is a chained-root cert so I'm wondering if I'm missing an intermediate cert somewhere in the loop...will check my notes...
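The last comment suspects that a chained-root certificate is missing its intermediate in the Tomcat keystore, which is one way to end up with the "bad certificate" alert 42 seen in the LDAP trace. As an added example (not code from this thread, from Novell or from Tomcat), the Java program below opens a JKS keystore given as path and password arguments and reports, for every entry, where its certificate chain stops and whether it reaches a self-signed root.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
// Added example, not code from the thread: walks every entry of a Java keystore (what
// keytool and Tomcat use) and checks that each certificate chain reaches a self-signed root.
public class KeystoreChainCheck {
    // True if each cert is issued and signed by the next one and the last is self-signed; prints where it breaks.
    static boolean chainIsComplete(X509Certificate[] chain) {
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            System.out.println("  [" + i + "] subject=" + cert.getSubjectX500Principal()
                    + " issuer=" + cert.getIssuerX500Principal());
            boolean selfSigned = cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
            if (i + 1 == chain.length) {
                if (!selfSigned) System.out.println("  -> chain stops here; issuer '" + cert.getIssuerX500Principal()
                        + "' is not in the keystore: import the intermediate/root CA certificate");
                return selfSigned;
            }
            X509Certificate next = chain[i + 1];
            if (!cert.getIssuerX500Principal().equals(next.getSubjectX500Principal())) {
                System.out.println("  -> [" + i + "] is not issued by [" + (i + 1) + "]: out of order or an intermediate is missing");
                return false;
            }
            try {
                cert.verify(next.getPublicKey()); // was it really signed with the next cert's key?
            } catch (Exception e) {
                System.out.println("  -> signature on [" + i + "] does not verify against [" + (i + 1) + "]: " + e);
                return false;
            }
        }
        return false; // empty chain
    }
    public static void main(String[] args) throws Exception {
        // args: <keystore path> <password>, e.g. sys:\adminsrv\conf\.keystore and apache from the thread
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(args[0]), args[1].toCharArray());
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] certs = ks.isKeyEntry(alias) ? ks.getCertificateChain(alias)
                    : new Certificate[] { ks.getCertificate(alias) };
            X509Certificate[] chain = Arrays.copyOf(certs, certs.length, X509Certificate[].class);
            System.out.println("alias '" + alias + "' (" + (ks.isKeyEntry(alias) ? "key" : "trusted cert") + " entry):");
            System.out.println(chainIsComplete(chain) ? "  OK: chain is complete" : "  INCOMPLETE chain");
        }
    }
}
```

A trusted-cert entry that was imported with keytool holds only the one certificate, so an end-entity cert from a chained root will show up as INCOMPLETE until its intermediate and root are imported as separate trusted entries.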