32.3.33 Unsafe Server Certificate Change in SSL/TLS Renegotiations Is Not Allowed

After upgrading Access Manager from a version earlier than 4.0 Service Pack 1, if Identity Server is configured to point to the load balancer virtual IP address rather than to the real IP addresses of the LDAP replica servers, Identity Server's requests to the LDAP server replicas fail.

Identity Server health changes from green to yellow and displays the following warning:

Ensure that the following replicas are operating correctly XXXX

When you validate the LDAP server replica, the following message is displayed:

Server certificate change is restricted during renegotiation

This happens because Access Manager 4.0 Service Pack 1 and later ship with JDK 7u71 or later, and from JDK 7u71 onwards an unsafe server certificate change during SSL/TLS renegotiation is rejected by default. If the server certificate presented when a connection renegotiates is not the same certificate that was presented in the initial handshake, the JDK aborts the handshake with the message above instead of silently accepting the new identity. With the virtual IP address configured, the replicas behind the load balancer each present their own server certificate, so the certificate Identity Server sees on a renegotiated connection may not match the one from the initial handshake and the check fails.

To work around this issue, perform one of the following actions:

  • Add the following line to the /opt/novell/nam/idp/conf/tomcat.conf file and restart Identity Server so that the JVM picks up the option:

    JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.allowUnsafeServerCertChange=true"

    This setting is JVM-wide: it disables the renegotiation certificate check for every TLS client connection the Identity Server JVM makes, not only the LDAP connections, and restores the pre-7u71 behaviour in which a peer could present a different certificate mid-connection without the client noticing. Treat it as a temporary measure and prefer one of the other two options where possible.

  • Instead of specifying the load balancer virtual IP address as the LDAP replica server, configure Identity Server to refer to each LDAP server directly rather than through the load balancer. Identity Server then maintains all communication, state, and connection information with each LDAP server directly, and the certificate it sees on renegotiation is the one that same server presented initially.

  • Create a wildcard certificate and assign this single server certificate to all the LDAP servers in the replica ring. Because every replica then presents the identical certificate, the certificate seen during renegotiation matches the original one and the JDK check passes. Note that this means the same private key is installed on every replica, so a compromise of any one server exposes the key used by all of them.
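Before choosing between the options above it helps to know whether the replicas behind the virtual IP address actually present different certificates. The following shell script is an added example for that check; it is not part of the Access Manager documentation or product. It assumes the openssl CLI is available on the Identity Server host, that the replicas listen for LDAPS on port 636, and that the host names passed on the command line are placeholders for your own replica addresses. The `same_certificate` function compares "host fingerprint" lines, so it can also be run offline on fingerprints collected elsewhere.

```shell
#!/bin/sh
# Added example, not from the Access Manager documentation. It checks whether
# the LDAP replicas behind a load balancer present one and the same server
# certificate, which is what the JDK renegotiation check needs when Identity
# Server talks to the virtual IP address. Host names are placeholders.

# Print the SHA-256 fingerprint of the leaf certificate a host presents on
# its LDAPS port (636 by default). Needs the openssl CLI and network access.
cert_fingerprint() {
    host="$1"
    port="${2:-636}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*Fingerprint=//'
}

# Read "host fingerprint" lines from stdin, report how many distinct
# certificates were seen, list every host when they differ, and return 0
# only if all hosts presented the same certificate (1 otherwise, including
# the case of empty input).
same_certificate() {
    awk '
        NF >= 2 { fp[$1] = $2; seen[$2] = 1; hosts++ }
        END {
            n = 0
            for (k in seen) n++
            printf "%d distinct certificate(s) across %d host(s)\n", n, hosts
            if (n != 1) for (h in fp) print "  " h " " fp[h]
            if (n == 1) exit 0
            exit 1
        }'
}

# Fetch and compare the certificates of the replicas named on the command
# line. An unreachable host gets a per-host marker instead of a fingerprint,
# so it always counts as a distinct entry and the check fails loudly.
check_replicas() {
    for host in "$@"; do
        fp=$(cert_fingerprint "$host")
        printf '%s %s\n' "$host" "${fp:-UNREACHABLE:$host}"
    done | same_certificate
}

# Usage: sh check_replicas.sh ldap1.example.com ldap2.example.com ldap3.example.com
[ "$#" -eq 0 ] || check_replicas "$@"
```

A result of one distinct certificate across all replicas means the third option (one certificate shared by the replica ring) is already in place and the renegotiation check cannot trip; more than one means Identity Server will see a certificate change whenever a renegotiated connection reaches a replica other than the one it first handshook with, and you need one of the three workarounds.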