D.6 Troubleshooting Certificate Server Installation

File Data Conflict During Installation

If you receive a message indicating that a newer file exists from the previous installation, you should select to always overwrite the newer file.

Incomplete List of Servers

The list of servers shown during the installation might not list servers that are configured to use only IP. You can install NetIQ Certificate Server on a server whose name is not listed by typing the name of the server in the text box.

Failures During Installation

If the installation fails during the creation of the Organizational CA or the server certificate, or during the exportation of the trusted root certificate, the installation doesn't need to be repeated. The software has been successfully installed at this point. You can use iManager to create an Organizational CA and server certificates and export the trusted root.

PKI Plug-In Encounters Error When Installed on iManager 2.7.6 Patch1 and Lower Versions

To work around this issue, create a libntls.so.8 symbolic link pointing to libntls.so as follows:

ln -sf /var/opt/novell/iManager/nps/WEB-INF/bin/linux/libntls.so

IP Auto Generated Certificate Is Not Created on SLES 11 64-Bit Platform

Consider a scenario where eDirectory 9.0 has both IPv4 and IPv6 configured and only one of the them (for example, IPv4) has an entry in the /etc/hosts file, and the other interface is accessible from a remote machine. If you configure eDirectory to listen on both the IPs, the IP AG certificate is generated only for the IP that is listed in the /etc/hosts file. In this example, it is generated for IPv4.

IP Auto Generated IPv6 Certificate is Not Created When the Length of the Certificate Object RDN Exceeds the Maximum Limit

While installing eDirectory 9.0, which is listening on both IP v4 and IPv6 addresses, IP AG <IPv6> certificate (KMO) is not created.

This occurs when the length of the RDN of the certificate object exceeds the maximum limit of 64 characters. To handle this, a compressed format of IPv6 address is used so that even if the length exceeds the maximum limit, the address is split to accommodate the request. The address is split from the third colon (from the reverse order) in the address.

For example, if the IPv6 address is 2508:f0g0:1003:0061:0000:0000:0000:0002, then the truncated address is 0000:0000:0002. This ensures that the host is identifiable even after the address is truncated.

HTTP Server Associates With the IP AG Certificate When the Default Server Certificates are Recreated for a Server where CA is not Hosted

Use iManager to manually change the default association.

Log in to iManager > Modify > Select the http server object > Select the httpKeyMaterialObject attribute, then change the HTTP server object association to SSL CertificateDNS.