Certificate related problems after promoting a secondary admin console to be the new primary admin console server

  • 7023786
  • 21-Mar-2019
  • 21-Mar-2019

Environment

Access Manager 4.4.1
Access Manager 4.4.2
Access Manager 4.4.3
Access Manager 4.4.4

Situation

After promoting a secondary admin console server to be the new primary admin console server, the following was observed:

Both the ambkup script, when run, and authentication when trying to install a new IDP fail with the exception below.

Install log main for a new IDP:
javax.naming.CommunicationException: 192.168.178.87:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.178.87 found]

The ambkup.sh script gives a similar exception:
javax.naming.CommunicationException: 192.168.178.87:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.178.87 found]

When you check the SSL CertificateDNS certificate on the newly promoted primary admin console server, you see that it still reflects the IP address and DNS name of the old primary admin console server, and there is no subject alternative name for the newly promoted primary admin console server. Because the LDAP clients connect to the new server by its IP address, the certificate's subject alternative names are checked against that address and the handshake fails.

When a secondary admin console server is promoted to be the new primary admin console server, some extra steps are needed in addition to the documented procedure described in the section "Converting a Secondary Administration Console into a Primary Console".

Resolution

Reported to engineering

As a workaround, on the new primary admin console server disable CRL checking and recreate the default certificates as described in the following TID:
https://support.microfocus.com/kb/doc.php?id=7022461
 
As a last step, replace the admin console server certificate, since its CRL distribution point still references the old primary admin console server:

  • Access Manager Admin Console Dashboard
  • Security -> Certificates
  • admin-console certificate -> Devices -> Administrator Console keystore
  • Select the certificate and click Replace.
  • Enter the subject name exactly as it is currently, for example O=novell, OU=accessManager, CN=primaryac.
  • Replace the certificate.
  • Restart the admin console service: /etc/init.d/novell-ac restart
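The two certificate properties this TID turns on, a subject alternative name for the address the LDAP clients connect with and a CRL distribution point that no longer names the old primary, can be verified from a shell with openssl before and after the replacement. The functions below are an added example, not part of the TID or of Access Manager; they assume openssl is on the path, that the console is reachable on port 636, and use the address 192.168.178.87 and CN=primaryac from the text as sample values.

```shell
# Added example (not from the TID or the product): inspect the certificate the
# admin console presents on LDAPS port 636 and check its subjectAltName entries
# and CRL distribution point, the two properties this TID depends on.

# Print the leaf certificate served at HOST:PORT as PEM (port defaults to 636).
fetch_server_cert() {
    openssl s_client -connect "$1:${2:-636}" </dev/null 2>/dev/null | openssl x509
}

# Print the subjectAltName entries of PEM file $1, comma separated, no spaces
# (e.g. "IPAddress:192.168.178.87,DNS:primaryac"); empty if the cert has none.
cert_san() {
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Return 0 if PEM file $1 has a SAN entry matching $2, given as an IP address
# or a DNS name. This is the check the Java SSL client performs before it
# raises "No subject alternative names matching IP address ... found".
cert_san_matches() {
    san=$(cert_san "$1")
    case ",$san," in
        *",IPAddress:$2,"*|*",DNS:$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the URIs listed under the CRL Distribution Points extension of PEM
# file $1 (one per line); an old primary console hostname here is the
# condition that makes the TID replace the certificate.
cert_crl_uris() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/CRL Distribution Points/,/^ *X509v3/p' \
        | grep -o 'URI:[^ ]*'
}

# Fetch the certificate from HOST ($1) on 636 and report both properties for
# the address ($2) that the IDP install and ambkup.sh connect with.
check_admin_console() {
    pem=$(mktemp)
    fetch_server_cert "$1" 636 > "$pem"
    if cert_san_matches "$pem" "$2"; then
        echo "SAN matches $2"
    else
        echo "no SAN matches $2: expect SSLHandshakeException from LDAP clients"
    fi
    echo "CRL distribution points:"
    cert_crl_uris "$pem" || echo "(none)"
    rm -f "$pem"
}
```

Run `check_admin_console 192.168.178.87 192.168.178.87` from a host that can reach the new primary; a missing SAN line or a CRL URI naming the old primary is the condition the resolution above addresses.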