New Access Manager Console with a restored backup reports NICI error -1418 while creating default certificates

  • 7024301
  • 29-Nov-2019
  • 02-Dec-2019

Environment

  • Access Manager 4.5
  • Access Manager 4.5.1

Situation

  • freshly installed Primary Access Manager Console server on Linux
  • the backup was restored without any error message using the "/opt/opt(devman/bin/amrestore.sh" script
  • the restored Access Manager Console is up and running without any further problems
  • using either "ndsconfig upgrade -j" or the iManager Certificate Server snap-in to recreate the default certificates ends with a "-1418" error while trying to create EC certificates

Resolution

  • This issue has been reported to engineering

  • Use iManager to access your CA


  • review the Certificate Server object name (usually Treename CA) and take a note of it

  • export your "Self Signed Certificate RSA" using iManager into a PKCS#12 file
  • rename the exported "cert.pfx" to "cacert-rsa.pfx"
  • delete the CA object
  • create a new CA using default settings and the CA object name used before
  • export only the new "Self Signed Certificate ECDSA" using iManager into a PKCS#12 file
  • rename the exported "cert.pfx" to "cacert-ecdsa.pfx"
  • delete the newly created Certificate Authority object again
  • create a new CA again, this time using the import feature, and select the exported PKCS#12 files to restore the RSA and ECC CA

  • re-assign the Certificate Revocation List container objects for the RSA / ECDSA CA. Use the iManager Directory Administration => Modify Object task as below



  • use the "Other" tab to open configured attributes on the CA object


  • make sure the following attributes are configured
    • "ndspkiCRLContainerDN" = "CRL Container.Security"
    • "ndspkiCRLECConfigurationDNList" = "One - Configuration EC.CRL Container.Security"
    • "ndspkiCRLConfigurationDNList" = "One - Configuration.CRL Container.Security"

  • Review the CA CRL configuration. The result of the above steps should look like this




  • Note: The default Certificate Revocation List entries reference the IP address of the primary AC. This creates a single point of failure. Another issue is that using the IP address instead of a DNS host name requires that this IP address always remains available. Using CRLs with NAM as an internal CA service should not be required: each and every certificate validation by any service would have to download and validate the CRL, and if the CRL is not reachable all services will fail to validate a certificate issued by the internal CA. We strongly recommend deleting the CRL entries, i.e. disabling the use of CRLs.



  • The result is a new CA object which still uses the original RSA CA and, in addition, the newly created ECDSA CA, allowing you to create all default certificates
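
A check to run on the two exported PKCS#12 files before the CA object is deleted, added here as an example and not part of the original article: it confirms which key algorithm each export holds (RSA for cacert-rsa.pfx, EC for cacert-ecdsa.pfx) and flags CRL distribution points that reference an IP literal, the single point of failure the note above describes. It assumes the openssl command-line tool is available and that the export password is supplied in the PFX_PASS environment variable.

```shell
#!/bin/sh
# Added example, not part of the TID: sanity-check the PKCS#12 CA exports
# before the CA object is deleted and re-imported. Assumes the openssl CLI
# is installed; file names follow the steps above (cacert-rsa.pfx, cacert-ecdsa.pfx).

# Print the public key algorithm of the first certificate in a PKCS#12 file:
# "rsaEncryption" for the RSA CA, "id-ecPublicKey" for the ECDSA CA.
# Usage: pfx_key_alg FILE PASSWORD
pfx_key_alg() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
      | openssl x509 -noout -text 2>/dev/null \
      | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Print every CRL distribution point URI of the first certificate in a PKCS#12
# file whose host is a bare IPv4 literal. Prints nothing when all CRL URIs
# use a DNS name. Usage: pfx_crl_ip_uris FILE PASSWORD
pfx_crl_ip_uris() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
      | openssl x509 -noout -text 2>/dev/null \
      | sed -n 's/^ *URI://p' \
      | grep -E '^[a-z]+://[0-9]{1,3}(\.[0-9]{1,3}){3}(:|/|$)' || true
}

# Verify that FILE holds a CA with the expected key algorithm; returns 0 when
# it does, 1 otherwise, and warns about IP-based CRL distribution points.
# Usage: check_pfx FILE PASSWORD EXPECTED_ALG
check_pfx() {
    alg=$(pfx_key_alg "$1" "$2")
    if [ "$alg" != "$3" ]; then
        echo "$1: expected $3, found '${alg:-no certificate}'" >&2
        return 1
    fi
    echo "$1: $alg OK"
    ips=$(pfx_crl_ip_uris "$1" "$2")
    [ -n "$ips" ] && echo "$1: WARNING, CRL distribution point uses an IP literal: $ips" >&2
    return 0
}

# Typical use after the export steps; the password is read from PFX_PASS.
if [ -f cacert-rsa.pfx ] && [ -f cacert-ecdsa.pfx ]; then
    check_pfx cacert-rsa.pfx "${PFX_PASS:?set PFX_PASS}" rsaEncryption
    check_pfx cacert-ecdsa.pfx "${PFX_PASS:?set PFX_PASS}" id-ecPublicKey
fi
```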

Cause

  • The "ambkup.sh" / "amrestore.sh" scripts do not cover the ECDSA Certificate Authority.
    This issue has been reported to engineering

  • restoring a backup on a freshly installed Access Manager Console restores the RSA Certificate Authority but leaves the ECDSA Certificate Authority from the initial installation untouched.

  • The machine-unique key (nicisdi.key) allows access to the private keys owned by the host server. The restore script restores this key, with the result that the Admin Console server can access the private key of the RSA CA but not that of the ECDSA CA, which returns the NICI -1418 error

  • deleting only the ECDSA CA (leaving the RSA CA untouched) in order to re-create it is not possible with the current version of the iManager Certificate Server plugin.

Additional Information

  • PKCS#12
    • envelope which includes the public / private key, protected by a password
    • exporting the CA to a PKCS#12 file creates a backup of that CA

  • CA = Certificate Authority
    • creating X.509 certificates (server / user) with RSA and ECDSA keys requires separate CAs

  • ECC = Elliptic Curve Cryptography
    • asymmetric public / private keys, as used by ECDSA
    • The "Self Signed Certificate ECDSA" is an Elliptic Curve CA

  • AC = Access Manager Console

  • Note:
    With NAM 4.4.x, 4.5 and 4.5.1, ECDSA certificates currently do not work and cannot be used with any kind of service such as OAuth, SAML or Liberty.