Layer7 Access Management


Newly built12.7 policy-server/wamui, couldn't not contact user directory

  • 1.  Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 11:27 AM

    Hi,

    We have built new policy-server 12.7. This policy-server is imported with 12.0 policy-store data. Admin-ui is installed on a separate server and registered with this policy-server where the old store data can be seen.

     

    However when I click on "View user directory", I see Error: [general]: couldn't contact user directory.

    Is there any setting in the registry or any configuration setting I am missing that needs to be done ? Please suggest.

     

    Thanks.



  • 2.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 11:34 AM

    Hi Psoni2,

     

    Edit the user directory and re-enter the administrator credentials and see how it works.

     

    Thanks,

    Shankar



  • 3.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 11:35 AM

    Hi,

     

    Were you able to connect to the User Directory externally ( like Jxplorer) ?

     

    Regards,

    Leo Joseph.



  • 4.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 11:37 AM

    The reason is you have specified a different ENCRYPTION KEY in R12.7. As Shankar mentioned, retype the password and the password will be stored in the policy store (encrypted using the R12.7 ENCRYPTION KEY).



  • 5.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 11:55 AM

    I am seeing this error in the smps.log:

    [1952/140681116907264][Wed Jan 10 2018 11:28:49][SmDsLdapConnMgr.cpp:729][ERROR][sm-Ldap-01320] (SmDsLdapConnMgr(Bind): SSL client init failed in LDAP Initialization). Server svsw0005.statestr.com : 2636, Cert DB:
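
    The log line above has a fixed layout ([pid/tid][timestamp][source:line][LEVEL][code] (message) followed by a "Server host : port, Cert DB:" trailer). The following parser, added here as an example and not code from the thread or from CA, pulls those fields out of smps.log so the SSL bind failures and the (possibly empty) certificate database path can be spotted across a whole log rather than by eye. The sample log text, its hostname and pid are constructed; the format assumed is only what the posted line shows.

```python
import re
from dataclasses import dataclass

# smps.log layout as seen in the thread: [pid/tid][timestamp][src:line][LEVEL][code] (message) trailer
SMPS_LINE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]"
    r"\[(?P<level>[A-Z]+)\]\[(?P<code>[^\]]+)\]\s*\((?P<msg>.*)\)(?P<rest>.*)$"
)
# Trailer on LDAP bind errors: "Server <host> : <port>, Cert DB: <path or nothing>"
SERVER_RE = re.compile(r"Server\s+(?P<host>\S+)\s*:\s*(?P<port>\d+)")
CERTDB_RE = re.compile(r"Cert DB:\s*(?P<certdb>\S*)")

@dataclass
class LdapSslFailure:
    timestamp: str
    code: str
    host: str
    port: int
    cert_db: str  # "" when the Policy Server logged no certificate database path at all

def parse_ldap_ssl_failures(log_text):
    """Return every ERROR line reporting an LDAP SSL client init failure."""
    found = []
    for line in log_text.splitlines():
        m = SMPS_LINE.match(line)
        if not m or m["level"] != "ERROR" or "SSL client init failed" not in m["msg"]:
            continue
        srv, cdb = SERVER_RE.search(m["rest"]), CERTDB_RE.search(m["rest"])
        found.append(LdapSslFailure(
            timestamp=m["ts"], code=m["code"],
            host=srv["host"] if srv else "", port=int(srv["port"]) if srv else 0,
            cert_db=cdb["certdb"] if cdb else ""))
    return found

def diagnose(f):
    """Map a failure to the check the thread converged on: is a cert8.db configured and populated?"""
    if not f.cert_db:
        return (f"{f.host}:{f.port}: no certificate database configured; point the Policy Server "
                "(SmConsole) at a cert8.db that contains the LDAP server's CA chain")
    return f"{f.host}:{f.port}: verify {f.cert_db} with 'certutil -L -d {f.cert_db}'"

# Constructed sample in the thread's smps.log format (host, pid and the INFO line are made up)
SAMPLE_SMPS_LOG = """\
[1952/140681116907264][Wed Jan 10 2018 11:28:40][SmServer.cpp:100][INFO][sm-Server-00000] (constructed info line)
[1952/140681116907264][Wed Jan 10 2018 11:28:49][SmDsLdapConnMgr.cpp:729][ERROR][sm-Ldap-01320] (SmDsLdapConnMgr(Bind): SSL client init failed in LDAP Initialization). Server ldap.example.com : 2636, Cert DB:
[1952/140681116907264][Wed Jan 10 2018 11:30:02][SmDsLdapConnMgr.cpp:729][ERROR][sm-Ldap-01320] (SmDsLdapConnMgr(Bind): SSL client init failed in LDAP Initialization). Server ldap.example.com : 2636, Cert DB: /opt/CA/siteminder/certdb
"""
```

    Running `[diagnose(f) for f in parse_ldap_ssl_failures(SAMPLE_SMPS_LOG)]` yields one hint per failure; the first sample line has an empty Cert DB field, which is exactly the situation the replies below point at.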



  • 6.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory



  • 7.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 04:26 PM

    Hi Dennis,

    I was using the wrong options to convert into cert8.db. Now, using the command below, it converted into cert8.db.
    certutil -N -d certificate_database_directory

     

    I configured smconsole to use this file. Using admin-ui, I am able to see the directories now.

    I am trying to figure out creating administrators now.

    In the FSS UI, in the old 12.0 store, there are a bunch of administrators. These administrators don't show up in the new admin-ui. XPSImport should have taken care of it, or, since they are admins, they don't get created?

    These admins were created using the "external Directory" option in the FSS UI by giving the user directory and authentication scheme option.

    What is the equivalent way of doing this in the admin UI? Should I use the "create legacy administrator" option? I used that option and created the administrator. I can find this user in the dir. Once this user is created, I wanted to use this admin user to log in to admin-ui. No luck doing so. I am using the siteminder account so far to log in to admin-ui.

    How should I create administrators in the admin UI so I can use them to log in to the admin UI instead of using the siteminder account?



  • 8.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 04:28 PM

    Please open a new thread for the new question.



  • 9.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 04:35 PM

    I believe using the "certutil -N -d certificate_database_directory" command just created the certdb, and you added the LDAP SSL certs explicitly to it using the "certutil -A" switch?



  • 10.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 04:43 PM

    Hi Ujwol,

     

    No, I didn't add the LDAP SSL certs explicitly using certutil -A. I took the cert7.db file from the existing 12.0 server and just converted it using the command

    certutil -N -d certificate_database_directory

     

    Is there any way I could verify if cert8.db file generated is correct?

    Are there any more steps to it that I didn't do?

     

    Thanks.



  • 11.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 04:48 PM

    Doesn't look right. The "-N" switch just creates a cert8 db. It won't add your LDAP certs automatically into it.

    To verify the certs present in the certdb you can run :

     

    certutil -L -d certificate_database_directory

     

    • -L
      Lists all of the certificates in the certificate database.
    • -d certificate_database_directory
      Specifies the path to the directory that contains the certificate database.

     

    Configure an LDAP User Directory Connection over SSL - CA Single Sign-On - 12.7 - CA Technologies Documentation



  • 12.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 04:52 PM

    That is correct, Ujwol.

     

    psoni2

     

    You have two options.

     

    Option-A: Create a new cert8.db and manually import the certs.

    https://docops.ca.com/ca-single-sign-on/12-7/en/configuring/policy-server-configuration/user-directories/configure-an-ldap-user-directory-connection-over-ssl

     

     

    Option-B: Which Makesh already suggested. Here is the link for that. This will convert.

    https://docops.ca.com/ca-single-sign-on/12-7/en/release-notes/installation-and-upgrade-considerations/policy-server-installation-and-upgrade-considerations#PolicyServerInstallationandUpgradeConsiderations-RequirementsforExistingLDAPUserDirectoryConnectionsOverSSL

     

     

     

    Can you please mark Makesh's answer as correct and unmark my answer. The issue was to do with SSL.



  • 13.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 04:56 PM

    But I am wondering how it is working by just creating a new cert db.

     

    PS : I already Marked Makesh's answer as correct.



  • 14.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 05:12 PM

    I think because I copied cert7.db file from old 12.0 server and just converted into cert8.db.



  • 15.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 11:59 AM

    Have you converted the cert7.db to the cert8.db file format and pointed to it via SmConsole?



  • 16.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 12:00 PM

    This shows a cert error. Have you converted your cert.db?



  • 17.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory
    Best Answer

    Posted 01-11-2018 12:02 PM

    To convert the certificate database file:

    1. From a command prompt, navigate to the Policy Server installation bin directory.
      Example:

      C:\Program Files\CA\siteminder\bin
      Note: Windows has a native certutil utility. Verify that you are working from the Policy Server bin directory, or you can inadvertently run the Windows certutil utility.
    2. Enter the following command:

      certutil -L -d certificate_database_directory [-p prefix_name] -X

       

      • -d certificate_database_directory
        Specifies the directory that contains the certificate database files to convert.
      • -p prefix_name
        (Optional) Specifies any prefix that is used when creating the existing cert7.db file (for example, my_cert7.db).

      The certutil tool converts the existing cert7.db file to cert8.db format.

      Note: The directory specified by certificate_database_directory must already exist. If the file path contains spaces, bracket the path in quotes.



  • 18.  Re: Newly built12.7 policy-server/wamui, couldn't not contact user directory

    Posted 01-11-2018 04:29 PM

    This is not right. The "-L" switch is used just to list the certificates from the certdb.

     

    Update: Sorry, this is the correct command. I didn't notice the "-X" switch at the end.