One of our client environments had OAM setup since couple of years and we saw the below error all of a sudden and all the authentication/authorization requests of a specific access gate has stopped working.
2012/09/17@19:11:15.602601 16038 1000059 CONNECTIVITY DEBUG3 0×00000201 /export/t3array/build6/Oblix/coreidport/palantir/netlib/src/obmessagechannel.cpp:601 ”Received NMP STS negotiation “ _seqno^0 _opcode^0 _opcodeStr^ServerDiagnosticEvent Message^sts=cert
2012/09/17@19:11:15.992267 16038 68 CONN_MGMT ERROR 0x00001C08 /export/t3array/build6/Oblix/coreidport/palantir/aaa_client/src/watcher_thread.cpp:84 ”NAP initialization failed”
2012/09/17@19:11:15.992220 16038 1000059 CONNECTIVITY DEBUG3 0×00000201 /export/t3array/build6/Oblix/coreidport/palantir/netlib/src/obmessagechannel.cpp:480 ”handleSTSmessage returns false” _seqno^0 _opcode^0 Message^sts=cert
2012/09/17@19:11:15.998052 16038 79 CONN_MGMT DEBUG3 0×00000201 /export/t3array/build6/Oblix/coreidport/palantir/aaa_client/src/aaa_service_client.cpp:989 ”Connection checked out” return^NULL
2012/09/17@19:11:15.998133 16038 79 CONN_MGMT DEBUG3 0×00000201 /export/t3array/build6/Oblix/coreidport/palantir/aaa_client/src/aaa_service_client.cpp:2449 ”Connections exhausted”
2012/09/17@19:11:15.998223 16038 79 CONFIG DEBUG2 0×00000201 /export/t3array/build6/Oblix/coreidport/palantir/access_api/src/obconfig.cpp:864 ”Client configuration not updated”
2012/09/17@19:11:15.998253 16038 79 CONFIG INFO 0x0000182C /export/t3array/build6/Oblix/coreidport/palantir/access_api/src/obconfig.cpp:865 ”ObAccessException_ENGINE_DOWN” raw_code^301
Of this exception block, ObAccessException_ENGINE_DOWN gives a clue that certificate is expired.
Simple check for finding certificate expiry is to convert pem format to der format and open the der certificate in windows and one can easily make out its validity.
- Create a new certificate request using openssl tool located at Access SDK install ./openssl req -config openssl.cnf -newkey rsa:1024 -keyout aaa_key.pem -out aaa_req.pem.
- Get the certificate request aaa_req.pem signed by 3rd party CA.
- Rename the signed certificate as say aaa_cert.pem.
- Verify if the chain certificate is valid or not. If it is also expired, get it signed. It is expired in my case and hence I name it here as aaa_chain.pem.
- The 3 certificate files that needs to be replaced in Access Gate are aaa_cert.pem, aaa_key.pem and aaa_chain.pem (remains unchanged in my case). Place these files at $ACCESS_SDK/oblix/config
- Note that password.xml is required in OAM 10g version only if security mode is Simple. This xml contains hashed value of certificate passphrase. This file is not required in my case since it is Cert security mode and OAM 10g. However password.xml is required for both Cert/Simple in OAM 11g.
After placing the certificate as mentioned in 5th step, verify that webgate is working fine.