Identity Manager Engine Container fails with Failed to configure SAS service: unknown error -1266

Hi all,

Trying to play with IDM 4.9 and containers and failed on my first attempt to set up the Identity Manager engine. I am running Docker 27.3.1 on Red Hat 9.2.

Below is the idmconfigure.log file.

tail -f /data/idm/log/idmconfigure.log
2024-11-21 10:40:01+00:00 : IDM 4.9
IDM 4.9
%%% Received command line parameters : -s -ssc -slc -f /config/silent.properties
Verifying installed components...
###############################################################
Identity Manager Configuration
Thu Nov 21 10:40:01 UTC 2024
###############################################################

Refer log for more information at /var/opt/netiq/idm/log/idmconfigure.log
###############################################################
Configuring : Identity Manager Engine
Thu Nov 21 10:40:03 UTC 2024
###############################################################

%%% Received command line parameters : -s -f /config/silent.properties -log /var/opt/netiq/idm/log/idmconfigure.log -wci -typical -comp ENGINE -wci
Verifying installed components...
Silent mode detected... skipping config_mode.
Configuring silent mode using silent property file: /config/silent.properties
%%% Received command line parameters : -s -f /config/silent.properties -log /var/opt/netiq/idm/log/idmconfigure.log -wci -typical -comp ENGINE -wci
Verifying installed components...
Silent mode detected... skipping config_mode.
Configuring silent mode using silent property file: /config/silent.properties
Silent mode detected... skipping config_mode.

/etc/opt/netiq/idm/conf/idmconf.properties is not available.
Configuring Identity Store

Configuring the NDAP interfaces... Done
Configuring the HTTP interfaces... Done
Configuring the LDAP interfaces... Done

Configuring NetIQ eDirectory server with the following parameters, Please wait...
  Tree Name             : dockertree
  Server DN             : idv.servers.system
  Admin DN              : admin.sa.system
  NCP Interface(s)      : 192.168.40.132@524
  HTTP Interface(s)     : 192.168.40.132@8028
  HTTPS Interface(s)    : 192.168.40.132@8030
  LDAP TCP Port         : 389
  LDAP TLS Port         : 636
  LDAP TLS Required     : Yes
  Duplicate Tree Lookup : Yes

  Configuration File    : /etc/opt/novell/eDirectory/conf/nds.conf
  Instance Location     : /var/opt/novell/eDirectory/data
  DIB Location          : /var/opt/novell/eDirectory/data/dib

Starting the service 'ndsd'... Done.

Checking if server is ready to service requests... Done

Restarting the server instance as EBA was enabled.
Stopping the service 'ndsd'... Done.
Starting the service 'ndsd'... Done.

Searching for Duplicate Tree Name in the network. Please wait...
Configuring EBA... Done
Basic configuration is successful. Proceeding with additional configuration...

Extending schema... Done
For more details view schema extension logfile: /var/opt/novell/eDirectory/log/schema.log

Configuring HTTP service... Done
Configuring LDAP service... Done
Configuring SNMP service... Done
Configuring SAS service... Failed to configure SAS service: unknown error -1266 (fffffb0e hex) err=-1266
An error has occured while configuring the NetIQ eDirectory Server. Please look /var/opt/novell/eDirectory/log/ndsd.log file for more information.
The instance at /etc/opt/novell/eDirectory/conf/nds.conf is successfully configured.

ERROR: /opt/novell/eDirectory/bin/ndsconfig return value = 74.
Check /var/opt/netiq/idm/log/idmconfigure.log file for more information.
Identity Vault configuration failed with the exit code 74
###############################################################
Aborted configuration of : Identity Manager Engine
Thu Nov 21 10:41:15 UTC 2024
###############################################################


Exiting due to the failure in configuration of Identity Manager Engine.

How do I access these files? (Sorry, new to Docker.)

In /var/opt/novell/eDirectory/log/ndsd.log I see a bit more, but still no idea what the cause is:

Nov 21 10:40:32  Successfully started NetIQ PKI Services
Nov 21 10:40:32  SecurityInstall: Calling pkiInstallSetIdentity . . .
Nov 21 10:40:32  SecurityInstall: Returned from pkiInstallSetIdentity.
Nov 21 10:40:32  SecurityInstall: Calling pkiInstallSetRSAKeySize(4096) . . .
Nov 21 10:40:32  SecurityInstall: Calling pkiInstallSetECCurve(P384) . .  .
Nov 21 10:40:32  SecurityInstall: Calling pkiInstallSetCertLife(10) .  .  .
Nov 21 10:40:32  SecurityInstall: Calling pkiInstallsetCRLfile . . .
Nov 21 10:40:32  SecurityInstall: Returned from pkiInstallsetCRLfile.
Nov 21 10:40:32  SecurityInstall: Calling pkiInstallsetCRLfile . . .
Nov 21 10:40:32  SecurityInstall: Returned from pkiInstallsetCRLfile.
Nov 21 10:40:32  SecurityInstall: Calling pkiInstallSetIPAddress . . .
Nov 21 10:40:32  SecurityInstall: Returned from pkiInstallSetIPAddress.
Nov 21 10:40:32  SecurityInstall: Calling pkiInstallSetPorts . . .
Nov 21 10:40:32  ldaptcpport [389]
Nov 21 10:40:32  ldapsslport [636]
Nov 21 10:40:32  http_port [8028]
Nov 21 10:40:32  https_port [8030]
Nov 21 10:40:32  SecurityInstall: Returned from pkiInstallSetPorts.
Nov 21 10:40:33  SecurityInstall: Error from pkiInstallCreatePKIObjects (ccode = -1266; retval = -4).
Nov 21 10:40:33  An error occurred while configuring product SAS. Error description unknown error -1266 (fffffb0e hex).-1266
Nov 21 10:40:33  NDSIInstallDSProduct: Returning -1266.
Nov 21 10:40:33  DHModuleInit_dsi: Returning -1266.
Nov 21 10:40:33  Module dsi is not loaded
Nov 21 10:40:33 About to stop NetIQ eDirectory server on host:  localhost.localdomain

The silent file looks like this:

###
# Indicates whether you want to configure the silent properties file for Docker containers.
###
DOCKER_CONTAINER="y"

###
# Azure Cloud
###
AZURE_CLOUD="n"

###
# Indicates whether the existing Identity Manager components need to be upgraded.
###
UPGRADE_IDM="n"

###
# Indicates whether we need to prompt eDir API prompts
###
EDIRAPI_PROMPT_NEEDED="n"

###
# Indicates if Advanced Edition was selected
###
IS_ADVANCED_EDITION="true"

###
# Indicates if user wants to set a common password.
###
IS_COMMON_PASSWORD="y"

###
# Common Password
###
COMMON_PASSWORD="secret"

###
# Indicates Identity Manager engine to be installed.
###
INSTALL_ENGINE="true"

###
# Indicates Identity Vault to be installed.
###
INSTALL_IDVAULT="true"

###
# NDS var folder location
###
ID_VAULT_VARDIR="/var/opt/novell/eDirectory"

###
# NDS data location
###
ID_VAULT_DIB="/var/opt/novell/eDirectory/data/dib"

###
# NDS configuration file with path
###
ID_VAULT_CONF="/etc/opt/novell/eDirectory/conf/nds.conf"

###
# Identity Vault host address
###
ID_VAULT_HOST="192.168.40.132"

###
# Indicates whether it is for a new tree or an existing tree.
###
TREE_CONFIG="newtree"

###
# Identity Vault Administrator password
###
ID_VAULT_PASSWORD="secret"

###
# Server Context
###
ID_VAULT_SERVER_CONTEXT="servers.system"

###
# ID Vault Tree name
###
ID_VAULT_TREENAME="dockertree"

###
# ID Vault Server name
###
ID_VAULT_SERVERNAME="idv"

###
# Identity Vault Administrator in cn format ex: cn=admin,ou=sa,o=system
###
ID_VAULT_ADMIN_LDAP="cn=admin,ou=sa,o=system"

###
# ID Vault Administrator ex: admin.sa.system
###
ID_VAULT_ADMIN="admin.sa.system"

###
# RSA key size
###
ID_VAULT_RSA_KEYSIZE="4096"

###
# EC curve
###
ID_VAULT_EC_CURVE="P384"

###
# Certificate lifetime
###
ID_VAULT_CA_LIFE="10"

###
# NCP port
###
ID_VAULT_NCP_PORT="524"

###
# LDAP non SSL port
###
ID_VAULT_LDAP_PORT="389"

###
# LDAP SSL port
###
ID_VAULT_LDAPS_PORT="636"

###
# Identity Vault HTTP port
###
ID_VAULT_HTTP_PORT="8028"

###
# Identity Vault HTTPS port
###
ID_VAULT_HTTPS_PORT="8030"

###
# Identity Vault driver set name. Ex: driverset1
###
ID_VAULT_DRIVER_SET="driverset1"

###
# Identity Vault driver set deploy context. Ex: o=system
###
ID_VAULT_DEPLOY_CTX="o=system"

I loaded with: docker load --input IDM_490_identityengine.tar.gz

and started with: docker run --restart unless-stopped -d --network=host --name=engine-container -v /data:/config -e SILENT_INSTALL_FILE=/config/silent.properties --stop-timeout 100 identityengine:idm-4.9.0-580

These are copied and pasted from the documentation: https://www.netiq.com/documentation/identity-manager-49/setup_linux/data/t4bk3ao21qbm.html

After punching holes in the host firewall, I can connect to eDirectory as anonymous, but no LDAPS connections work, for obvious reasons. And I cannot authenticate because it requires confidentiality, aka TLS. So things are half baked, and I like it well done :)

Any ideas would be great!

Thank you!

Best regards

Marcus
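The post ends without a reply, so the following is an added pre-flight script for the silent.properties format shown above. It is example code written for this page, not part of Marcus's post and not NetIQ/OpenText tooling, and it does not know why pkiInstallCreatePKIObjects returned -1266. What it does is catch the inconsistencies a reviewer would check before the next docker run: that the dotted ID_VAULT_ADMIN and the LDAP DN in ID_VAULT_ADMIN_LDAP name the same object, the server DN the installer will create (idv.servers.system in the log), the host address and the five ports, the lab-grade passwords (COMMON_PASSWORD="secret" shared with the vault admin), and the host path that a container path such as /config/silent.properties resolves to through the -v /data:/config mount. The sample properties embedded in the script are an abridged copy of the posted file (constructed for this example), and the weak-password list is an assumption of mine.

```python
"""Pre-flight checks for an IDM engine silent.properties file.

Added example for this thread; not NetIQ/OpenText code, and it does not
diagnose the SAS/PKI error -1266. It parses the KEY="value" format shown in
the post, cross-checks the dotted and LDAP spellings of the admin object,
validates host and ports, flags lab passwords, and resolves -v mounts.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: an abridged copy of the properties posted in the thread.
SAMPLE_SILENT = '''
DOCKER_CONTAINER="y"
IS_COMMON_PASSWORD="y"
COMMON_PASSWORD="secret"
ID_VAULT_HOST="192.168.40.132"
TREE_CONFIG="newtree"
ID_VAULT_PASSWORD="secret"
ID_VAULT_SERVER_CONTEXT="servers.system"
ID_VAULT_TREENAME="dockertree"
ID_VAULT_SERVERNAME="idv"
ID_VAULT_ADMIN_LDAP="cn=admin,ou=sa,o=system"
ID_VAULT_ADMIN="admin.sa.system"
ID_VAULT_NCP_PORT="524"
ID_VAULT_LDAP_PORT="389"
ID_VAULT_LDAPS_PORT="636"
ID_VAULT_HTTP_PORT="8028"
ID_VAULT_HTTPS_PORT="8030"
'''

# Assumed weak-password list; extend it from your own policy.
WEAK_PASSWORDS = {"secret", "password", "novell", "netiq", "admin", "changeit"}

_KV = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"?(.*?)"?\s*$')


def parse_silent(text: str) -> Dict[str, str]:
    """Parse KEY="value" lines; blank lines and '#' comment lines are skipped."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def ldap_dn_to_dotted(dn: str) -> str:
    """cn=admin,ou=sa,o=system -> admin.sa.system (eDirectory typeless dot form)."""
    values = []
    for rdn in dn.split(","):
        _attr, sep, value = rdn.strip().partition("=")
        if not sep or not value:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        values.append(value)
    return ".".join(values)


def server_dn(props: Dict[str, str]) -> str:
    """Dotted server DN the installer will create, e.g. idv.servers.system."""
    return f"{props['ID_VAULT_SERVERNAME']}.{props['ID_VAULT_SERVER_CONTEXT']}"


def check_silent(props: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    expected = ldap_dn_to_dotted(props["ID_VAULT_ADMIN_LDAP"])
    if props.get("ID_VAULT_ADMIN") != expected:
        findings.append(f"ID_VAULT_ADMIN {props.get('ID_VAULT_ADMIN')!r} does not match "
                        f"ID_VAULT_ADMIN_LDAP (expected {expected})")
    try:  # with --network=host this must be an address the host actually owns
        ipaddress.ip_address(props["ID_VAULT_HOST"])
    except ValueError:
        findings.append(f"ID_VAULT_HOST {props['ID_VAULT_HOST']!r} is not an IP address")
    seen: Dict[int, str] = {}
    for key in (k for k in props if k.endswith("_PORT")):
        port = int(props[key]) if props[key].isdigit() else -1
        if not 1 <= port <= 65535:
            findings.append(f"{key}={props[key]!r} is not a valid TCP port")
        elif port in seen:
            findings.append(f"{key} and {seen[port]} both use port {port}")
        seen[port] = key
    for key in ("COMMON_PASSWORD", "ID_VAULT_PASSWORD"):
        value = props.get(key, "")
        if value and (len(value) < 12 or value.lower() in WEAK_PASSWORDS):
            findings.append(f"{key} is short or a dictionary word; lab use only")
    if props.get("IS_COMMON_PASSWORD") == "y":
        findings.append("IS_COMMON_PASSWORD=y reuses one password across components")
    return findings


def host_path(container_path: str, volumes: List[str]) -> str:
    """Map a container path to the host path behind a -v HOST:CONTAINER bind
    mount; the most specific (longest) container prefix wins."""
    best = None
    for spec in volumes:
        host, _, rest = spec.partition(":")
        cont = rest.split(":")[0].rstrip("/")  # drop :ro / :z options
        if container_path == cont or container_path.startswith(cont + "/"):
            if best is None or len(cont) > len(best[1]):
                best = (host.rstrip("/"), cont)
    if best is None:
        raise KeyError(f"{container_path} is not on a bind mount; use docker cp")
    return best[0] + container_path[len(best[1]):]
```

Run it against the real file with parse_silent(open(path).read()) and check_silent(); a non-empty findings list is a reason to stop before docker run, not a diagnosis of the SAS failure, whose cause the posted logs do not reveal. host_path() answers the "how do I access these files" question for anything under the mounted directory; a path that raises KeyError (such as /var/opt/novell/eDirectory/log/ndsd.log with only -v /data:/config) is inside the container's own filesystem and has to be copied out with docker cp or read with docker exec.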