NetIQ Designer Authentication Error Import Vault

Hi Team.

We have IDM 4.8.7 and Designer 4.8.7.0100.

We lost the connection to the Vault from Designer (before, we could connect and import or deploy objects), but we can connect to the Vault using Identity Console and the same credentials:

Host: IP:636

User: cn=admin,ou=sa,o=system

Pwd: *****

We checked the port using "telnet IP Port" and the connection exists.

The services and port are up:

tcp   LISTEN 0      4096                 0.0.0.0:636        0.0.0.0:*  

The admin user and password are working because I can connect to Identity Console.

How can I test using another user, or view some log to review why I cannot connect from Designer?

This is the error message:

Thanks,

  • 0  

    Hi Cesar

    By chance, do you have a configured proxy with authentication for access to the internet (designer/package updates, etc)?

    I had a situation in which the Designer, with a configured proxy with authentication, redirected all traffic (including connectivity to the server) through the proxy.

    It can be related to this specific Designer (Eclipse) bug.

  • 0 in reply to   

    Hi Al_b.

    We don't have a proxy; we don't need a proxy to reach the internet.

    We tried to connect using Designer from another PC and the message is the same.

    Does the admin user need some privilege to connect to the vault using Designer?

    Thanks,

  • 0   in reply to 

    I have several stupid questions:

    1. Can you connect to this server from an "external" LDAP browser? (Maybe from Apache Directory Studio installed on the same workstation, where you have your Designer). Try to connect to both ports 389 and 636.

    2. You mentioned that you can connect from Identity Console. Where do you have your Identity Console installed? (I have a suspicion that you have it installed on the same server.)

    3. Do you have the firewall enabled on your server? Try to disable it (or add exclusion for ports 389, 636).

  • 0

    Hi,

    If I am understanding you correctly, the connection between Designer and IDVault (directory) was working before as expected.

    In this case, I am wondering what might have changed? Did you move the Designer workstation/host to another subnet? 

    If this is not the case, is there a chance the LDAP certificates became invalid or were replaced?

  • 0 in reply to   

    Hi Al_b:

    1. Yes, I can connect using Softerra LDAP Administrator, and browse the tree without problem.

    2. Yes, Identity Console is installed on the same server as eDirectory and the IDM Engine.

    3. No firewall is enabled, and telnet to 389 and 636 works fine.

  • 0 in reply to 

    Hi  

    Yes, the connection Designer -> IDVault was working well.

    We can Import and Deploy any object.

    We didn't touch configurations about certificates (replace, regenerate, etc.); in fact, I deleted the C:\netiq\idm\apps\Designer\configuration/LDAPServerCerts file from my local Designer installation to force it to download the certificates again and show the message to "accept permanent", "accept temporary" or "no accept" the certificate.

    After accepting the certificates, it shows the authentication error.

    I can connect to IDVault using an external LDAP browser with the admin user without problem.

    Thanks,

  • 0   in reply to 

    If you look at the SSL Cert that LDAP is offering, is there a subject alternate name extension that matches the DNS name you are trying to connect to?  Try the IP address instead of the DNS Name.

    Java in later versions, like Designer might be using, got picky about SANs matching the URL for security.

  • 0 in reply to   

    Hi Geoffrey.

    How can I look at the SSL cert?

    From Identity Console or from a web browser?

    Or is there some way from Designer?

    Thanks,

  • 0 in reply to 

    I found its log in the workspace directory \.metadata\.log

    !ENTRY com.novell.core 4 0 2024-12-10 13:54:36.914
    !MESSAGE The system can't authenticate you to the tree. Make sure the username, context, and password are correct, and then retry the operation. If it still doesn't work, contact your network administrator.
    !STACK 0
    com.novell.admin.common.exceptions.SimpleSPIException: The system can't authenticate you to the tree. Make sure the username, context, and password are correct, and then retry the operation. If it still doesn't work, contact your network administrator.
    	at com.novell.admin.common.exceptions.SimpleSPIException.newException(SimpleSPIException.java:85)
    	at com.novell.admin.ns.ldap.jndi.LDAPNamespaceImpl.authenticate(LDAPNamespaceImpl.java:440)
    	at com.novell.core.datatools.access.nds.DSAccess.ldapAuthenticationWithCertificate(DSAccess.java:442)
    	at com.novell.core.datatools.access.nds.DSAccess.authenticateToTreeLDAP(DSAccess.java:394)
    	at com.novell.core.datatools.access.nds.DSAccess.authenticateToTree(DSAccess.java:282)
    	at com.novell.core.datatools.access.nds.DSAccess.buildDSAccess(DSAccess.java:695)
    	at com.novell.designer.Designer.testCredentials(Unknown Source)
    	at com.novell.idm.config.internal.IdentityVaultPage.widgetSelected(IdentityVaultPage.java:796)
    	at org.eclipse.swt.widgets.TypedListener.handleEvent(TypedListener.java:248)
    	at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:84)
    	at org.eclipse.swt.widgets.Display.sendEvent(Display.java:4353)
    	at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1061)
    	at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4172)
    	at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3761)
    	at org.eclipse.jface.window.Window.runEventLoop(Window.java:832)
    	at org.eclipse.jface.window.Window.open(Window.java:808)
    	at com.novell.designer.ui.dialogs.DesignerPropertyDialog.invokePropertyDialog(Unknown Source)
    	at com.novell.designer.Designer.launchConfigDialog(Unknown Source)
    	at com.novell.idm.config.internal.IDMPropertiesAction.run(IDMPropertiesAction.java:85)
    	at org.eclipse.ui.internal.PluginAction.runWithEvent(PluginAction.java:253)
    	at org.eclipse.jface.action.ActionContributionItem.handleWidgetSelection(ActionContributionItem.java:595)
    	at org.eclipse.jface.action.ActionContributionItem.access$2(ActionContributionItem.java:511)
    	at org.eclipse.jface.action.ActionContributionItem$5.handleEvent(ActionContributionItem.java:420)
    	at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:84)
    	at org.eclipse.swt.widgets.Display.sendEvent(Display.java:4353)
    	at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1061)
    	at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4172)
    	at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3761)
    	at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$9.run(PartRenderingEngine.java:1151)
    	at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:332)
    	at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1032)
    	at org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:148)
    	at org.eclipse.ui.internal.Workbench$5.run(Workbench.java:636)
    	at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:332)
    	at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:579)
    	at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:150)
    	at com.novell.idm.rcp.DesignerApplication.start(DesignerApplication.java:118)
    	at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:196)
    	at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:134)
    	at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:104)
    	at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:380)
    	at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:235)
    	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    	at java.lang.reflect.Method.invoke(Method.java:498)
    	at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:648)
    	at org.eclipse.equinox.launcher.Main.basicRun(Main.java:603)
    	at org.eclipse.equinox.launcher.Main.run(Main.java:1465)
    	at org.eclipse.equinox.launcher.Main.main(Main.java:1438)
    

  • 0   in reply to 

    The easiest way to check the certificate is to use KeyStore Explorer or Apache Directory Studio.

    KeyStore Explorer - https://keystore-explorer.org/

    Apache Directory Studio - directory.apache.org/.../downloads.html
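
A command-line alternative to the GUI tools suggested above, for checking whether the subject alternative names in the LDAPS certificate cover the name or IP address typed into the client. This is an added example, not part of the thread. It assumes OpenSSL 1.1.1 or later; the host name idv.example.test, the address 192.0.2.10 and the generated certificate are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check whether the address typed into an LDAPS client is
# covered by the server certificate's Subject Alternative Names (SANs).

# Save the leaf certificate a live server presents, e.g.: fetch_cert HOST 636 > ldaps.pem
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# Print the SAN entries of a PEM certificate file.
show_sans() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Return 0 if TARGET is covered by the certificate's SANs.
# An IPv4 literal is compared only with IP entries, a name only with DNS entries.
target_matches() {
    cert=$1
    target=$2
    case $target in
        *[!0-9.]*) opt=-checkhost ;;  # anything but digits and dots: DNS name
        *)         opt=-checkip ;;    # IPv4 literal
    esac
    openssl x509 -in "$cert" -noout "$opt" "$target" | grep -q 'does match'
}

# Constructed sample input: a throwaway self-signed certificate with the given SANs.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=idv.example.test" \
        -addext "subjectAltName=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo on constructed data: a certificate that names the host but not its IP.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/dns-only.pem" "DNS:idv.example.test"
show_sans "$demo_dir/dns-only.pem"
for t in idv.example.test 192.0.2.10; do
    if target_matches "$demo_dir/dns-only.pem" "$t"; then
        echo "$t: covered by SAN"
    else
        echo "$t: NOT covered by SAN"
    fi
done
rm -rf "$demo_dir"
```

Against a live server, run fetch_cert with the same host and port entered in Designer, then pass the saved file to show_sans and target_matches.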