Hi there,
We recently upgraded a Sentinel 7.0.1 appliance to 7.1.1_1058. We are seeing
certificate related errors when the Audit Server component is started.
This is used by NMAS, eDir, IDM collectors.

We are presently using the NetIQ Audit Connector 2011.1r1 and the Novell
Modular Authentication Collector 6.1r3. We could upgrade these but is
there something more fundamental to fix first from the 7.1.1 upgrade?

====
> 2013|INFO|Thread-887|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditX509TrustManager.<init>
> Setting the trust level for the audit connector to OPEN
> Tue Dec 10 10:42:18 GMT 2013|INFO|eDirInst
> (/172.18.71.15:6430)|esecurity.ccs.comp.audit.AuditLogger.execute
> Audit High:: Action by the system via Sentinel service Server
> object Audit Connector method NewConnection client Unknown failed : A
> new application eDirInst from machine 172.18.71.15 made a connection
> with the Audit Event Source Server: Audit Server ALL:1289.
> Tue Dec 10 10:42:18 GMT 2013|INFO|eDirInst
> (/172.18.71.15:6430)|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditConnectorServer.alertNewConnection
> Audit Server ALL:1289: Received new event source from machine
> 172.18.71.15:eDirInst
> Tue Dec 10 10:42:19 GMT
> 2013|INFO|Thread-888|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditX509TrustManager.<init>
> Setting the trust level for the audit connector to OPEN
> Tue Dec 10 10:42:19 GMT 2013|INFO|eDirInst
> (/172.16.12.18:42426)|esecurity.ccs.comp.audit.AuditLogger.execute
> Audit High:: Action by the system via Sentinel service Server
> object Audit Connector method NewConnection client Unknown failed : A
> new application eDirInst from machine 172.16.12.18 made a connection
> with the Audit Event Source Server: Audit Server ALL:1289.
> Tue Dec 10 10:42:19 GMT 2013|INFO|eDirInst
> (/172.16.12.18:42426)|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditConnectorServer.alertNewConnection
> Audit Server ALL:1289: Received new event source from machine
> 172.16.12.18:eDirInst
> Tue Dec 10 10:42:19 GMT
> 2013|INFO|Thread-889|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditX509TrustManager.<init>
> Setting the trust level for the audit connector to OPEN
> Tue Dec 10 10:42:19 GMT
> 2013|SEVERE|Thread-889|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
> /172.16.12.49:16915: Error encountered in sendClient(1):
> javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: Certificates does not conform
> to algorithm constraints
> Tue Dec 10 10:42:19 GMT
> 2013|SEVERE|Thread-889|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
> ; Exception java.security.cert.*CertificateException:
> Certificates does not conform to algorithm constraints;
> javax.net.ssl.SSLHandshakeException; ; Caused by Certificates does not
> conform to algorithm constraints*;
> java.security.cert.CertificateException;
> Tue Dec 10 10:42:19 GMT
> 2013|SEVERE|Thread-889|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
> javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: Certificates does not conform
> to algorithm constraints
> at sun.security.ssl.Alerts.getSSLException(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
> at sun.security.ssl.ServerHandshaker.clientCertificate(Unknown Source)
> at sun.security.ssl.ServerHandshaker.processMessage(Unknown Source)
> at sun.security.ssl.Handshaker.processLoop(Unknown Source)
> at sun.security.ssl.Handshaker.process_record(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
> at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
> at sun.security.ssl.AppOutputStream.write(Unknown Source)
> at sun.security.ssl.AppOutputStream.write(Unknown Source)
> at java.io.DataOutputStream.write(Unknown Source)
> at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient(DeviceSensorAuditListener.java:852)
> at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.handle_LE_CMD_STARTTLS(DeviceSensorAuditListener.java:569)
> at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.performHandShake(DeviceSensorAuditListener.java:510)
> at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.run(DeviceSensorAuditListener.java:365)
> Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
> at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(Unknown Source)
> at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
> at sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(Unknown Source)
> ... 14 more



--
kmaule
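
Added example, not part of the original post and not NetIQ code: a Python triage script that reassembles the wrapped, ">"-quoted Audit Server records shown above and reports which peer address each SEVERE handshake failure came from, next to the addresses the server accepted as new event sources. The function names and the embedded sample are assumptions constructed from the record layout visible in the quoted log.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the wrapped, ">"-quoted records in the post.
SAMPLE = """\
> Tue Dec 10 10:42:18 GMT 2013|INFO|eDirInst
> (/172.18.71.15:6430)|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditConnectorServer.alertNewConnection
> Audit Server ALL:1289: Received new event source from machine
> 172.18.71.15:eDirInst
> Tue Dec 10 10:42:19 GMT
> 2013|SEVERE|Thread-889|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
> /172.16.12.49:16915: Error encountered in sendClient(1):
> javax.net.ssl.SSLHandshakeException:
> java.security.cert.CertificateException: Certificates does not conform
> to algorithm constraints
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Zero-width split point in front of every "Tue Dec 10 10:42:19 GMT 2013|" stamp.
STAMP = re.compile(r"(?=\b[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} [\d:]{8} [A-Z]{3,4} \d{4}\|)")
PEER = re.compile(rf"/({IP}):\d+: Error encountered in sendClient")
CAUSE = re.compile(r"SSLHandshakeException: ([\w.]+Exception): ([^;]+)")
NEW_SRC = re.compile(rf"Received new event source from machine ({IP}):")

def records(text):
    """Undo '>' quoting and line wrapping; return one string per log record."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    return [r.strip() for r in STAMP.split(flat) if r.strip()]

def failed_handshakes(text):
    """Map peer IP -> set of (exception class, message) from SEVERE records."""
    out = defaultdict(set)
    for rec in records(text):
        fields = rec.split("|", 3)  # timestamp | level | thread | logger + message
        if len(fields) < 4 or fields[1] != "SEVERE":
            continue
        peer, cause = PEER.search(fields[3]), CAUSE.search(fields[3])
        if peer and cause:
            out[peer.group(1)].add((cause.group(1), " ".join(cause.group(2).split())))
    return dict(out)

def registered_sources(text):
    """IPs the Audit Server accepted as new event sources."""
    return {m.group(1) for rec in records(text) for m in NEW_SRC.finditer(rec)}

if __name__ == "__main__":
    ok = registered_sources(SAMPLE)
    for ip, causes in failed_handshakes(SAMPLE).items():
        print(ip, "registered" if ip in ok else "never registered", sorted(causes))
```

Run against the full server log, this separates event sources whose certificate the server rejects from those that connect normally, which narrows down which client certificates to inspect.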