All,

This is not an IDM issue, really, but so far all three of the places it
has been seen have been IDM Remote Loaders (RL), so I'm posting here to
try to save a lot of time/pain/suffering.

In summary, Bug# 1026050 (against an iManager plugin) and TID# 7018643
describe the issue pretty well.

If you export a certificate from eDirectory in b64/PEM format you may find
a blank line near the end of the certificate data, which looks innocent
enough, but is probably invalid and which causes the Remote Loader to
reject the certificate entirely with the following message:

Code:
Error Initializing connection to  DirXML: SSL library initialization
error: error: 0B084009:x509  certificate routines:
X509_load_cert_crl_file:PEM lib

Removal of the blank line before the END CERTIFICATE line is easy enough,
but it is not expected, and until the past month I've never seen this
problem. Other ways to work around this problem are to get the CA
certificate from openssl (usually possible by pointing to the LDAPS port
on the eDirectory box) or via ConsoleOne.

Code:
echo | openssl s_client -connect edir.server.goes.here:636 -showcerts

From the openssl output above grab the LAST block of certificate data, as
that will be the root certificate (vs. the first block which is the server
cert and should never be stored in a truststore). A hacked example follows:

Code:
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MII/WRONG/CERT/SERVER/CERT/IS/WRONG/NOT/LAST/LOOK/HAAAAAAAAHRDER
xAjN9nzAWN+1o6U6YDJ+1Vix5esbNwhWcNoi9nwT
-----END CERTIFICATE-----
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MII/STILL/WRONG/INTERMEDIATE/CERT/NOT/THE/LAST/ONE/KEEEP/GOING/
wSHGFg==
-----END CERTIFICATE-----
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MII/YES/THIS/IS/THE/SELF/SIGNED/CA/ROOT/CERTIFICATE/THAT/YOU/
WANT/TO/USE/FOR/ANY/TRUST/STORE/NOTICE/THE/ISSUES/AND/SUBJECT
/ARE/IDENTICAL/b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----

In that hacked up example of Google's certs, the third block is the root
certificate, so copy that block out to a b64/pem file and you'd be done,
if Google were the CA for your IDM RL certificate.
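As an added example (not code from the original post), a small Python helper that does both halves of the above: it drops the stray blank line from an exported PEM block and reports that it was there, and it picks the last certificate block out of `openssl s_client -showcerts` output. The hostnames and certificate bodies in it are constructed placeholders, not real certificates.

```python
# Added example, not from the original post; all cert bodies are placeholders.
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Constructed: an eDirectory-style export with the stray blank line before END.
BROKEN_EXPORT = """-----BEGIN CERTIFICATE-----
MII/CONSTRUCTED/PLACEHOLDER/BODY/LINE/ONE
MII/CONSTRUCTED/PLACEHOLDER/BODY/LINE/TWO

-----END CERTIFICATE-----
"""
# Constructed: abbreviated `openssl s_client -showcerts` output, 3-cert chain.
SHOWCERTS_OUTPUT = """Certificate chain
 0 s:/O=Example/CN=edir.example.test
   i:/O=Example/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MII/SERVER/CERT/PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/O=Example/CN=Example Intermediate CA
   i:/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MII/INTERMEDIATE/CERT/PLACEHOLDER
-----END CERTIFICATE-----
 2 s:/O=Example/CN=Example Root CA
   i:/O=Example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MII/ROOT/CERT/PLACEHOLDER
-----END CERTIFICATE-----
"""

def pem_blocks(text):
    """Return (blocks, had_blank): each BEGIN/END block as clean PEM with
    blank lines dropped, and whether any block contained a blank line."""
    blocks, body, had_blank = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s == BEGIN:
            body = []                        # start collecting a block
        elif s == END and body is not None:
            blocks.append("\n".join([BEGIN, *body, END]) + "\n")
            body = None
        elif body is not None and s:
            body.append(s)                   # normal base64 body line
        elif body is not None:
            had_blank = True                 # the defect the post describes
    return blocks, had_blank

def root_block(showcerts_output):
    """Last block in s_client -showcerts output: the root CA, per the post."""
    blocks, _ = pem_blocks(showcerts_output)
    return blocks[-1] if blocks else None
```

Write the string returned by `root_block` to a .b64/.pem file for the Remote Loader truststore; `pem_blocks(BROKEN_EXPORT)` gives the cleaned export plus a flag telling you the blank line was present.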

If you have seen this, please feel free to comment here. I know this can
be pretty frustrating to find, so feel free to comment on how much time
this has taken you to solve in the past if you have hit it. If you can
open an SR and mention the bug# above, that may help the company prioritize
as well.

--
Good luck.
