Like Lothar, I'd suggest the keystore approach.

But that error normally comes when you're trying to use an SSL version
which is not supported - i.e. your certificates are minted for SSLv3 and
not TLS.

Are you on IDM 4.0.2 Patch 5 or later, and using a very old version of
iManager? That could be the cause.


On 13.02.18 00:24, kborecky wrote:
> Hi all,
> I've been hacking on this for hours and hours.
> My subscriber (ldap tree) edir server's edir 2 edir cert expired. I've
> been working since on getting new certs. No matter what I do, my ldap
> tree driver says
> Driver: \SMITH_TREE\SC\driverset\LDAPToVault
> Channel: Subscriber
> Status: Retry
> Message: Code(-9006) The driver returned a "retry" status
> indicating that the operation should be retried later. Detail from
> driver: SSL handshake failed, SSL_ERROR_SYSCALL,
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> [02/12/18 18:12:24.552]:LDAPToVault ST:Requesting 30 second retry
> delay.
> I've tried to update them using Designer (but it doesn't seem to be
> creating the certs in the tree, so that doesn't help)
> I've tried to create them in iManager, with I believe recent plugins, but
> - from the LDAP side, it doesn't seem to make a difference
> - from the vault side, I get this charming error:
> Error: Driver Wizard - Error
> The following 'Exception' was thrown but not handled.
> ''Unable to create the certificates. The following error occurred:
> java.lang.ClassFormatError:
> com/novell/security/japi/pki/NPKI_Extension''.
> It's true that my LDAP tree hasn't been updated to the latest IDM
> version - my update schedule got hijacked. So it's still running 4.0.x.
> But if that were the problem, why was it working before the cert
> expired?
> If I use s_client to connect to the servers on port 8192, the certs look
> clean.
> And I did delete the existing certs before trying to regenerate them.
> So, other than shooting myself, does anyone have suggestions?
> Karla
> Not a happy camper
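The thread turns on what `error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol` actually says. Added example (not code from the thread, the IDM driver or OpenSSL): it unpacks the OpenSSL 1.0.x error code into its library/function/reason fields, which is an assumption about the packing scheme `(lib << 24) | (func << 12) | reason`, and it mirrors, in simplified form, the sniffing the SSLv23 client does on the first bytes a server sends back, so that a captured reply can be checked for whether it is a TLS record at all. The sample inputs are constructed; the byte-pattern heuristics for non-TLS replies are assumptions, not OpenSSL's own tables.

```python
"""Decode an OpenSSL error line and classify a server's first reply bytes.

Added example, not from the thread. Assumes the OpenSSL 1.0.x error
packing lib:func:reason = (lib << 24) | (func << 12) | reason, and a
simplified version of the SSLv23 client's server-hello sniffing.
"""
import re

# Constructed copy of the error line as it appears in the driver trace.
SAMPLE_ERROR = "error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol"

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(line):
    """Split an OpenSSL 1.0.x 'error:XXXXXXXX:lib:func:reason' line into its
    packed numeric fields plus the text labels OpenSSL printed."""
    m = ERR_RE.search(line)
    if not m:
        raise ValueError("not an OpenSSL error line")
    code = int(m.group(1), 16)
    return {
        "code": code,
        "lib": (code >> 24) & 0xFF,      # 0x14 = 20, the SSL library
        "func": (code >> 12) & 0xFFF,    # 0x077, SSL23_GET_SERVER_HELLO
        "reason": code & 0xFFF,          # 0x0FC = 252, "unknown protocol"
        "lib_name": m.group(2),
        "func_name": m.group(3),
        "reason_text": m.group(4),
    }


# Record/message constants (assumption: taken from the SSL/TLS wire format).
TLS_HANDSHAKE = 0x16
TLS_ALERT = 0x15
SSL2_MT_SERVER_HELLO = 4
VERSION_NAMES = {0: "SSLv3", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}


def classify_server_reply(data):
    """Simplified mirror of the SSLv23 client's decision on the first bytes a
    server sends back. Anything that is neither a TLS/SSLv3 record nor an
    SSLv2 server hello is what OpenSSL reports as 'unknown protocol'."""
    if len(data) < 5:
        return "short reply (fewer than 5 bytes)"
    b0, b1, b2 = data[0], data[1], data[2]
    if b0 == TLS_HANDSHAKE and b1 == 0x03:
        return "TLS handshake record, %s" % VERSION_NAMES.get(b2, "3.%d" % b2)
    if b0 == TLS_ALERT and b1 == 0x03:
        return "TLS alert record, %s" % VERSION_NAMES.get(b2, "3.%d" % b2)
    # SSLv2 record: high bit of the first length byte set, message type 4.
    if (b0 & 0x80) and b2 == SSL2_MT_SERVER_HELLO:
        return "SSLv2 server hello"
    # Heuristics (assumptions) for common plaintext replies on a non-TLS port.
    if b0 == 0x30:
        return "unknown protocol: BER/ASN.1 (plaintext LDAP or similar)"
    if data[:4] == b"HTTP":
        return "unknown protocol: plaintext HTTP"
    return "unknown protocol"


# Constructed sample replies: TLS 1.2 ServerHello record header, an SSLv2
# server hello, a BER sequence (as plaintext LDAP would send), a TLS alert.
SAMPLES = {
    "tls12": bytes.fromhex("160303002a02000026"),
    "sslv2": bytes.fromhex("804e04000002"),
    "ldap_plain": bytes.fromhex("300c020101780743"),
    "alert": bytes.fromhex("1503010002022f"),
}

if __name__ == "__main__":
    err = decode_openssl_error(SAMPLE_ERROR)
    print("lib=%d func=%d reason=%d (%s)" %
          (err["lib"], err["func"], err["reason"], err["reason_text"]))
    for name, raw in SAMPLES.items():
        print("%-10s %s" % (name, classify_server_reply(raw)))
```

A reply that classifies as anything other than a TLS record explains the "unknown protocol" reason on its own, before any certificate is looked at; one that classifies as a TLS alert points at the handshake itself (the alert description byte says why it was refused).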