Troubleshooting Secrets Storage

Secrets Are Not Stored in Novell SecretStore

When you use Novell SecretStore to store the secrets, the schema on the eDirectory server must be extended, and specific SAML objects and certificates must be created.

To verify that the schema was extended and the objects were created on the eDirectory server:

  1. Open an LDAP browser and connect to the LDAP server.

  2. Browse to the Security container.

  3. Look for objects similar to the following:

    If the schema has been extended correctly, you can find a SAML Assertion object in the Authorized Login Methods container. The SAML_Assertion object contains an alphanumeric generated name for a SAML affiliate object. This object has four attributes.

    The SAML affiliate object name is used to generate another container in the Security container. This new container is the <AffiliateObjectName> Trusted Root container that contains public key signing certificate.

  4. Complete one of the following:

    • If these objects do not exist, verify the following, then continue with Step 5:

      • The admin user for the user store has sufficient rights to extend the schema and add these objects to the Security container.

      • Any configured firewalls must allow NCP and LDAP traffic for Administration Console, Identity Server, and the LDAP user store.

      • Verify that you have installed the required packages.

    • If the objects exist, check for time synchronization problems. For more information, see Users Are Receiving Invalid Credential Messages.

  5. In Administration Console, modify the secret store configuration so that it is resent to the user store:

    1. Click Devices > Identity Servers > Edit > Liberty > Web Service Providers > Credential Profile.

    2. In the Remote Storage of Secrets section, remove the user store, then add it again.

    3. Click OK.

  6. Update Identity Server.

Users Are Receiving Invalid Credential Messages

The <SAML_Affiliate_Object>.SAML-Assertion.AuthorizedLoginMethods.Security object contains two attributes to determine how long credentials are valid. If your Identity Server and eDirectory are not time synchronized, the credentials can become invalid before a user has time to use them.

Ensure that the time of your Identity Server and eDirectory server are synchronized, or increase the value of the authsamlValidAfter and authsamlValidBefore attributes of the SAML affiliate object.

Secrets Are Not Stored in the LDAP Directory

  1. Open an LDAP browser and connect to the eDirectory server.

  2. Browse to the user object.

  3. Verify that the user object contains the LDAP attribute that you have specified as the attribute to store the secrets.

  4. If the attribute exists, browse to the schema and verify that the attribute has the following characteristics:

    • Single valued

    • Case ignore

    • String