14.1 Issues in Change Guardian Server

14.1.1 Configuring Change Guardian Appliance to Boot Normally

Issue: Rebooting the Change Guardian Appliance in Hyper-V causes it to go into emergency mode. This issue occurs because the operating system modifies the disk UUID during installation, so the disk references recorded in /etc/fstab and the GRUB configuration no longer match the disk.

Workaround: Install the Change Guardian 5.1 appliance in Hyper-V and then upgrade to the Change Guardian 6.0 appliance. Alternatively, update the UUID in the boot configuration as follows.

To update the UUID:

  1. (Conditional) If the Change Guardian Appliance rebooted into emergency mode, log in as root.

  2. Run ls -l /dev/disk/by-id/ and note the actual ID of the SCSI disk (the scsi-<id> symlink that points to the boot disk, together with its -part<n> entries).

  3. Run cat on each of the following files and identify the disk UUID entries in them:

    • /etc/fstab

    • /etc/default/grub

    • /boot/grub2/grub.cfg

  4. Compare the actual disk UUID entries in /dev/disk/by-id for the SCSI partitions with those in each of the above files.

  5. (Conditional) If the disk UUIDs in any of these locations do not match the actual values, manually replace the incorrect values with the actual ones.

    Example 14-1 Modifying Disk UUIDs

    If the UUID entry in the fstab, grub or grub.cfg files is 14d53465420202020f21b50e22267274c823e145500a372b7, but the UUID on disk is 360022480f21b50e22267145500a372b7, there is a mismatch that you must correct manually.

    After you replace the stale value with the actual one in /etc/fstab, /etc/default/grub and /boot/grub2/grub.cfg, the entries read as follows:

    • /etc/fstab

      /dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 / ext3 acl 1 1

    • /etc/default/grub

      GRUB_CMDLINE_LINUX=" root=/dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 nomodeset quiet"

    • /boot/grub2/grub.cfg

      linux /boot/vmlinuz-4.4.131-94.29-default root=UUID=ace9acb3-ac2b-47f0-960d-5b7cd5b51b47  root=/dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 nomodeset quiet

  6. (Conditional) To exit emergency mode, reboot the virtual machine.

The SCSI disk partition UUIDs are detected correctly and the appliance boots normally.
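The comparison in steps 2 to 5, as an added shell example that is not part of the Change Guardian documentation or product: it lists every scsi-<id> referenced in a configuration file, flags the ones that no longer exist under /dev/disk/by-id, and rewrites a stale ID while keeping a backup of the file. The function names are hypothetical, and the by-id listing and fstab fragment in the demo are constructed from the IDs in Example 14-1; on a real appliance, pass the output of ls /dev/disk/by-id (one name per line) as the listing and run the check against /etc/fstab, /etc/default/grub and /boot/grub2/grub.cfg in turn.

```shell
#!/bin/sh
# Added example (not NetIQ code): find and replace stale scsi-<id> references
# after a Hyper-V disk ID change.
#
#   ls /dev/disk/by-id > /tmp/byid.txt
#   check_stale_ids /tmp/byid.txt /etc/fstab      # repeat for grub, grub.cfg
#   fix_id <stale-id> <actual-id> /etc/fstab

# Print every distinct scsi-<hex> id referenced in a file. The -partN suffix
# is not hex, so it is left out and ids are compared at the disk level.
referenced_scsi_ids() {
  grep -o 'scsi-[0-9a-fA-F]\{1,\}' "$1" | sort -u
}

# check_stale_ids <by-id listing> <config file>
# Prints one line per referenced id that has no scsi-<id> or scsi-<id>-partN
# entry in the listing; returns 1 if any were found, 0 if all of them match.
check_stale_ids() {
  listing=$1; cfg=$2; rc=0
  for id in $(referenced_scsi_ids "$cfg"); do
    if ! grep -q "^$id\(-part[0-9][0-9]*\)\{0,1\}$" "$listing"; then
      echo "$cfg: $id is not present under /dev/disk/by-id"
      rc=1
    fi
  done
  return $rc
}

# fix_id <stale id> <actual id> <config file>
# Replaces every occurrence of the stale id; the original is kept as <file>.bak.
fix_id() {
  cp "$3" "$3.bak"
  sed "s/$1/$2/g" "$3.bak" > "$3"
}

# Constructed sample (not taken from a real appliance) using the IDs from
# Example 14-1: the listing shows the id Hyper-V presents, the fstab fragment
# still references the pre-install id.
setup_sample() {
  dir=$(mktemp -d)
  printf '%s\n' \
    scsi-360022480f21b50e22267145500a372b7 \
    scsi-360022480f21b50e22267145500a372b7-part1 > "$dir/byid.txt"
  printf '%s\n' \
    '/dev/disk/by-id/scsi-14d53465420202020f21b50e22267274c823e145500a372b7-part1 / ext3 acl 1 1' \
    > "$dir/fstab"
  echo "$dir"
}

sample=$(setup_sample)
check_stale_ids "$sample/byid.txt" "$sample/fstab" || echo "stale id found, fixing"
fix_id scsi-14d53465420202020f21b50e22267274c823e145500a372b7 \
       scsi-360022480f21b50e22267145500a372b7 "$sample/fstab"
check_stale_ids "$sample/byid.txt" "$sample/fstab" && cat "$sample/fstab"
```

Keep the .bak copies until the appliance has rebooted cleanly, and check grub.cfg as well as /etc/default/grub: the procedure above edits both files directly, and an unchanged root= in either one is enough to land back in emergency mode.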

14.1.2 Manual Configuration Required to use Registry Browser

Issue: To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled registry value (HKLM\Software\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1 and then restart the agent. Until you do, the Registry Browser displays the error Could not connect to Windows Data Source.

Workaround: Manually set the value to 1 and restart the agent before you use the Registry Browser. (Bug 945225)

14.1.3 Restarting the Change Guardian Server with FIPS Mode Enabled Logs an Exception

Issue: If FIPS mode is enabled on the Change Guardian server and the server is restarted, the server logs the following error message:

"An unexpected exception occurred while decrypting data failed. Root cause: CKR_ENCRYPTED_DATA_INVALID (sun.security.pkcs11.wrapper.PKCS11Exception) java.security.ProviderException: doFinal() failed"

(Bug 1129167)

Workaround: None required. The exception is logged only at restart and can be ignored.

14.1.4 Cannot Connect to AD Hostname, Domain, or IP Address

Issue: The subject alternative name (SAN) in the AD certificate must exactly match the AD hostname, domain, or IP address to which you are trying to connect. If they do not match, the connection fails and server0.0.log records an error such as:

CertificateException: No subject alternative DNS name matching ip address/hostname/dns found.

Workaround: Regenerate the LDAP server certificate so that the SAN (or, if the certificate has no SAN, the subject CN) contains the hostname, domain, or IP address that Change Guardian uses to connect to the LDAP server.

If you cannot regenerate the LDAP server certificate, disable Java endpoint identification in the nq_ldap_expander init script and in server.conf, as follows. This switches off only the hostname check: the certificate must still chain to a CA the server trusts, but any certificate that chain accepts will then be accepted for any host, so treat the setting as temporary and remove it once the certificate has been fixed.

  1. Open the /etc/init.d/nq_ldap_expander file.

  2. Add the following JVM option to the RUNCMD line, directly after ${JAVA}:

    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

    For example:

    RUNCMD="(cd ${PROCESS_BIN}; nohup  ${JAVA} -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -jar ./${DAEMON_FILE}.jar server ./${DAEMON_FILE}.yml > ${DAEMON_FILE}.out 2>&1; rm ${PIDFILE}) &"
  3. Open the /etc/opt/novell/sentinel/config/server.conf file.

  4. Add the following JVM option as the value of wrapper.java.additional.74=

    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

    For example:

    wrapper.java.additional.74=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  5. Go to /opt/netiq/cg/scripts.

  6. Restart the services:

    ./cg_services.sh restart
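The check that Java performs before raising the CertificateException above, as an added shell example that is not part of the Change Guardian documentation or product. san_matches answers whether a name is covered by a certificate's SAN list (an exact DNS entry, a single-label wildcard, or an exact IP entry, which is what endpoint identification verifies); fetch_san pulls that list from a live server with openssl, assumed to be 1.1.1 or later for the -ext option. The function names are hypothetical and the SAN list in the demo is constructed; run check_server against the real AD host and port 636 to find out whether the workaround is needed at all, or whether the name in the LDAP connection simply needs to be the one the certificate carries.

```shell
#!/bin/sh
# Added example (not NetIQ code): does the name Change Guardian connects with
# appear in the LDAP server certificate's subject alternative names?
# Usage: check_server ldap.example.com 636   (requires openssl >= 1.1.1)

# Print the SAN list of the certificate presented by host:port, e.g.
#   DNS:ldap.example.com, IP Address:10.0.0.5
fetch_san() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName \
    | tail -n +2 | sed 's/^[[:space:]]*//'
}

# san_matches "<SAN list>" <name>
# Returns 0 when <name> is covered by a DNS: entry (case-insensitive; a
# leading wildcard matches exactly one label, as in RFC 6125) or by an exact
# "IP Address:" entry, 1 otherwise. This is the check that
# -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true turns off.
san_matches() {
  san=$1
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  found=1
  old_ifs=$IFS
  IFS=','
  for raw in $san; do
    entry=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $entry in
      "IP Address:"*)
        [ "${entry#"IP Address:"}" = "$name" ] && found=0 ;;
      DNS:*)
        pat=$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z')
        case $pat in
          \*.*)
            # the wildcard covers one leftmost label: *.corp.example.net
            # matches dc1.corp.example.net but not a.dc1.corp.example.net
            [ "${name#*.}" != "$name" ] && [ "${name#*.}" = "${pat#\*.}" ] && found=0 ;;
          *)
            [ "$pat" = "$name" ] && found=0 ;;
        esac ;;
    esac
  done
  IFS=$old_ifs
  return $found
}

# check_server <host> <port>: 0 if the live certificate's SAN covers <host>.
check_server() {
  san=$(fetch_san "$1" "$2")
  if [ -z "$san" ]; then
    echo "certificate has no SAN extension; Java compares the CN instead" >&2
    return 2
  fi
  san_matches "$san" "$1"
}

# Constructed SAN list (not from a real AD server) for a stand-alone run.
sample_san='DNS:ldap.example.com, DNS:*.corp.example.net, IP Address:10.0.0.5'
for n in ldap.example.com dc1.corp.example.net 10.0.0.5 10.0.0.6 ad.example.local; do
  if san_matches "$sample_san" "$n"; then
    echo "$n: covered by SAN"
  else
    echo "$n: not in SAN, endpoint identification would reject it"
  fi
done
```

Note that Java matches an IP address only against IP Address entries and a hostname only against DNS entries, so connecting to an AD server by IP address fails even when the DNS name is in the certificate; changing the LDAP connection to use that DNS name is often the simplest fix.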

14.1.5 Creating or Modifying an LDAP Connection in FIPS Mode Fails With Certificate Error

Issue: When you create or modify an LDAP connection (CONFIGURATION > LDAP Connections) in FIPS mode, and specify a previously uploaded SSL certificate, the LDAP Configuration page displays an error: “File already exists.” (Defect 310249)

Workaround: Delete the certificate manually and create the LDAP connection.

To delete:

  1. List the certificates:

    certutil -L -d sql:/etc/opt/novell/sentinel/3rdparty/nss/

  2. Delete the SSL certificate:

    certutil -d sql:/etc/opt/novell/sentinel/3rdparty/nss/ -D -n <certificate nickname>
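The deletion step above, as an added shell example that is not part of the Change Guardian documentation or product: it parses the certutil -L listing into nicknames (which may contain spaces, so a plain grep on the raw listing is unreliable), refuses to delete a nickname that is not present, and verifies the removal afterwards. parse_certutil_listing, certutil_nicknames and nss_delete_cert are hypothetical helper names; the listing in the demo is constructed in the format certutil -L prints, and the live functions assume the NSS tools that the appliance already uses for the commands above.

```shell
#!/bin/sh
# Added example (not NetIQ code): remove a certificate from the Sentinel NSS
# database by exact nickname and confirm that it is gone.
NSSDB=${NSSDB:-/etc/opt/novell/sentinel/3rdparty/nss}

# parse_certutil_listing: read `certutil -L` output on stdin and print one
# nickname per line. The listing has a two-line header, a blank line, then
# "<nickname><padding><trust flags>"; the flags column always contains two
# commas (e.g. "CT,C,C" or ",,"), so stripping that column leaves the
# nickname, embedded spaces included.
parse_certutil_listing() {
  sed -n '3,$p' | sed '/^[[:space:]]*$/d; s/[[:space:]]*[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$//'
}

# certutil_nicknames [dbdir]: nicknames currently in the database.
certutil_nicknames() {
  certutil -L -d "sql:${1:-$NSSDB}" | parse_certutil_listing
}

# nss_delete_cert <nickname> [dbdir]: delete by exact nickname, refuse if the
# nickname is absent, and check that it no longer appears afterwards.
nss_delete_cert() {
  nick=$1; db=${2:-$NSSDB}
  if ! certutil_nicknames "$db" | grep -qxF "$nick"; then
    echo "no certificate with nickname '$nick' in $db" >&2
    return 1
  fi
  certutil -d "sql:$db" -D -n "$nick" || return 1
  if certutil_nicknames "$db" | grep -qxF "$nick"; then
    echo "'$nick' is still present after deletion" >&2
    return 1
  fi
  echo "deleted '$nick' from $db"
}

# Constructed listing in the format certutil -L prints (not from a real DB).
sample_listing() {
  printf '%s\n' \
'Certificate Nickname                                         Trust Attributes' \
'                                                             SSL,S/MIME,JAR/XPI' \
'' \
'ldap-ca                                                      CT,C,C' \
'ldap server cert                                             ,,'
}

# Stand-alone run: show the nicknames the parser recovers from the sample.
sample_listing | parse_certutil_listing
```

Run nss_delete_cert with the nickname that certutil_nicknames prints for the previously uploaded LDAP certificate, then create the LDAP connection again; the "File already exists" error comes from that nickname still being in the database.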