No trusted certificate / SSLHandshakeException after upgrading Change Guardian in FIPS mode
Alert Rule Deployment Fails Due to Wrong IP Entry in the Host
Unable to start nq_javos process after switching from legacy profile profile_iqc to profile_javos
Windows Policy Assignment Fails Due to IP Address Change in the Server
Firewall Status Shows ‘Stopped’ in Change Guardian Appliance Environments
Restarting the Change Guardian Server with FIPS Mode Enabled Logs an Exception
Creating or Modifying an LDAP Connection in FIPS Mode Fails With Certificate Error
Issue: After upgrading Change Guardian in FIPS mode, alerts cannot be viewed, and server0.0.log contains exceptions such as: Root cause: No trusted certificate found (sun.security.validator.ValidatorException) javax.net.ssl.SSLHandshakeException: No trusted certificate found at sun.security.ssl.Alert.createSSLException(Alert.java:131)
Workaround: Import the Elasticsearch certificate into the FIPS keystore. For more information, see Importing Certificates to FIPS Keystore Database.
Issue: When you install the Change Guardian server, the correlation engine takes the IP address from the host entry. Alert rule deployment fails when the IP address of the machine changes but the host entry is not updated.
Workaround: Update the host entry with the current IP address and restart the Change Guardian server.
Issue: When you switch from the legacy profile (profile_iqc) to the secure profile (profile_javos), the Javos service does not start.
Workaround: Check the /opt/netiq/cg/javos/javos.out file for errors. If you see errors about missing content in /opt/netiq/cg/javos/javos.yml, verify that the following lines are present in /opt/netiq/cg/javos/javos.yml; if they are not, add them. After updating /opt/netiq/cg/javos/javos.yml, restart the Javos service with the command /etc/init.d/nq_javos restart.
    cacheUpdateInterval: 60
    Appenders:
      - type: file
        currentLogFilename: log/javos.log
        threshold: ALL
        archive: true
        archivedLogFilenamePattern: log/javos-%i.log
        archivedFileCount: 5
        maxFileSize: 2MB
        timeZone: system
        logFormat: "%-5level [%date] [%t] %logger: %msg%n%rEx"
The recommended value for cacheUpdateInterval is 60; the minimum value is 30.
Issue: When the host name or IP address of the Change Guardian server is changed, the existing agents and CAM can no longer communicate with the server, and policy assignment also fails.
Workaround: Update the Event Destination with the new host name or IP address. For more information, see Change of IP and Host Name of the Change Guardian Server.
Issue: The status of SuSEfirewall2 shows as "stopped" in Change Guardian Appliance environments.
Workaround: Start the firewall and make the setting persistent across reboots by running the commands rcSuSEfirewall2 start and chkconfig SuSEfirewall2_init on as root.
Issue: Rebooting the Change Guardian Appliance in Hyper-V causes it to go into emergency mode. This issue occurs because the operating system modifies the disk UUID during installation.
Workaround: Install the Change Guardian 5.1 appliance in Hyper-V and then upgrade to the Change Guardian 6.0 appliance. Alternatively, you can update the UUID.
To update the UUID:
(Conditional) If the Change Guardian Appliance rebooted into emergency mode, log in as root.
Run the command ls -l /dev/disk/by-id/ and note the actual UUID of the disk.
Run the command cat on each of the following files to identify the disk UUID entries they contain:
/etc/fstab
/etc/default/grub
/boot/grub2/grub.cfg
Compare the actual disk UUID entries in /dev/disk/by-id for the SCSI partitions with the entries in each of the files above.
(Conditional) If the disk UUIDs in any of these locations do not match the actual values, you must manually replace the incorrect values with the actual values.
Example 15-1 Modifying Disk UUIDs
If the UUID entry in the fstab, grub or grub.cfg files is 14d53465420202020f21b50e22267274c823e145500a372b7, but the UUID on disk is 360022480f21b50e22267145500a372b7, there is a mismatch that you must correct manually.
After the UUID entry is replaced with the correct value in the fstab, grub and grub.cfg files, the entries read as follows:
/etc/fstab
    /dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 / ext3 acl 1 1
/etc/default/grub
    GRUB_CMDLINE_LINUX=" root=/dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 nomodeset quiet"
/boot/grub2/grub.cfg
    linux /boot/vmlinuz-4.4.131-94.29-default root=UUID=ace9acb3-ac2b-47f0-960d-5b7cd5b51b47 root=/dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 nomodeset quiet
(Conditional) To exit the emergency mode, reboot the virtual machine.
The SCSI disk partition UUIDs are detected correctly and the appliance boots normally.
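The comparison in the procedure above can be scripted so that stale scsi-* ids are found and rewritten with a backup copy kept, which is safer than editing boot files by hand in emergency mode. The script below is an added example, not part of the Change Guardian documentation; the function names, the temporary directory layout and the disk ids used in the demo are constructed for illustration. Filesystem UUIDs such as root=UUID=... are deliberately not touched, because the mismatch described on this page concerns the /dev/disk/by-id scsi ids only.

```shell
#!/bin/sh
# Added example (not from the Change Guardian documentation): find scsi-* disk ids
# referenced in fstab / grub files that no longer exist under /dev/disk/by-id, and
# rewrite them while keeping a backup. All paths and ids in demo_uuid_check are
# constructed for illustration.

# find_stale_ids FILE BYID_DIR
# Print every scsi-<id> referenced in FILE (partition suffix stripped) that has no
# entry in BYID_DIR, one per line. Prints nothing when every id still exists.
# Only hex scsi ids are matched, so root=UUID=<filesystem uuid> entries are ignored.
find_stale_ids() {
  file="$1"; byid="$2"
  grep -o 'scsi-[0-9a-fA-F]*' "$file" | sort -u | while IFS= read -r id; do
    [ -e "$byid/$id" ] || printf '%s\n' "$id"
  done
}

# replace_id FILE OLD_ID NEW_ID
# Replace OLD_ID with NEW_ID in FILE after saving FILE.bak (same permissions), so the
# edit can be reverted. Ids are plain hex, so no sed metacharacters need escaping.
replace_id() {
  file="$1"; old="$2"; new="$3"
  cp -p "$file" "$file.bak"
  sed "s/$old/$new/g" "$file.bak" > "$file"
}

# demo_uuid_check
# Build a constructed scenario in a temporary directory: by-id knows only the real
# id, while fstab still points at a stale one. Print the stale id, repair the file,
# and show that no stale ids remain.
demo_uuid_check() {
  tmp=$(mktemp -d) || return 1
  real=360022480f21b50e22267145500a372b7                   # constructed: id the kernel reports
  stale=14d53465420202020f21b50e22267274c823e145500a372b7  # constructed: id left in fstab
  mkdir -p "$tmp/by-id"
  : > "$tmp/by-id/scsi-$real"
  : > "$tmp/by-id/scsi-$real-part1"
  printf '/dev/disk/by-id/scsi-%s-part1 / ext3 acl 1 1\n' "$stale" > "$tmp/fstab"

  echo "stale ids before repair:"
  find_stale_ids "$tmp/fstab" "$tmp/by-id"
  replace_id "$tmp/fstab" "$stale" "$real"
  echo "stale ids after repair:"
  find_stale_ids "$tmp/fstab" "$tmp/by-id"
  echo "repaired fstab:"
  cat "$tmp/fstab"
  rm -rf "$tmp"
}

# Run the constructed demo with: sh check_disk_ids.sh demo
case "${1:-}" in demo) demo_uuid_check ;; esac
```

On a real appliance you would call find_stale_ids with /etc/fstab, /etc/default/grub and /boot/grub2/grub.cfg against /dev/disk/by-id, review the output, and only then run replace_id for each reported id; the .bak copies let you revert if the machine still fails to boot.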
Issue: To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled flag (HKLM\Software\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1 and then restart the agent.
Workaround: Manually set the flag to 1 before you use the Registry Browser, to avoid the error "Could not connect to Windows Data Source". (Bug 945225)
Issue: If FIPS mode is enabled on the Change Guardian server and the server is restarted, the server logs the following error message:
"An unexpected exception occurred while decrypting data failed. Root cause: CKR_ENCRYPTED_DATA_INVALID (sun.security.pkcs11.wrapper.PKCS11Exception) java.security.ProviderException: doFinal() failed"
(Bug 1129167)
Workaround: You can ignore the exception.
Issue: The subject alternative name (SAN) in the AD certificate must exactly match the AD host name, domain, or IP address to which you are connecting. If they do not match, the connection fails with an error message such as:
server0.0.log - CertificateException: No subject alternative DNS name matching ip address/hostname/dns found.
Workaround: Regenerate the LDAP server certificate so that the SAN or the subject name of the certificate matches the LDAP server.
If you cannot regenerate the LDAP server certificate, update the nq_ldap_expander and server.conf files:
Open the /etc/init.d/nq_ldap_expander file.
Add the following text:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
For example:
RUNCMD="(cd ${PROCESS_BIN}; nohup ${JAVA} -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -jar ./${DAEMON_FILE}.jar server ./${DAEMON_FILE}.yml > ${DAEMON_FILE}.out 2>&1; rm ${PIDFILE}) &"
Open the /etc/opt/novell/sentinel/config/server.conf file.
Add the following text after wrapper.java.additional.74=
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
For example:
wrapper.java.additional.74=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Go to /opt/netiq/cg/scripts and restart the services:
./cg_services.sh restart
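The property -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true makes the JNDI LDAP client skip checking the server certificate's SAN or subject against the host it connected to, so the certificate chain is still validated but the server identity is not. That is why regenerating the certificate is the real fix and the property should be removed once that is done. The script below is an added example, not part of the Change Guardian documentation, that reports whether the property is still active in the two files named in the workaround; the function names are constructed, and the sample configuration lines in the test are constructed as well.

```shell
#!/bin/sh
# Added example (not from the Change Guardian documentation): report whether LDAP
# endpoint identification has been switched off in the files named in the workaround.
# Function names are constructed for this example.

# endpoint_identification_disabled FILE
# Return 0 (true) if FILE contains an active (non-commented) line that sets
# disableEndpointIdentification=true, 1 otherwise. A missing or unreadable file
# counts as "not disabled".
endpoint_identification_disabled() {
  file="$1"
  [ -r "$file" ] || return 1
  grep -v '^[[:space:]]*#' "$file" \
    | grep -q 'com\.sun\.jndi\.ldap\.object\.disableEndpointIdentification=true'
}

# audit_ldap_hostname_verification [FILE...]
# Print one status line per file. The return value is the number of files in which
# verification is disabled, so a scheduled job can alert on a non-zero result.
audit_ldap_hostname_verification() {
  disabled=0
  for f in "$@"; do
    if endpoint_identification_disabled "$f"; then
      echo "WARN $f: LDAP hostname verification disabled (disableEndpointIdentification=true)"
      disabled=$((disabled + 1))
    else
      echo "OK   $f: LDAP hostname verification active"
    fi
  done
  return "$disabled"
}

# Default paths are the two files edited in the workaround on this page.
# Run with: sh audit_ldap_endpoint_id.sh audit
case "${1:-}" in
  audit)
    audit_ldap_hostname_verification \
      /etc/init.d/nq_ldap_expander \
      /etc/opt/novell/sentinel/config/server.conf
    ;;
esac
```

Commented-out lines are ignored, so leaving the property in the file behind a # after the certificate has been regenerated does not raise a warning; only an active setting does.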
Issue: When you create or modify an LDAP connection (CONFIGURATION > LDAP Connections) in FIPS mode and specify a previously uploaded SSL certificate, the LDAP Configuration page displays the error "File already exists." (Defect 310249)
Workaround: Delete the certificate manually and then create the LDAP connection.
To delete the certificate:
List the certificates in the NSS database:
certutil -L -d sql:/etc/opt/novell/sentinel/3rdparty/nss/
Delete the SSL certificate by its nickname:
certutil -d sql:/etc/opt/novell/sentinel/3rdparty/nss/ -D -n <certificate nickname>
To modify the certificate validity period in the Change Guardian server script and reconfigure the agents:
Log in to the Change Guardian server as root and go to the following path:
/opt/netiq/cgutils/bin/
Edit the file createClientCerts.sh and change the value of CertNumDays from 36500 to 3650 days. Save the changes.
To apply the changed certificate validity period:
Updating the createClientCerts.sh file as in step 2 sets the validity to 3650 days for fresh agent installations.
For existing agents, you must reconfigure the agents: log in to the Change Guardian Web UI and follow the steps in Reconfiguring the Agent.
(Conditional) To download the agent artifacts and certificates for fresh installations:
For Change Guardian Agent for Windows follow the steps in Installing Change Guardian Agent for Windows.
For Change Guardian Agent for UNIX, follow the steps in Installing Change Guardian Agent for UNIX.
(Conditional) To replace the certificates for manually deployed agents:
Download and extract the ChangeGuardianAgentCertificates_<hostname>.zip file.
To replace the certificates in the Change Guardian Agent for UNIX, copy the extracted vigilent-agent-pk.pem, vigilent-agent-cert.pem and javosca-bundle.pem to /usr/netiq/cmnagent/codecs/vosSSLCodec/iqlsaca/certs/.
To replace the certificates in the Change Guardian Agent for Windows, copy the extracted vigilent-agent-pk.pem, vigilent-agent-cert.pem and javosca-bundle.pem to C:\Program Files (x86)\NetIQ\ChangeGuardianAgent\codecs\vosSSLCodec\iqlsaca\certs.
Restart the agent services.