15.1 Issues in Change Guardian Server

15.1.1 No trusted certificate / SSLHandshakeException after upgrading Change Guardian in FIPS mode

Issue: Alerts cannot be viewed, and the server0.0.log file contains exceptions such as:

    Root cause: No trusted certificate found (sun.security.validator.ValidatorException)
    javax.net.ssl.SSLHandshakeException: No trusted certificate found
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)

Workaround: Import the Elasticsearch certificate into the FIPS keystore. For more information, see Importing Certificates to FIPS Keystore Database.

15.1.2 Alert Rule Deployment Fails Due to Wrong IP Entry in the Host

Issue: When you install the Change Guardian server, the correlation engine takes the IP address from the host entry. The issue occurs when the IP address of the machine has changed but the host entry has not been updated.

Workaround: Update the host entry and restart the Change Guardian server.

15.1.3 Unable to start nq_javos process after switching from legacy profile profile_iqc to profile_javos

Issue: When you switch from the legacy profile (profile_iqc) to the secure profile (profile_javos), the Javos service does not start.

Workaround: Check the /opt/netiq/cg/javos/javos.out file for errors. If you see errors indicating that content is missing from the /opt/netiq/cg/javos/javos.yml file, check whether the following lines are present in that file and add any that are missing. After updating the /opt/netiq/cg/javos/javos.yml file, restart the Javos service with the command /etc/init.d/nq_javos restart.

    cacheUpdateInterval: 60

    The recommended value for cacheUpdateInterval is 60; the minimum value is 30.

    Appenders:
      - type: file
        currentLogFilename: log/javos.log
        threshold: ALL
        archive: true
        archivedLogFilenamePattern: log/javos-%i.log
        archivedFileCount: 5
        maxFileSize: 2MB
        timeZone: system
        logFormat: "%-5level [%date] [%t] %logger: %msg%n%rEx"

15.1.4 Windows Policy Assignment Fails Due to IP Address Change in the Server

Issue: When the host name or IP address of the Change Guardian server is changed, the existing agents and CAM fail to communicate with the server, and policy assignment also fails.

Workaround: Update the Event Destination with the new host name or IP address. For more information, see Change of IP and Host Name of the Change Guardian Server.

15.1.5 Firewall Status Shows ‘Stopped’ in Change Guardian Appliance Environments

Issue: The status of the SuSEfirewall2 shows as “stopped” in the Change Guardian Appliance environments.

Workaround: Start the firewall and save the firewall configuration by running the following commands as root:

    rcSuSEfirewall2 start
    chkconfig SuSEfirewall2_init on

15.1.6 Configuring Change Guardian Appliance to Boot Normally

Issue: Rebooting the Change Guardian Appliance in Hyper-V causes it to go into emergency mode. This issue occurs because the operating system modifies the disk UUID during installation.

Workaround: Install the Change Guardian 5.1 appliance in Hyper-V and then upgrade to the Change Guardian 6.0 appliance to resolve this issue. Alternatively, you can update the UUID.

To update the UUID:

  1. (Conditional) If the Change Guardian Appliance rebooted into emergency mode, log in as root.

  2. Run the command ls -l /dev/disk/by-id/ and note the actual UUID of the disk.

  3. Run cat on each of the following files to identify the disk UUID entries they contain:

    • /etc/fstab

    • /etc/default/grub

    • /boot/grub2/grub.cfg

  4. Compare the actual disk UUID entries in /dev/disk/by-id for the SCSI partitions with those in each of the above files.

  5. (Conditional) If the disk UUIDs in any of these locations do not match the actual values, you must manually replace the incorrect values with the actual values.

    Example 15-1 Modifying Disk UUIDs

    If the UUID entry in the fstab, grub or grub.cfg files is 14d53465420202020f21b50e22267274c823e145500a372b7, but the UUID on disk is 360022480f21b50e22267145500a372b7, there is a mismatch which you must manually correct.

    Once the UUID entry is replaced with the correct value in the fstab, grub and grub.cfg files, the entries read as follows:

    • /etc/fstab

      /dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 / ext3 acl 1 1

    • /etc/default/grub

      GRUB_CMDLINE_LINUX=" root=/dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 nomodeset quiet"

    • /boot/grub2/grub.cfg

      linux /boot/vmlinuz-4.4.131-94.29-default root=UUID=ace9acb3-ac2b-47f0-960d-5b7cd5b51b47  root=/dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 nomodeset quiet

  6. (Conditional) To exit the emergency mode, reboot the virtual machine.

The SCSI disk partition UUIDs are detected correctly and the appliance boots normally.
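To check the three files against the actual /dev/disk/by-id names before editing them by hand, here is an added Python helper (not part of Change Guardian or this guide) that parses a constructed ls -l listing and constructed file contents, reports references to ids that no longer exist, and rewrites them; the ids and paths are the ones from Example 15-1, and the file contents are assumptions.

```python
import re

# Matches a /dev/disk/by-id/<name> reference (the name may carry a -partN suffix).
BY_ID_REF = re.compile(r"/dev/disk/by-id/([A-Za-z0-9_.:-]+)")

# Constructed sample of 'ls -l /dev/disk/by-id/' output after the UUID change.
SAMPLE_LISTING = """\
lrwxrwxrwx 1 root root  9 Jan  1 00:00 scsi-360022480f21b50e22267145500a372b7 -> ../../sda
lrwxrwxrwx 1 root root 10 Jan  1 00:00 scsi-360022480f21b50e22267145500a372b7-part1 -> ../../sda1
"""

# Constructed file contents: fstab still carries the stale id, the GRUB default file is already correct.
SAMPLE_FILES = {
    "/etc/fstab": "/dev/disk/by-id/scsi-14d53465420202020f21b50e22267274c823e145500a372b7-part1 / ext3 acl 1 1\n",
    "/etc/default/grub": 'GRUB_CMDLINE_LINUX=" root=/dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 nomodeset quiet"\n',
}

def parse_by_id_listing(listing):
    """Return the set of link names (e.g. scsi-...-part1) found in 'ls -l /dev/disk/by-id/' output."""
    names = set()
    for line in listing.splitlines():
        m = re.search(r"\s(\S+)\s->\s", line)
        if m:
            names.add(m.group(1))
    return names

def find_stale_references(files, present):
    """Map each file path to the sorted by-id names it references that are absent from 'present'."""
    stale = {}
    for path, text in files.items():
        missing = sorted({n for n in BY_ID_REF.findall(text) if n not in present})
        if missing:
            stale[path] = missing
    return stale

def rewrite_references(text, replacements):
    """Replace stale base ids with the real ones; -partN suffixes survive because they follow the id."""
    for old, new in replacements.items():
        text = text.replace("/dev/disk/by-id/" + old, "/dev/disk/by-id/" + new)
    return text

if __name__ == "__main__":
    present = parse_by_id_listing(SAMPLE_LISTING)
    for path, ids in find_stale_references(SAMPLE_FILES, present).items():
        print(path, "references missing disk ids:", ", ".join(ids))
```

On a real appliance, feed the helper the output of ls -l /dev/disk/by-id/ and the contents of /etc/fstab, /etc/default/grub and /boot/grub2/grub.cfg, and review the rewritten text before writing it back.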

15.1.7 Manual Configuration Required to use Registry Browser

Issue: To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled flag (under HKLM\Software\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1, and then restart the agent.

Workaround: Manually set the flag to 1 when you use the Registry Browser, to avoid the error Could not connect to Windows Data Source. (Bug 945225)

15.1.8 Restarting the Change Guardian Server with FIPS Mode Enabled Logs an Exception

Issue: If the Change Guardian server is FIPS-mode enabled and the server is restarted, the server logs an error message:

"An unexpected exception occurred while decrypting data failed. Root cause: CKR_ENCRYPTED_DATA_INVALID (sun.security.pkcs11.wrapper.PKCS11Exception) java.security.ProviderException: doFinal() failed"

(Bug 1129167)

Workaround: You can ignore the exception.

15.1.9 Cannot Connect to AD Hostname, Domain, or IP Address

Issue: The subject alternative name (SAN) in the AD certificate must exactly match the AD hostname, domain, or IP address to which you are trying to connect. If they do not match, the connection fails with an error message such as:

server0.0.log - CertificateException: No subject alternative DNS name matching ip address/hostname/dns found.

Workaround: Regenerate the LDAP server certificate so that the SAN or the subject name of the certificate matches that of the LDAP server.

If you are unable to regenerate the LDAP server certificate, update the nq_ldap_expander and server.conf files:

  1. Open the /etc/init.d/nq_ldap_expander file.

  2. Add the following text:

    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

    For example:

    RUNCMD="(cd ${PROCESS_BIN}; nohup  ${JAVA} -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -jar ./${DAEMON_FILE}.jar server ./${DAEMON_FILE}.yml > ${DAEMON_FILE}.out 2>&1; rm ${PIDFILE}) &"

  3. Open the /etc/opt/novell/sentinel/config/server.conf file.

  4. Add the following text next to wrapper.java.additional.74=

    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

    For example:

    wrapper.java.additional.74=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

  5. Go to /opt/netiq/cg/scripts.

  6. Restart the services:

    ./cg_services.sh restart
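The CertificateException above comes from the client's hostname verification of the LDAP server certificate, and disableEndpointIdentification switches that verification off for the whole process, so regenerating the certificate is the preferable fix wherever it is possible. The following added Python example (not from Change Guardian or this guide) models how a client decides whether a hostname or IP address is covered by the SAN entries; the entries and the names ldap01.example.com and 10.0.0.5 are constructed assumptions.

```python
import ipaddress

# Constructed SAN entries, as (kind, value) pairs in the form openssl prints them,
# for an LDAP server certificate that lists DNS names but no IP address.
SAMPLE_SAN_DNS_ONLY = [("DNS", "ldap01.example.com"), ("DNS", "*.example.com")]
SAMPLE_SAN_WITH_IP = SAMPLE_SAN_DNS_ONLY + [("IP", "10.0.0.5")]

def _dns_name_matches(host, pattern):
    """RFC 6125 style comparison: exact match, or a single '*' as the whole leftmost label."""
    if "*" not in pattern:
        return host == pattern
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]

def san_matches(target, san_entries):
    """Return True if the hostname or IP address 'target' is covered by the SAN entries.

    An IP target is compared only with IP entries and a DNS target only with DNS entries,
    which is why connecting by IP address to a server whose certificate lists only DNS names fails.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "IP":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS":
            if _dns_name_matches(target.lower().rstrip("."), value.lower().rstrip(".")):
                return True
    return False

def explain(target, san_entries):
    """Verdict in the spirit of the server0.0.log message."""
    if san_matches(target, san_entries):
        return "OK: %s matches a subject alternative name" % target
    return "FAIL: no subject alternative name matching %s found" % target

if __name__ == "__main__":
    for target in ("ldap01.example.com", "10.0.0.5"):
        print(explain(target, SAMPLE_SAN_DNS_ONLY))
        print(explain(target, SAMPLE_SAN_WITH_IP))
```

To see which names a real LDAP server certificate carries, run openssl s_client -connect <host>:636 and pass the printed certificate to openssl x509 -noout -ext subjectAltName.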

15.1.10 Creating or Modifying an LDAP Connection in FIPS Mode Fails With Certificate Error

Issue: When you create or modify an LDAP connection (CONFIGURATION > LDAP Connections) in FIPS mode, and specify a previously uploaded SSL certificate, the LDAP Configuration page displays an error: “File already exists.” (Defect 310249)

Workaround: Delete the certificate manually and create the LDAP connection.

To delete:

  1. List the certificates:

    certutil -L -d sql:/etc/opt/novell/sentinel/3rdparty/nss/

  2. Delete the SSL certificate:

    certutil -d sql:/etc/opt/novell/sentinel/3rdparty/nss/ -D -n <certificate nickname>

15.1.11 Modifying the Certificate Validity Period

To modify the certificate validity period in Change Guardian server script and reconfigure agents:

  1. Log in to the Change Guardian server as root and navigate to the following path:

    /opt/netiq/cgutils/bin/

  2. Edit the createClientCerts.sh file and change the value of CertNumDays from 36500 to 3650 days. Save the changes.

  3. To view the certificate validity period changes:

    1. Updating the createClientCerts.sh file as in step 2 ensures that the validity is set to 3650 days for the fresh agent installations.

    2. For the existing agents, you must reconfigure the agents. Log in to the Change Guardian Web UI and use the steps in Reconfiguring the Agent.

  4. (Conditional) To download the agent artifacts and certificates for fresh installations:

    1. For Change Guardian Agent for Windows follow the steps in Installing Change Guardian Agent for Windows.

    2. For Change Guardian Agent for UNIX, follow the steps in Installing Change Guardian Agent for UNIX.

  5. (Conditional) To replace the certificates for manually deployed agents:

    Download and extract the ChangeGuardianAgentCertificates_<hostname>.zip file.

    1. To replace the certificates in the Change Guardian Agent for UNIX, copy the extracted vigilent-agent-pk.pem, vigilent-agent-cert.pem and javosca-bundle.pem to /usr/netiq/cmnagent/codecs/vosSSLCodec/iqlsaca/certs/.

    2. To replace the certificates in the Change Guardian Agent for Windows, copy the extracted vigilent-agent-pk.pem, vigilent-agent-cert.pem and javosca-bundle.pem to C:\Program Files (x86)\NetIQ\ChangeGuardianAgent\codecs\vosSSLCodec\iqlsaca\certs.

    3. Restart the agent services.