11.1 Issues in Change Guardian Forwarder

11.1.1 Javos.log Displays SQL Error After Upgrading to Patch 2

Issue: After you upgrade to Change Guardian 6.2.1 Patch 2, the Javos log repeatedly displays an SQL error. No functionality is impacted. (Defect 790018)

Workaround: None.

11.1.2 Unable to Start the nq_javos Process After Switching from Legacy Profile profile_iqc to profile_javos

Issue: When you switch from the legacy profile (profile_iqc) to the secure profile (profile_javos), the Javos service does not start.

Workaround: Check the /opt/netiq/cg/javos/javos.out file for errors. If you see errors indicating that content is missing from the /opt/netiq/cg/javos/javos.yml file, check whether the following lines are present in that file and add any that are missing. After updating /opt/netiq/cg/javos/javos.yml, restart the Javos service with the command /etc/init.d/nq_javos restart.

    cacheUpdateInterval: 60
    Appenders:
      type: file
      currentLogFilename: log/javos.log
      threshold: ALL
      archive: true
      archivedLogFilenamePattern: log/javos-%i.log
      archivedFileCount: 5
      maxFileSize: 2MB
      timeZone: system
      logFormat: "%-5level [%date] [%t] %logger: %msg%n%rEx"

The recommended value for cacheUpdateInterval is 60; the minimum value is 30.

11.1.3 Windows Policy Assignment Fails Due to IP Address Change in the Server

Issue: When the host name or IP address of the Change Guardian server is changed, the existing agents and CAM can no longer communicate with the server, and policy assignment also fails.

Workaround: Update the Event Destination with the new host name or IP address. For more information, see Change of IP and Host Name of the Change Guardian Server.

11.1.4 Firewall Status Shows ‘Stopped’ in Change Guardian Appliance Environments

Issue: The status of SuSEfirewall2 shows as "stopped" in Change Guardian Appliance environments.

Workaround: Start the firewall and make it start on every boot by running the following commands as root:

    rcSuSEfirewall2 start
    chkconfig SuSEfirewall2_init on

11.1.5 Configuring Change Guardian Appliance to Boot Normally

Issue: Rebooting the Change Guardian Appliance in Hyper-V causes it to go into emergency mode. This issue occurs because the operating system modifies the disk UUID during installation.

Workaround: Install the Change Guardian 5.1 appliance in Hyper-V and then upgrade to the Change Guardian 6.0 appliance to resolve this issue. Alternatively, you can update the UUID.

To update the UUID:

  1. (Conditional) If the Change Guardian Appliance rebooted into emergency mode, log in as root.

  2. Run the command ls -l /dev/disk/by-id/ and note the actual UUID of the disk.

  3. Run the command cat for each of the following files to identify the disk UUID entries therein:

    • /etc/fstab

    • /etc/default/grub

    • /boot/grub2/grub.cfg

  4. Compare the actual disk UUID entries in /dev/disk/by-id for the SCSI partitions with those in each of the above files.

  5. (Conditional) If the disk UUIDs in any of these locations do not match the actual values, you must manually replace the incorrect values with the actual values.

    Example 11-1 Modifying Disk UUIDs

    If the UUID entry in the fstab, grub or grub.cfg files is 14d53465420202020f21b50e22267274c823e145500a372b7 but the UUID on disk is 360022480f21b50e22267145500a372b7, there is a mismatch that you must correct manually.

    After the UUID entry is replaced with the correct value in the fstab, grub and grub.cfg files, the entries read as follows:

    • /etc/fstab

      /dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 / ext3 acl 1 1
    • /etc/default/grub

       GRUB_CMDLINE_LINUX=" root=/dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 nomodeset quiet"
    • /boot/grub2/grub.cfg

       linux /boot/vmlinuz-4.4.131-94.29-default root=UUID=ace9acb3-ac2b-47f0-960d-5b7cd5b51b47  root=/dev/disk/by-id/scsi-360022480f21b50e22267145500a372b7-part1 nomodeset quiet 
  6. (Conditional) To exit the emergency mode, reboot the virtual machine.

The SCSI disk partition UUIDs are detected correctly and the appliance boots normally.
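The comparison in steps 2 to 5 can be scripted. The following shell script is an added example and is not part of the Change Guardian documentation; it assumes the three file locations named above and uses a BYID_DIR variable (an assumption, not a product setting) so the check can be pointed at a copied directory tree.

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: list every
# /dev/disk/by-id/scsi-* reference in the boot files named in the procedure
# and flag the ones whose ID has no matching device link. BYID_DIR is an
# assumed override so the check can be run against a copied tree.
BYID_DIR="${BYID_DIR:-/dev/disk/by-id}"

# IDs of the scsi-* links actually present (partition suffix stripped).
actual_scsi_ids() {
    ls "$BYID_DIR" 2>/dev/null \
      | sed -n 's/^scsi-\([0-9a-f][0-9a-f]*\)\(-part[0-9]*\)\{0,1\}$/\1/p' \
      | sort -u
}

# IDs referenced as scsi-<hex> anywhere in the given file.
referenced_scsi_ids() {
    grep -o 'scsi-[0-9a-f][0-9a-f]*' "$1" 2>/dev/null | sed 's/^scsi-//' | sort -u
}

# Print "FILE: ID" for each reference in FILE that matches no real link.
# Returns 1 when at least one mismatch was found, 0 otherwise.
check_file() {
    cf_file="$1"; cf_rc=0
    cf_actual="$(actual_scsi_ids)"
    for cf_id in $(referenced_scsi_ids "$cf_file"); do
        if ! printf '%s\n' "$cf_actual" | grep -qx "$cf_id"; then
            printf '%s: %s\n' "$cf_file" "$cf_id"
            cf_rc=1
        fi
    done
    return $cf_rc
}

# Check the three files from the procedure, or the files given as arguments.
check_boot_files() {
    [ $# -eq 0 ] && set -- /etc/fstab /etc/default/grub /boot/grub2/grub.cfg
    cb_rc=0
    for cb_f in "$@"; do
        check_file "$cb_f" || cb_rc=1
    done
    return $cb_rc
}

# Stand-alone use: sh check_uuids.sh --run   (exit 0 if every reference resolves)
if [ "${1:-}" = "--run" ]; then check_boot_files; fi
```

Each line of output names a file and the stale ID that must be replaced with the value seen in /dev/disk/by-id.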

11.1.6 Manual Configuration Required to use Registry Browser

Issue: To enable the Registry Browser in Change Guardian, you must set the repositoryEnabled flag (under HKLM\Software\Wow6432Node\NetIQ\ChangeGuardianAgent\repositoryEnabled) to 1, and then restart the agent.

Workaround: Set the flag to 1 manually before you use the Registry Browser, to avoid the error Could not connect to Windows Data Source. (Bug 945225)

11.1.7 Cannot Connect to AD Hostname, Domain, or IP Address

Issue: The subject alternative name (SAN) in the AD certificate must exactly match the AD hostname, domain, or IP address to which you are trying to connect. If they do not match, the connection fails with an error message such as the following:

server0.0.log - CertificateException: No subject alternative DNS name matching ip address/hostname/dns found.

Workaround: Regenerate the LDAP server certificate so that the SAN or the subject name of the certificate matches that of the LDAP server.

If you are unable to regenerate the LDAP server certificate, update the nq_ldap_expander and server.conf files as follows. The disableEndpointIdentification property turns off hostname verification for the LDAP TLS connection, so the server certificate is no longer checked against the name or address you connect to.

  1. Open the /etc/init.d/nq_ldap_expander file.

  2. Add the following text:

    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

    For example:

    RUNCMD="(cd ${PROCESS_BIN}; nohup  ${JAVA} -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -jar ./${DAEMON_FILE}.jar server ./${DAEMON_FILE}.yml > ${DAEMON_FILE}.out 2>&1; rm ${PIDFILE}) &"
  3. Open the /etc/opt/novell/sentinel/config/server.conf file.

  4. Add the following text next to wrapper.java.additional.74=

    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

    For example:

    wrapper.java.additional.74=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
  5. Go to /opt/netiq/cg/scripts.

  6. Restart the services:

    ./cg_services.sh restart
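Before disabling endpoint identification, it helps to confirm which names the LDAP server certificate actually carries. The following shell script is an added example, not part of the Change Guardian product or documentation; it assumes the server certificate has been saved as a PEM file and that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the Change Guardian documentation: check whether a
# PEM certificate's subject alternative names cover the hostname or IP address
# that the LDAP connection uses, which is the comparison Java's endpoint
# identification performs before it raises the CertificateException above.
# Requires the openssl command-line tool.

# Print the SAN entries of a certificate, one per line, as DNS:name or IP:addr.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/^IP Address:/IP:/'
}

# Return 0 if TARGET exactly equals a DNS or IP SAN entry (case-insensitive),
# 1 otherwise. Wildcard SAN entries are not expanded here.
san_matches() {
    cert_sans "$1" | sed 's/^DNS://; s/^IP://' | grep -qixF -- "$2"
}

# Print a verdict for each target name or address given after the cert path.
report() {
    r_cert="$1"; shift
    for r_target in "$@"; do
        if san_matches "$r_cert" "$r_target"; then
            printf 'ok       %s\n' "$r_target"
        else
            printf 'MISMATCH %s (regenerate the certificate with this name in its SAN)\n' "$r_target"
        fi
    done
}

# Usage: sh check_san.sh server-cert.pem ldap.example.com 192.0.2.10
if [ $# -ge 2 ]; then report "$@"; fi
```

A MISMATCH line for the value configured as the AD host is the condition that produces the CertificateException shown above.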

11.1.8 Modifying the Certificate Validity Period

To modify the certificate validity period in the Change Guardian server script and reconfigure the agents:

  1. Log in to the Change Guardian server as root and navigate to the following path:

    /opt/netiq/cgutils/bin/

  2. Edit the createClientCerts.sh file to change the value of CertNumDays from 36500 to 3650 days, then save the changes.

  3. The certificate validity period change takes effect as follows:

    1. Updating the createClientCerts.sh file as in step 2 sets the validity to 3650 days for fresh agent installations.

    2. For existing agents, you must reconfigure the agents. Log in to the Change Guardian Web UI and follow the steps in Reconfiguring Agent.

  4. (Conditional) To download the agent artifacts and certificates for fresh installations:

    1. For Change Guardian Agent for Windows follow the steps in Installing Change Guardian Agent for Windows.

    2. For Change Guardian Agent for UNIX, follow the steps in Installing Change Guardian Agent for UNIX.

  5. (Conditional) To replace the certificates for the existing agents:

    Download and extract the ChangeGuardianAgentCertificates_<hostname>.zip file.

    1. To replace the certificate in the Change Guardian Agent for UNIX, copy the extracted vigilent-agent-pk.pem, vigilent-agent-cert.pem and javosca-bundle.pem to /usr/netiq/cmnagent/codecs/vosSSLCodec/iqlsaca/certs/.

    2. To replace the certificate in the Change Guardian Agent for Windows, copy the extracted vigilent-agent-pk.pem, vigilent-agent-cert.pem and javosca-bundle.pem to C:\Program Files (x86)\NetIQ\ChangeGuardianAgent\codecs\vosSSLCodec\iqlsaca\certs.

    3. Restart the agent services.