7023363: Getting error updating database in Vibe 4.0.5

This document (7023363) is provided subject to the disclaimer at the end of this document.

Environment

Vibe 4.0.5

SUSE Linux Enterprise Server 12 Service Pack 3 (SLES 12 SP3)

SUSE Linux Enterprise Server 15

Situation

Running the ./manage-database.sh database_type updateDatabase command to update the database returns the following error:

Unexpected error running Liquibase: org/kablink/liquibase/change/custom/Mirgrate/MirroredFoldersChange has been compiled by a more recent version of the Java Runtime (class file version 54.0), this version of the Java Runtime only recognizes class file versions up to 52.0

Resolution

Vibe 4.0.5 installs JDK 10 automatically. If you are getting this error, the script is still looking at the old path for the JDK. Before you run the updateDatabase command, set the correct PATH variable:

PATH=/opt/novell/teaming/jre/bin:$PATH
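
To confirm which runtime will be picked up before rerunning updateDatabase, the class-file version named in the error can be compared with the java that is first on PATH. This is an added example, not part of the original TID; the function names are illustrative and the demo header is constructed.

```shell
#!/bin/sh
# Added example (not from the TID); function names are illustrative.

# Print the major class-file version of a .class file.
# Layout: bytes 0-3 magic CAFEBABE, 4-5 minor, 6-7 major (big-endian).
class_major() {
    magic=$(od -A n -t x1 -N 4 "$1" | tr -d ' \n')
    if [ "$magic" != "cafebabe" ]; then
        echo "not a class file: $1" >&2
        return 1
    fi
    set -- $(od -A n -t u1 -j 6 -N 2 "$1")
    echo $(( $1 * 256 + $2 ))
}

# Map the version string printed by `java -version` to a feature release:
# "1.8.0_181" -> 8 (legacy 1.x numbering), "10.0.2" -> 10.
feature_release() {
    case "$1" in
        1.*) v=${1#1.} ;;
        *)   v=$1 ;;
    esac
    echo "${v%%[!0-9]*}"
}

# Highest class major a feature release can load: release + 44
# (Java 8 -> 52, Java 10 -> 54, the two numbers in the Liquibase error).
max_class_major() {
    echo $(( $1 + 44 ))
}

# Succeeds when the java first on PATH can load the given class file.
path_java_can_load() {
    need=$(class_major "$1") || return 2
    ver=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    have=$(max_class_major "$(feature_release "$ver")")
    echo "class needs $need, $(command -v java) loads up to $have"
    [ "$need" -le "$have" ]
}

# Demo on a constructed 8-byte header: magic, minor 0, major 54.
demo_class=$(mktemp)
printf '\312\376\272\276\000\000\000\066' > "$demo_class"
echo "constructed class major: $(class_major "$demo_class")"
rm -f "$demo_class"
```

On a Vibe server, call path_java_can_load with a class file extracted from the Vibe Liquibase jar, once before and once after setting PATH.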

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.


7023362: Failed to create certificate request – countryName

This document (7023362) is provided subject to the disclaimer at the end of this document.

Environment

Privileged Account Manager

Situation

Unable to create a Certificate Signing Request (CSR) from the Hosts Console.
The following browser dialog error appears when requesting a certificate for the framework manager console:
Failed to create certificate request
The following is found in the unifid.log:
Error, Error adding attribute countryName to request

Info, SSL Error: error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long

Info, admin certRequest client:localhost user:admin@<hostname>(137.65.60.249) rc:0 status:500(Failed to create certificate request) (66ms)[42078208:42078208]<90112><327680>

Resolution

The Country field of a Certificate Signing Request should be a 2-character ISO format country code.
More details can be found from documentation provided by the Certificate Authority (CA).
The following is a list of SSL Certificate Country Codes provided by Digicert as an example:

Cause

Invalid details provided in conflict with the certificate authority documentation.
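
A pre-flight check of the subject fields catches the length problem before the request is submitted. This is an added example, not part of the original TID: check_subject is a hypothetical helper, the subject strings are constructed, and the limits are the X.520 upper bounds from RFC 5280 (counted here in bytes).

```shell
#!/bin/sh
# Added example (not from the TID).
# check_subject '/C=US/ST=Utah/O=Example Corp/CN=pam.example.com'
# Prints one line per violation; exit status 0 means the subject passes.
# Checks only the shape of the country code, not membership in ISO 3166,
# and does not handle an escaped '/' inside a value.
check_subject() {
    printf '%s\n' "$1" | LC_ALL=C awk -F/ '
    BEGIN {
        # Upper bounds from RFC 5280, Appendix A (X.520 attribute sizes).
        max["C"] = 2;  max["ST"] = 128; max["L"] = 128
        max["O"] = 64; max["OU"] = 64;  max["CN"] = 64
    }
    {
        for (i = 2; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) {
                printf "malformed component: %s\n", $i; bad = 1; continue
            }
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            if (key == "C" && val !~ /^[A-Z][A-Z]$/) {
                printf "C: \"%s\" is not a 2-letter ISO 3166 code\n", val
                bad = 1
            } else if ((key in max) && length(val) > max[key]) {
                printf "%s: %d characters, limit %d\n", key, length(val), max[key]
                bad = 1
            } else if (val == "") {
                printf "%s: empty value\n", key
                bad = 1
            }
        }
    }
    END { exit bad + 0 }'
}

# Demo on constructed subjects: the first repeats the mistake behind the
# "string too long" log entry, the second passes.
check_subject '/C=United States/ST=Utah/O=Example Corp/CN=pam.example.com' || true
check_subject '/C=US/ST=Utah/O=Example Corp/CN=pam.example.com' && echo "subject ok"
```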


7019592: How to Manually Upgrade Reload (Due to Proxy or Unable to Establish an HTTP Connection)

Manually download the latest version of Reload and run the Reload upgrade again.

  1. Download the latest version:

     • Reload 5 Full Version – Needed for upgrading from Reload 4 to Reload 5:
       http://download.gwava.com/download.php?product=Reload&version=current

     -OR-

     • Reload 5 Reduced Version – Needed for upgrading from any prior version of Reload 5.x to a newer version of Reload 5:
       http://download.gwava.com/download.php?product=Reload&version=rpmr5

  2. If the file was downloaded on a local Windows workstation rather than with a web browser on the Reload server, use WinSCP or a similar utility to copy the downloaded file to the Reload server.

  3. Copy the zip file to /opt/beginfinite/reload/upgrade.

  4. Run the upgrade through the Reload console (SYSTEM > TOOLS > UPGRADE…) or run the Reload upgrade agent from a command prompt: “reloadu”.

7017089: Overview of Three Strikes the Patch is Out in ZENworks

This document (7017089) is provided subject to the disclaimer at the end of this document.

Environment

Novell ZENworks Configuration Management 11.4.1

Situation

This is an overview of the “three strikes the patch is out” capability in Novell ZENworks. This is a new feature added to ZPM to be able to stop patch policies from continually applying when a patch fails to apply.

Resolution

This can happen in multiple scenarios. The most likely scenario is that the vendor releases a bad patch or there is software on the system preventing the patch from being applied. In this scenario, zpm still needs to attempt to apply all the good patches, but after 3 tries and failing to apply a bad patch, the bad patch needs to go to quarantine for just that endpoint. Furthermore, if the patch fails to apply, then a reboot should not happen.
If the patch is successful, but still reports as being not patched, then a retry will occur following the reboot. This process will repeat 3 times. On the fourth (and subsequent) attempts, zpm will skip the deployment and log specific messages in the zmd-messages.log file to indicate that the bad patch has been quarantined.
Example:
The patch ‘Windows Defender Definition Update 1.207.1501.0 (September 30, 2015)’ can be installed successfully, but it can’t be changed to patched state due to a problem with the patch content.
Testing setup:
  1. Create a patch policy with two patches, ‘Windows Defender Definition Update 1.207.1501.0 (September 30, 2015)’ and another normal patch which supports reboot and can be changed to patched state.
  2. Publish this Patch Policy and run zac pap on the agent platform.
  3. When the reboot dialog window appears, click the Reboot button and allow the machine to reboot.
  4. After the reboot, run zac pap another three times. Open the log file and observe the “Patch is in quarantine <patch policy name>” statement.
Actual result:
The installation progress is displayed in the progress bar each time zac pap is run. Notice that the first three attempts after running zac pap take more time, but the fourth is considerably faster. This is due to the patch deployment being skipped on the fourth (and subsequent) attempts, with no reboot occurring.
Log File Information:
The zmd-messages.log file will contain the following two log statements to aid in diagnostics:
[Patch]… “Item is not applicable or already patched: <itemID>”
[Patch]… “Patch is in quarentine <patch policy name>”
Patch State Persistence:
The three strikes patch state is persisted. In order to apply the patch again in the future, one of the following actions can be performed to reset the patch state:
1. Update the patch via “Update Now” subscription request and action “Update cache” on the patch
2. Perform the patch Deploy Remediation action again
or, to troubleshoot further, delete or modify the file DeploymentResult.xml located at: %ZENWORKS_HOME%zpm and restart the agent or reboot. Then redeploy the deployment or patch policy to get the original cause of failure.

Additional Information

The DeploymentResult.xml count is incremented when the patch has been patched successfully via remediate action (txt file in ZPM folder shows SUCCESS). If the subsequent scans don’t show it as patched in the .state file, the patch policy will keep trying to deploy the patch until the count of 3 is reached.

NOTE: A patch scan can fail to detect the device as patched if the device hasn’t been rebooted since the remediation was done. If devices don’t reboot after patches are applied, the count could increment and the patch could go into quarantine because the device was not rebooted properly. Devices should always reboot after applying patches that require a reboot, or scans may return improper results.


7023360: Unable to access resources when using Sophos STAS

This document (7023360) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ eDirectory 8.8.8
Client for Open Enterprise Server 2 SP4
Sophos XG Firewall
Sophos Transparent Authentication Suite (STAS)

Situation

Unable to access Internet resources when authenticating to eDirectory through STAS.

Resolution

Ensure that each eDirectory user object has the UserID (UID) attribute populated. One approach is to use the steps outlined in Cool Solution “Setting Up UIDs in iManager based on CN Values” https://www.novell.com/coolsolutions/feature/18867.html

Cause

STAS relies on the UID being populated.


7021981: Connecting through a Firewall with Reflection FTP Client

Passive Mode FTP

Passive mode FTP transfers use only outward connections for both control and data connections. Reflection FTP uses passive mode by default. If you suspect your firewall is blocking inbound connections, follow the steps below to confirm that Reflection FTP Client is configured for passive mode connections.

  1. Start Reflection FTP Client.
  2. On the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Properties.
  3. In the Site Properties dialog box, click the Connection tab and confirm that the “Use passive mode” check box is selected.

SOCKS Proxy Server Firewalls

SOCKS proxy servers use the SOCKS protocol between the FTP client and the proxy server. Reflection FTP Client includes support for SOCKS servers.

To configure Reflection FTP Client to support a SOCKS proxy server, follow the steps below that correspond to your version of Reflection.

  1. Start Reflection FTP Client.
  2. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Security.
  3. Select the Proxy tab > Use proxy server > SOCKS. Click Configure.
  4. Enter the IP address of your SOCKS proxy server.
  5. Click OK to close the open dialog boxes, and then retry your connection.

See the product help for more information about configuring Reflection for multiple SOCKS proxy servers.

Common FTP Passthrough Server Firewalls

Passthrough servers differ from other proxy servers in that they use the FTP protocol to communicate between the FTP client and the firewall. To configure Reflection FTP Client to support common FTP Passthrough servers, follow the steps below.

  1. Start Reflection FTP Client.
  2. On the Connection menu, click Connect. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Security.
  3. On the Firewall tab, select the Use Firewall check box.
  4. In the Style drop-down list select the authentication style used by your server. For information about the available options, search on “Firewall Authentication Styles” in the product help.
  5. The Server name and User name fields on this tab become enabled or disabled depending on the authentication style you selected. Enter these values as required by your authentication type.
  6. If you want to avoid entering a required password for future connections, select “Save password” and then enter the password.
  7. If you are using the “username@servername” style and your passthrough server requires a login before the USER command, select the Passthrough authentication check box.
  8. Click OK to close all of the dialog boxes, and then retry your connection.

Uncommon FTP Passthrough Server Firewalls

There is no industry-standardized format for connecting through an FTP passthrough server. Because of the wide variation in authentication methods, you may need to experiment with the information you enter in the passthrough server and general site properties fields in Reflection.

For example, you may need to enter your firewall user name instead of your FTP server user name on the General tab of the Site Properties. Consult your firewall documentation for the required syntax.

HTTP Proxy Server Firewalls

Some firewalls support HTTP proxy connections. To configure the FTP Client to use an HTTP proxy:

  1. Start Reflection FTP Client.
  2. In the Connect to FTP Site dialog box, select the FTP site that you are connecting to, and then click Security.
  3. Select the Proxy tab > Use proxy server > HTTP. Click Configure.
  4. Enter connection information for your HTTP proxy server.
  5. Click OK to close the open dialog boxes, and then retry your connection.


3078409: Handling ndsd (eDirectory) core files on Linux and Solaris

Sometimes ndsd crashes because of memory corruption. If this is the case, it is necessary to add variable settings to the ndsd environment to put the memory manager into a debug state. This helps ensure that ndsd generates a core at the time the corruption occurs, so the module that caused the corruption can more easily be identified in the core.

If ndsd cores due to stack corruption, Novell Technical Support will request that you add the appropriate memory manager setting and wait for another core to re-submit.

Linux

To set the necessary memory checking variable on Linux:

Systemd – SLES 12 / Redhat 7 or later: Modify the “env” file located in the /etc/opt/novell/eDirectory/conf directory, then restart the eDirectory instance. ( See 2nd bullet under “Please refer to the following notes:” for details. )

MALLOC_CHECK_=3



SysVinit – SLES 11 / RedHat 6 or earlier: Modify the pre_ndsd_start script and add the following at the very top, then restart the eDirectory instance.

MALLOC_CHECK_=3

export MALLOC_CHECK_

Please refer to the following notes:

  • The contents of the pre_ndsd_start script are sourced into ndsd at the time ndsd loads. Be aware that any permanent settings will be overwritten if left in the ndsd script the next time an eDirectory patch is applied while the pre_ndsd_start script will not be modified. For this reason changes to the ‘ndsd’ script itself should not be made. This is the purpose of the pre/post_ndsd_start scripts.

  • eDirectory on SLES 12 or RHEL 7: You must add all environment variables required for the eDirectory service in the env file located in the /etc/opt/novell/eDirectory/conf directory.

  • MALLOC_CHECK_=3 should NOT be left in place permanently. Once the cores have been gathered, remove this setting from the modified script and restart ndsd. This environment variable can have a performance impact on some systems due to the increased memory checking. In eDirectory 8.8, it will cause ndsd to revert to using malloc instead of tcmalloc_minimal, which was added to enhance performance.

    Another side effect of using MALLOC_CHECK_=3 is the possibility of increased coring. Malloc will cause ndsd to core whenever a memory violation is detected whether or not it would have caused ndsd to crash under normal running conditions.

    To verify this ndsd environment variable is set properly while ndsd is running, do the following as the user running the eDirectory instance (‘root’ most of the time):

    strings /proc/`pgrep ndsd`/environ | grep -i MALLOC_CHECK_

    The command above will not work on a server with multiple eDirectory instances (or ndsd processes). To check a particular instance find that instance’s process’s PID and use that directly. For PID 12345 the command would be the following:

    strings /proc/12345/environ | grep -i MALLOC_CHECK_

    After ndsd has cored, to verify the core file had the ndsd environment variable set, do the following:

    strings core.#### | grep -i MALLOC_CHECK_

    Bundle the core with MALLOC_CHECK_=3 set as in step 2.

    For more information on Malloc check see: TID 3113982 – Diagnosing Memory Heap Corruption in glibc with MALLOC_CHECK_

  • In eDirectory 8.8.5 ftf2 (patch2), the location of pre_ndsd_start has been moved from /etc/init.d to /opt/novell/eDirectory/sbin/.
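
The per-instance check described in the notes above, extended to every running ndsd process so that an instance still running with the debug setting is not missed. This is an added example, not part of the original TID; the function names are illustrative and the demo environ file is constructed.

```shell
#!/bin/sh
# Added example (not from the TID); function names are illustrative.

# Print the MALLOC_CHECK_ value stored in an environ file, or "unset".
# /proc/<pid>/environ holds NUL-separated KEY=VALUE records, so split on NUL
# and match the variable name only at the start of a record.
malloc_check_of() {
    v=$(tr '\000' '\n' < "$1" | sed -n 's/^MALLOC_CHECK_=//p' | head -n 1)
    echo "${v:-unset}"
}

# One line per running ndsd process: PID, MALLOC_CHECK_ value, command line.
# Run as the user that owns the instance (usually root), as the TID says.
report_ndsd() {
    for pid in $(pgrep ndsd); do
        printf '%s MALLOC_CHECK_=%s %s\n' "$pid" \
            "$(malloc_check_of "/proc/$pid/environ")" \
            "$(tr '\000' ' ' < "/proc/$pid/cmdline")"
    done
}

# Filter report_ndsd output (stdin) down to the PIDs that still carry the
# setting, i.e. the instances to clean up once the cores have been gathered.
still_debugging() {
    awk '$2 != "MALLOC_CHECK_=unset" { print $1 }'
}

# Demo on a constructed environ file (not taken from a real server).
demo_env=$(mktemp)
printf 'PATH=/usr/bin\000MALLOC_CHECK_=3\000LANG=C\000' > "$demo_env"
echo "constructed environ: MALLOC_CHECK_=$(malloc_check_of "$demo_env")"
rm -f "$demo_env"

# Pass --live to inspect the ndsd processes on this host.
if [ "${1:-}" = "--live" ]; then
    report_ndsd
fi
```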

Solaris

In current code, eDirectory uses libumem as the memory manager.

To configure libumem for debugging add the following to the pre_ndsd_start script at the top and restart ndsd:

UMEM_DEBUG=default

UMEM_LOGGING=transaction

export UMEM_DEBUG UMEM_LOGGING

Submit a new core with these settings in place.

Changing the location where core files are generated

In certain situations it may be desirable to change the location where core files are generated. By default ndsd core files are placed in the dib directory. If space in this directory is limited or if another location is desired, the following can be done:

mkdir /tmp/cores

chmod 777 /tmp/cores

echo "/tmp/cores/core" > /proc/sys/kernel/core_pattern

This example would now generate the core.<pid> file in /tmp/cores

To revert back to placing cores in default location:

echo core > /proc/sys/kernel/core_pattern

Symbol build of ndsd libraries

In some cases, a core file generated while running libraries with symbols included may be necessary to analyze the core.

This is particularly true when analyzing cores generated by the 64 bit version of ndsd since the parameters aren’t located at a specific location.

The symbol versions of the libraries can be obtained from Novell eDirectory backline support.


7023024: Packages can’t be updated in a RES 6 or RES 7 server managed by SUSE Manager. Error: Protected multilib versions

This document (7023024) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Manager 3
SUSE Manager 3.1

Situation

Errors might differ depending on the exact version of RES 6 or RES 7 and the packages installed on them. The problem is caused by installed i686 RPMs. Examples of those, in the cases customers faced, were libstdc++ in RES 6.9 and compat-libstdc++ in RES 7.4. Other releases might be affected as well.
Salt minion logs for RES 7.4:
Protected multilib versions: libstdc++-4.8.5-16.el7_4.2.x86_64 != libstdc++-4.8.5-16.el7_4.1.i686

Error: Protected multilib versions: libgcc-4.8.5-16.el7_4.2.x86_64 != libgcc-4.8.5-16.el7_4.1.i686

Error: Protected multilib versions: systemd-libs-219-42.el7_4.10.x86_64 != systemd-libs-219-42.el7_4.7.i686

Error: Protected multilib versions: libselinux-2.5-12.el7.x86_64 != libselinux-2.5-11.el7.i686
Salt minion logs for RES 6.9:
Error: Multilib version problems found. This often means that the root

cause is something else and multilib version checking is just

pointing out that there is a problem.

Resolution

Workaround 1: Deselecting the i686 packages lets everything be updated (including the i686 packages).
Workaround 2: Even though it is not recommended/supported to use yum or zypper inside SUSE Manager clients, “yum update” will fix the problem.
Fix: Install the latest patches for salt, first on the salt master (SUSE Manager), restart the salt-master service, then on the RES clients. Restart the salt-minion service on each affected client. Should the patch not be available yet, please open an incident in order to request a PTF.
Once the packages are installed, schedule a “Package profile update” (Minion page -> Software -> Update Package List) in order to refresh the software profile with all the installed package versions. Selecting all packages for upgrade should then work successfully.

Cause

Salt and SUSE Manager do not properly handle installed packages that have the exact same name but a different architecture. This problem is not observed on SUSE systems because different names are used for different architectures (e.g. glibc / glibc-32bit on SUSE while glibc.i686 / glibc.x86_64 on RES).
When two packages with the same name but different architecture are installed on a minion, the package profile that is gathered from salt contains only one of the installed versions of those packages. SUSE Manager therefore targets only one of them during the upgrade (without setting any arch), and yum fails when it tries to resolve which package it should choose.
A patch for this issue was released involving fixes on the salt side and also restructuring the package profile handled by the Java side in order to make SUSE Manager fully aware of multiple installed versions of the packages and avoid this situation.
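
To find the packages that put a RES client into this condition, list every name installed for more than one architecture and flag version drift between the architectures. This is an added example, not SUSE Manager or Salt code; the function name is illustrative and the package list in the demo is constructed from the names in the log above.

```shell
#!/bin/sh
# Added example (not SUSE Manager or Salt code); the function name is illustrative.
#
# stdin:  one "name version-release arch" line per installed package, e.g. from
#           rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n'
# stdout: names installed for more than one architecture, with the version per
#         architecture, marked DRIFT when the versions differ (the state yum
#         rejects with "Protected multilib versions").
multiarch_packages() {
    awk '
    {
        if (($1, $3) in seen) next      # e.g. several kernels, same arch
        seen[$1, $3] = 1
        narch[$1]++
        list[$1] = list[$1] " " $3 "=" $2
        if (narch[$1] == 1)
            first[$1] = $2
        else if ($2 != first[$1])
            drift[$1] = 1
    }
    END {
        for (n in narch)
            if (narch[n] > 1)
                printf "%s%s%s\n", n, list[n], (n in drift) ? " DRIFT" : ""
    }' | sort
}

# Demo on a constructed package list (the bash entry is made up; the other
# names and versions are the ones in the RES 7.4 log above).
multiarch_packages <<'EOF'
libstdc++ 4.8.5-16.el7_4.2 x86_64
libstdc++ 4.8.5-16.el7_4.1 i686
libgcc 4.8.5-16.el7_4.1 x86_64
libgcc 4.8.5-16.el7_4.1 i686
bash 4.2.46-29.el7_4 x86_64
EOF
```

On a client, pipe the rpm query shown in the header comment into multiarch_packages; every name it prints is one for which the collapsed package profile described above loses an architecture.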


7023054: DSfW: Unable to join a NetApp SVM to a domain.

This document (7023054) is provided subject to the disclaimer at the end of this document.

Environment

Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1

Open Enterprise Server 2018 (OES 2018) Linux

Domain Services for Windows
DSfW

Situation

Attempting to join a NetApp SVM version 9.3P1 or higher fails with the following message:

Error: Machine account creation procedure failed

[ 121] Loaded the preliminary configuration.
[ 451] Created a machine account in the domain
[ 452] Successfully connected to ip x.x.x.x, port 445
using TCP
[ 456] Unable to connect to LSA service on dsfw01.ourlab.com
[ 456] Successfully connected to ip x.x.x.x, port 445
using TCP
[ 459] Unable to connect to LSA service on dsfw02.ourlab.com
[ 459] No servers available for MS_LSA, vserver: 3, domain:
ourlab.com.
**[ 459] FAILURE: Unable to make a connection (LSA:OURLAB.COM),
** result: 6940
[ 460] Could not find Windows SID
'S-1-5-21-706389590-1342203275-300340892-512'
[ 465] Deleted existing account
'CN=netapp_server,CN=Computers,DC=ourlab,DC=com'
Error: command failed: Failed to create the Active Directory machine account
"FILER01". Reason: SecD Error: no server available.

Resolution

In order to join the NetApp SVM to the DSfW domain, SMBv1 needs to be enabled. This can be done by entering the following command:

cifs security modify -vserver <virtual_server_name_here> -smb1-enabled-for-dc-connections true

Cause

DSfW only supports SMBv1 at this time. NetApp version 9.3P1 and later have SMBv1 disabled.


7022955: DSfW: Unable to join Windows 10 version 1709 workstation to domain.

This document (7022955) is provided subject to the disclaimer at the end of this document.

Environment

Open Enterprise Server 2015 (OES 2015) Linux

Open Enterprise Server 2015 (OES 2015) Linux Support Pack 1

Open Enterprise Server 2018 (OES 2018) Linux

Domain Services for Windows
DSfW

Situation

Attempting to join a Windows 10 workstation to a DSfW domain will fail in the following conditions:
  • The Windows 10 workstation has the Fall Creators Update version 1709 installed.
  • The Windows 10 workstation is a new installation of version 1709 or higher.
  • The DSfW domain has not been updated to the 2008/2012 functional level. NOTE: If the domain functional level has been raised, the join operation will succeed, but it is not possible to access GPOs, SYSVOL, or any other domain resources.

Resolution

In order to join the workstation to the domain, the SMBv1 feature on the Windows 10 workstation needs to be enabled using the add or remove programs method.
Details on how to do this can be found here

Cause

SMBv1 is not installed by default in Windows 10 Fall Creators Update and Windows Server, version 1709 and later versions. DSfW only supports SMBv1 at this time.
