Section 11.1.1, CIS Configuration Fails When Certificate Does Not Have SAN Name
Section 11.1.2, Public Network Interface is not Added to Firewall Active Zone
Section 11.1.3, CIS Configuration Fails When OES is Configured with BIOS Firmware
Section 11.1.6, Unable to Configure Kafka Service During CIS Configuration
The following procedure describes how to create sample Server Certificate, Server Key and CA Certificate files that carry a SAN (Subject Alternative Name):
Create a temp folder.
Generate the CSR (Certificate Signing Request) file.
The sample csr_detail_file.txt file is as follows:
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
O = <Organization Name>
CN = <Hostname or DNS Name>

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = oes_doc.labs.wdc.acme.com
IP = 192.168.0.1
The attributes are as follows:
CN: Host name of the OES server where the CIS server is installed.
DNS.<value>: DNS name of the OES server where the CIS server is installed.
If a DNS name is provided as the Gateway Server Address during CIS configuration, ensure that the same DNS name is configured here. For more information, see Configure CIS as a Standalone Server in NSS Media.
IP: IP address of the OES server where CIS is configured.
Create the .csr file using the following command:
openssl req -new -sha256 -nodes -out csrfilename.csr -newkey rsa:2048 -keyout serverkey.pem -config <csr_detail_file name>
Generate the public certificate using the .csr file and eDirectory.
Go to iManager > NetIQ Certificate Server > Issue Certificate.
Click Choose File to select the .csr file and click Next.
Select the Key type as SSL or TLS and the Extended key usage as Server authentication and User authentication, then click Next.
Select the Certificate Type as End Entity and follow the wizard to continue.
Click the Download the issued certificate link.
Copy the generated server certificate to the temp folder.
Convert the generated certificate from .der to .pem format.
openssl x509 -inform der -in <.der file name> -out <servercert.pem>
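The following script is an added example and is not code from the OES documentation. It generates the key and SAN-bearing CSR as the procedure does, then verifies that a certificate really lists the DNS name and IP address in its Subject Alternative Name extension, which is the property CIS depends on. It assumes that openssl is on the PATH; the host name, IP address and organization are constructed placeholders, and a self-signed certificate built from the same CSR stands in for the certificate eDirectory would issue (a second certificate is deliberately built without a SAN to show what the check rejects).

```shell
#!/bin/sh
# Added example (not from the OES documentation): create a SAN-bearing key and CSR,
# then check that a certificate carries the SAN entries CIS requires.
# Assumptions: openssl on PATH; SAN_DNS/SAN_IP/O are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SAN_DNS="${SAN_DNS:-oes_doc.labs.wdc.acme.com}"  # constructed host name
SAN_IP="${SAN_IP:-192.168.0.1}"                   # constructed address

# Write the request configuration with the subjectAltName extension section.
write_csr_config() {
    cat > "$WORKDIR/csr_detail_file.txt" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
O = Acme Labs
CN = $SAN_DNS

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $SAN_DNS
IP.1 = $SAN_IP
EOF
}

# Generate serverkey.pem and csrfilename.csr, as the procedure's openssl req step does.
make_csr() {
    write_csr_config
    openssl req -new -sha256 -nodes -out "$WORKDIR/csrfilename.csr" \
        -newkey rsa:2048 -keyout "$WORKDIR/serverkey.pem" \
        -config "$WORKDIR/csr_detail_file.txt" >/dev/null 2>&1
}

# Stand-in for the CA-issued certificate: self-sign the CSR and carry the SAN across.
self_sign_from_csr() {
    openssl x509 -req -in "$WORKDIR/csrfilename.csr" -signkey "$WORKDIR/serverkey.pem" \
        -days 1 -extfile "$WORKDIR/csr_detail_file.txt" -extensions req_ext \
        -out "$WORKDIR/servercert.pem" >/dev/null 2>&1
}

# A certificate built without any SAN (only a CN), which is the case this section warns about.
# "-x509" uses the config's x509_extensions section, which is absent, so no SAN is added.
make_cert_without_san() {
    openssl req -x509 -new -key "$WORKDIR/serverkey.pem" -subj "/CN=$SAN_DNS" \
        -days 1 -config "$WORKDIR/csr_detail_file.txt" \
        -out "$WORKDIR/nosan.pem" >/dev/null 2>&1
}

# Return 0 when certificate $1 lists $2 as a DNS or IP Address SAN entry, 1 otherwise.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -q -E "(DNS|IP Address):$2(,|\$)"
}

# Usage: build both certificates and show the check on each of them.
main() {
    make_csr
    self_sign_from_csr
    make_cert_without_san
    for cert in servercert.pem nosan.pem; do
        if cert_has_san "$WORKDIR/$cert" "$SAN_DNS" && cert_has_san "$WORKDIR/$cert" "$SAN_IP"; then
            echo "$cert: SAN present, usable as the CIS server certificate"
        else
            echo "$cert: SAN missing, CIS configuration would fail with this certificate"
        fi
    done
}

main "$@"
```

Run the script after converting the eDirectory-issued certificate to PEM and point cert_has_san at that file with the same DNS name you enter as the Gateway Server Address; a certificate that only carries the name in its CN fails the check in the same way the CN-only nosan.pem does.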
When the OES server is installed with the firewall disabled, the network interface is left in the default zone. As a result, the public network interface is not added to the firewall's active zone.
Before configuring CIS, you must first change the zone of the interface from default to public.
Open the YaST2 Firewall window using the yast2 firewall command.
Select the required Ethernet device and then click Change Zone > public.
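The following is an added example, not part of the OES documentation, for verifying the result of the zone change from a shell rather than from YaST2. It assumes that the host's firewall is firewalld (the backend the YaST2 firewall module manages on SLES 15), so firewall-cmd is available; the sample listing embedded below is constructed to resemble the output of firewall-cmd --get-active-zones on a host whose interface was left in a non-public zone.

```shell
#!/bin/sh
# Added example (not from the OES documentation): find which firewalld zone an interface
# is in and, when needed, move it to the public zone before configuring CIS.
# Assumptions: firewalld is the firewall backend; SAMPLE_LISTING is constructed test data.
set -eu

# Print the zone that lists IFACE in a "firewall-cmd --get-active-zones" style listing read
# from stdin (zone name on its own line, followed by an indented "interfaces:" line).
# Prints nothing if the interface appears in no active zone.
zone_of_interface() {
    awk -v want="$1" '
        /^[^[:space:]]/ { zone = $1; next }
        /^[[:space:]]+interfaces:/ {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# Live check against the running firewall (needs root and firewall-cmd on PATH).
interface_is_public() {
    [ "$(firewall-cmd --get-active-zones | zone_of_interface "$1")" = "public" ]
}

# Move IFACE to the public zone in the permanent configuration and apply it.
move_interface_to_public() {
    firewall-cmd --permanent --zone=public --change-interface="$1" >/dev/null
    firewall-cmd --reload >/dev/null
}

# Constructed sample: eth0 sits in the "block" zone, only eth1 is public.
SAMPLE_LISTING='docker
  interfaces: docker0
public
  interfaces: eth1
block
  interfaces: eth0'

# Usage on the sample data: prints "block" for eth0, so this host needs the zone change.
printf '%s\n' "$SAMPLE_LISTING" | zone_of_interface eth0
```

On a real host, run interface_is_public eth0 (or whatever device name the server uses) after the YaST2 change; if it still fails, move_interface_to_public performs the same change persistently with firewall-cmd.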
When CIS is installed during the OES installation and OES is configured with BIOS firmware, some of the CIS service configuration fails. To avoid this issue, restart the server after the installation and then proceed with the CIS configuration using either the FQDN or the IP address of the server. Alternatively, CIS can be configured using the IP address without restarting the server.
When you execute the docker ps command to verify the CIS server configuration, the command does not list any of the CIS services, or lists only the collector and aggregator services.
To resolve this issue, perform the following:
Ensure that the MariaDB and OpenSearch services with which CIS is configured are up and running.
If the firewall is running, ensure that the MariaDB port 3306 and the OpenSearch port 9400 are open.
If CIS is the first server installed in the tree, the schema is not updated. Therefore, an "Undefined Attribute Type" error is displayed while configuring CIS. To resolve this issue, extend the eDirectory schema for the CIS server.
To extend the eDirectory schema, perform the following:
If eDirectory and CIS are installed on the same server, run the following command:
/opt/novell/eDirectory/bin/ndssch -h <IP address or hostname where eDirectory or CIS is running> 'cn=admin.o=novell' <file path of cis.sch>
For example,
/opt/novell/eDirectory/bin/ndssch -h 192.168.0.1 'cn=admin.o=novell' /opt/novell/cis/schema/cis.sch
OR
If eDirectory and CIS are installed on different servers, perform the following:
Copy the cis.sch file from /opt/novell/cis/schema to the eDirectory server.
Run the following command:
/opt/novell/eDirectory/bin/ndssch -h <IP address or hostname where eDirectory is running> 'cn=admin.o=novell' <file path of cis.sch>
For example,
/opt/novell/eDirectory/bin/ndssch -h 192.168.0.1 'cn=admin.o=novell' /root/cis.sch
CIS configuration fails with the error "Kafka configuration failed: ErrInternalError: eth0: error fetching interface information: Device not found" while configuring the Kafka service. This happens because the server's network device is identified as 'em0' instead of 'eth0'.
To avoid this issue, perform the following:
Log in to the server as the root user.
Run the following command:
yast2 lan
On the Network Settings page, under the Overview tab, select the network device named em0 and click Edit.
On the Network Card Setup page, under the Hardware tab, click Change and rename the Device Name from 'em0' to 'eth0'.
Click Next and then click OK.
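As an added example that is not part of the OES documentation, the following pre-flight check confirms that the device name the Kafka configuration expects ('eth0') exists before CIS configuration starts, and otherwise lists the devices present so the rename described above can be done first. It assumes device names are read from /sys/class/net; the SYSFS_NET variable is an assumed hook that lets the check run against a constructed directory.

```shell
#!/bin/sh
# Added example (not from the OES documentation): pre-flight check that the network
# device CIS expects exists before the Kafka configuration step runs.
# Assumptions: device names come from /sys/class/net; SYSFS_NET and EXPECTED_DEVICE
# are hooks introduced here, not CIS settings.
set -u

EXPECTED_DEVICE="${EXPECTED_DEVICE:-eth0}"
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# List the kernel's network device names, one per line, excluding the loopback device.
list_net_devices() {
    for d in "$SYSFS_NET"/*; do
        [ -e "$d" ] || continue
        name=$(basename "$d")
        [ "$name" = lo ] || printf '%s\n' "$name"
    done
}

# Return 0 if the expected device exists, 1 otherwise.
expected_device_present() {
    [ -e "$SYSFS_NET/$EXPECTED_DEVICE" ]
}

# Print the result; on failure also print the devices that exist (for example em0),
# which is the situation the yast2 lan rename above resolves.
preflight_report() {
    if expected_device_present; then
        printf 'OK: %s is present, Kafka configuration can proceed\n' "$EXPECTED_DEVICE"
        return 0
    fi
    printf 'MISSING: %s not found; existing devices: %s\n' \
        "$EXPECTED_DEVICE" "$(list_net_devices | tr '\n' ' ')"
    return 1
}
```

Source the file and call preflight_report before starting the CIS configuration; a non-zero exit status means the rename step is still required.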