Overview#
Issues With Remote Loader is about AD Remote Loaders and the engine on DirXML 126.96.36.199. We were upgrading from DirXML 188.8.131.52 and DirXML 184.108.40.206 to DirXML 220.127.116.11.
This may be helpful for others when troubleshooting DirXML.
We had some issues in PILOT, where the Edir-To-Edir drivers would not work if only one side was upgraded. We are not confident of the exact issue, and Support was not very helpful, stating only:
"I'm sure there is no issue when you stay within a major version number like 4.0.2."
"I'm going to add a caveat though, with all the openssl, poodle security fixes; I've seen things that used to communicate over SSL fail when one side was updated and not the other. That would be my only concern. If you use SSL between the 2 then you would need to confirm you could still connect. If you can then you are fine."
When we performed the upgrade from DirXML 18.104.22.168 and DirXML 22.214.171.124 to DirXML 126.96.36.199, none of the three AD drivers would start. During an upgrade of an IDV to DirXML 188.8.131.52 SE where the Remote Loader was NOT upgraded, we see this message in the DirXML Engine trace file:
[03/25/15 22:41:16.693]:idv-ad ST:
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Standard" version="184.108.40.206">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <init-params src-dn="\WILELKE\net\willekedir\esc\DirXML\NW Driver Set\IDV to SIC AD">
      <authentication-info>
        <server>REMOTE(hostname=10.92.1.178 port=8090 kmo=NDS2NDS)DCP0705.willeke.net</server>
        <user>DirXML</user>
        <password><!-- content suppressed --></password>
      </authentication-info>
      <driver-options>
...
[03/25/15 22:54:43.249]:sic-ad PT:
<nds dtdversion="4.0" ndsversion="8.x">
  <input>
    <status level="error" type="remoteloader">java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL, error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number</status>
  </input>
</nds>
Cause#
Identity Manager DirXML 220.127.116.11 contains a fix for CVE-2014-3566 (POODLE) which disables the use of SSLv3 on the wire. As the Remote Loader code was not updated, it would still try to do SSLv2 (sic should say SSLv3), which the Engine can no longer do; therefore the connection was not established.
- Identity Manager 4.0.2 Remote Loader secure connection fails with SSL3_GET_CLIENT_HELLO after Patch 7
- Is IDM Remote Loader from one version supported with a different IDM engine version?
We also heard from Support:
I was rereading the TID and saw that I made a "small" mistake, which I then corrected. TID7003488 - "Is IDM Remote Loader from one version supported with a different IDM engine version?", provides some information, but the TLSv1.x thing with 4.0.2 Patch 7 means that Patch 7 only talks to Patch 7 when you have encrypted communication, and also IDM 4.5 Engine / Remote Loader Patch 2 should be able to talk to Patch 7. But we do not really support IDM 4.0.2 <-> IDM 4.5 communication (Engine and Remote Loader) ... except for the Office 365 driver. If you stay on Patch 5 or 6 you will have more options on what will work but you will have the OpenSSL security issues.
What to Look for#
After upgrading to DirXML 18.104.22.168 SE, in the DirXML Remote Loader trace file you want to see:
DirXML: [02/03/15 18:27:14.34]: Loader: Waiting for DirXML to connect on 'TCP server socket, port 8090, address localhost, using TLSv1'…
If you see:
<nds dtdversion="4.0" ndsversion="8.x"> <input> <status level="error" type="remoteloader">java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL, error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number</status> </input> </nds>
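A small scanner for the two trace patterns above, as an added example that is not part of the original page or the product: it reads the listener protocol from Remote Loader trace lines and attributes each `SSL handshake failed` status to the driver named in the preceding trace header. The name `scan_trace` and the one-element-per-line layout of the sample are assumptions.

```python
import re

# Patterns follow the trace excerpts quoted on this page.
HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\]:(?P<driver>\S+) (?:ST|PT):")
LISTEN = re.compile(r"\[(?P<ts>[^\]]+)\]: Loader: Waiting for DirXML to connect on "
                    r"'TCP server socket, port (?P<port>\d+), address (?P<addr>[^,]+), "
                    r"using (?P<proto>[^']+)'")
STATUS = re.compile(r'<status level="error" type="remoteloader">(?P<msg>[^<]*)</status>')


def scan_trace(lines):
    """Return (listeners, failures) found in engine or Remote Loader trace lines."""
    listeners, failures = [], []
    ts = driver = None            # most recent "[timestamp]:driver ST|PT:" header
    for line in lines:
        head = HEADER.match(line)
        if head:
            ts, driver = head["ts"], head["driver"]
        listen = LISTEN.search(line)
        if listen:
            listeners.append((int(listen["port"]), listen["addr"], listen["proto"]))
        status = STATUS.search(line)
        if status and "SSL handshake failed" in status["msg"]:
            # "wrong version number" is the error text this page shows when
            # only one side of the connection was upgraded.
            mismatch = "wrong version number" in status["msg"]
            failures.append({"ts": ts, "driver": driver, "version_mismatch": mismatch})
    return listeners, failures


# Constructed sample: the page's trace excerpts, laid out one element per line.
SAMPLE = '''\
DirXML: [02/03/15 18:27:14.34]: Loader: Waiting for DirXML to connect on 'TCP server socket, port 8090, address localhost, using TLSv1'
[03/25/15 22:54:43.249]:sic-ad PT:
<nds dtdversion="4.0" ndsversion="8.x">
  <input>
    <status level="error" type="remoteloader">java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL, error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number</status>
  </input>
</nds>
'''.splitlines()

if __name__ == "__main__":
    listeners, failures = scan_trace(SAMPLE)
    for port, addr, proto in listeners:
        print(f"listener {addr}:{port} uses {proto}")
    for f in failures:
        print(f"{f['ts']} {f['driver']}: handshake failed, version mismatch={f['version_mismatch']}")
```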