Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-2342174.1
Update Date:2018-04-25

Solution Type: Problem Resolution Sure

Solution 2342174.1: LDAP service in 'maintenance' state. Service log reports "certutil: could not add certificate to token or database: Error adding certificate to database" (SMF-8000-YX)


Related Items
  • Sun ZFS Storage 7320
  • Oracle ZFS Storage ZS5-4
  • Oracle ZFS Storage ZS3-2
  • Oracle ZFS Storage ZS3-4
  • Sun ZFS Storage 7420
  • Oracle ZFS Storage ZS5-2
  • Oracle ZFS Storage ZS4-4
  • Sun ZFS Storage 7120
Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: 7xxx NAS

In this Document
Symptoms
Changes
Cause
Solution


Created from <SR 3-16463590610>

Applies to:

Sun ZFS Storage 7420 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS5-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS5-2 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS3-4 - Version All Versions to All Versions [Release All Releases]
Oracle ZFS Storage ZS3-2 - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Symptoms

The ZFS Storage Appliance reports a Major defect, SMF-8000-YX, because the LDAP client service (svc:/network/ldap/client:default) has failed and been placed in the maintenance state.
The LDAP service log reports:
    certutil: could not add certificate to token or database: Error adding certificate to database.
    svc:/network/ldap/client:default: cert conversion failed.

e.g.:

ZFSSA:> maintenance problems
ZFSSA:maintenance problems> show
Problems:

COMPONENT    DIAGNOSED            TYPE            DESCRIPTION
problem-000  2018-1-2 11:22:33    Major Defect    Service svc:/network/ldap/client:default failed - a start, stop or refresh method failed.

ZFSSA:maintenance problems> select problem-000
ZFSSA:maintenance problem-000> show
Properties:
                          uuid = 97e2add8-d50d-4536-9da7-a96c900dc6f5
                          code = SMF-8000-YX
                     diagnosed = 2018-01-02 11:22:33
                   phoned_home = never
                      severity = Major
                          type = Defect
                           url = http://support.oracle.com/msg/SMF-8000-YX
                   description = Service svc:/network/ldap/client:default failed - a start, stop or refresh method failed.
                        impact = svc:/network/ldap/client:default failed is unavailable.
                      response = The service has been placed into the maintenance state.
                        action = If the service corresponds to one of the configurable services on the appliance, check the service configuration and log
                                 files for any errors. Correct the errors and restart the service. If the service is an internal appliance service, mark
                                 the fault repaired. Please refer to the associated reference document at http://support.oracle.com/msg/SMF-8000-YX for the
                                 latest service procedures and policies regarding this diagnosis.

Components:

component-000  100%  svc:///network/ldap/client:default (faulted)

This is also seen in the BUI under: Maintenance > PROBLEMS


ZFSSA:> maintenance logs select system list
ENTRY      TIME               Description
entry-xx0  2018-1-2 11:22:33  Enabled.
entry-xx1  2018-1-2 11:22:33  Executing start method ("exec /lib/svc/method/ldap-client start").
                              certutil: could not add certificate to token or database: Error adding certificate to database.
                              svc:/network/ldap/client:default: cert conversion failed.
entry-xx2  2018-1-2 11:22:34  Method "start" exited with status 95.

This is also seen in the BUI under: Configuration > SERVICES > LDAP > Logs.


Changes

A new LDAP server was installed to replace the old LDAP server. The new server was given the same hostname as the old one.

Cause

The start method of svc:/network/ldap/client:default converts the certificates configured for the LDAP service (kept as PEM files under /var/ldap/certs) into the service's NSS certificate database with certutil. One of the configured certificates could not be added ("Error adding certificate to database"), most likely the stale certificate of the replaced LDAP server, which was still configured alongside the certificate of the new server of the same name. The start method therefore exited with status 95 (SMF_EXIT_ERR_FATAL) and SMF placed the service in maintenance, which the appliance reports as SMF-8000-YX.

Solution

Under Configuration > SERVICES > LDAP, review the configured certificates, remove any that are no longer needed (for example the certificate of the replaced LDAP server, or any expired certificate), then restart the LDAP service. Confirm afterwards that the service is online and that the problem no longer appears under Maintenance > PROBLEMS.

 

The certificates are in the directory /var/ldap/certs. The following command can help show what a certificate is used for. I was able to use this to determine that there were some certificates that could be removed. Once they were removed from the /var/ldap/certs directory, the LDAP service could be restarted via the BUI.

# openssl x509 -noout -subject -dates -in f2756d61-9376-ee3b-b437-8abfc835e235.pem
subject= /C=US/ST=CO/L=Boulder/O=XXXX/OU=XX/CN=xxxx.yyyy/emailAddress=sysadm@xxx.yy
notBefore=Nov 13 18:39:35 2008 GMT
notAfter=Nov 11 18:39:35 2018 GMT
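The openssl command above inspects one file at a time. As an added example that is not part of the Oracle note, the shell script below runs the same inspection over every PEM file in a directory, tags certificates that are expired (or expire within a window you choose) and lists subjects that occur in more than one file, which is what an old and a new server certificate with the same name look like. It only reads the files; removal is still done through the LDAP service configuration. The directory path, the expiry window, the LDAP server host and port, and the sample data in the usage lines are assumptions supplied by this example, not appliance defaults; openssl must be on PATH.

```shell
#!/bin/sh
# Added example (not from the Oracle note): audit every PEM file in an LDAP
# certificate directory, flagging expired/expiring certificates and subjects
# that occur more than once. Assumes one PEM certificate per *.pem file and
# openssl on PATH. Directory, window, host and port are caller-supplied.

# cert_records DIR [WINDOW_SECONDS]
# Prints one record per file: file|sha256-fingerprint|subject|notAfter|status
# status is OK, EXPIRING (certificate ends within WINDOW_SECONDS, default 0,
# i.e. already expired) or NOT_A_CERT (openssl could not parse the file).
cert_records() {
    dir="$1"
    window="${2:-0}"
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        if ! openssl x509 -noout -in "$f" >/dev/null 2>&1; then
            printf '%s||||NOT_A_CERT\n' "$f"
            continue
        fi
        # sed strips the "subject=" / "notAfter=" / "... Fingerprint=" labels,
        # which differ slightly between OpenSSL releases
        subj=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
        end=$(openssl x509 -noout -enddate -in "$f" | sed 's/^notAfter=//')
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$f" | sed 's/^.*=//')
        # -checkend exits 0 only if the certificate is still valid WINDOW
        # seconds from now, so a non-zero exit means expired or expiring
        if openssl x509 -noout -checkend "$window" -in "$f" >/dev/null 2>&1; then
            status=OK
        else
            status=EXPIRING
        fi
        printf '%s|%s|%s|%s|%s\n' "$f" "$fp" "$subj" "$end" "$status"
    done
}

# duplicate_subjects < records : subjects present in more than one file
duplicate_subjects() {
    cut -d'|' -f3 | sort | uniq -d
}

# stale_files < records : files whose certificate is not OK
stale_files() {
    awk -F'|' '$5 != "OK" { print $1 }'
}

# live_fingerprint HOST [PORT] : SHA-256 fingerprint of the certificate the
# LDAP server presents on its LDAPS port (default 636). Compare it with the
# fingerprint column of cert_records to tell the new server's file from the
# stale one. Needs network access to the server.
live_fingerprint() {
    host="$1"
    port="${2:-636}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage, e.g. on a copy of the certificate directory (assumed paths):
#   cert_records ./certs 2592000 > records.txt   # flag certs ending within 30 days
#   stale_files < records.txt
#   duplicate_subjects < records.txt
#   live_fingerprint ldap.example.com 636
```

A file that appears under stale_files, or a subject that duplicate_subjects reports where only one of the matching fingerprints equals the live server's, is a candidate for removal from the LDAP service configuration before the service is restarted.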


Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.