OpenDJ Password Synchronization Plugin fails to initialize in OpenIDM 3.0.0
The purpose of this article is to provide assistance when the OpenDJ Password Synchronization Plugin fails to initialize in OpenIDM 3.0.0.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
An error similar to the following is shown when you use the ldapmodify command to add the plugin configuration to OpenDJ's configuration:
Additional Information: The attempt to apply the configuration add failed. The preliminary checks were all successful and the entry was added to the server configuration, but at least one of the configuration add listeners reported an error when attempting to apply the change: An error occurred while trying to initialize an instance of class org.forgerock.openidm.agent.accountchange.OpenidmAccountStatusNotificationHandler as an account status notification handler as defined in configuration entry cn=OpenIDM Notification Handler,cn=Account Status Notification Handlers,cn=config: ConfigException: An error occurred during OpenIDM Password Sync plugin initialization because the ds-certificate-subject-dn: c=none,l=none,o=openidm self-signed certificate,ou=none,cn=localhost,st=none is not found in provided keystore. (OpenidmAccountStatusNotificationHandler.java:404 OpenidmAccountStatusNotificationHandler.java:169 NativeMethodAccessorImpl.java:-2 NativeMethodAccessorImpl.java:57 DelegatingMethodAccessorImpl.java:43 Method.java:606 AccountStatusNotificationHandlerConfigManager.java:438 AccountStatusNotificationHandlerConfigManager.java:376 AccountStatusNotificationHandlerConfigManager.java:306 AccountStatusNotificationHandlerConfigManager.java:64 ServerManagedObjectAddListenerAdaptor.java:73 ConfigAddListenerAdaptor.java:185 ConfigFileHandler.java:1194 LocalBackendAddOperation.java:476 LocalBackendAddOperation.java:145 LocalBackendWorkflowElement.java:688 WorkflowImpl.java:196 WorkflowTopologyNode.java:99 AddOperationBasis.java:593 TraditionalWorkerThread.java:164)
Recent Changes
Installed the OpenDJ Password Synchronization Plugin.
Causes
The self-signed certificate that is generated on startup has a certificate subjectDN of: C=None, L=None, O=OpenIDM Self-Signed Certificate, OU=None, CN=localhost, whereas the subjectDN in the plugin configuration is: cn=localhost,o=OpenIDM.
The plugin fails to initialize because it is expecting a different self-signed certificate.
Solution
This issue can be resolved by upgrading to OpenIDM 3.1.0 as the generated self-signed certificate is now compatible with the plugin.
Alternatively, you can update the plugin configuration to match the self-signed certificate.
In the openidm-pwsync-plugin-config.ldif file (located in the /path/to/opendj/config directory), change:
ds-certificate-subject-dn: cn=localhost,o=OpenIDM Self-Signed Certificate
to:
ds-certificate-subject-dn: C=None, L=None, O=OpenIDM Self-Signed Certificate, OU=None, CN=localhost
You should then re-add the plugin configuration to OpenDJ's configuration using the ldapmodify command and proceed with the rest of the process to install the plugin.
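Before re-running ldapmodify it is worth confirming that the DN in the LDIF really matches the certificate subject, since DN comparison ignores case and the spacing around commas but not the set of RDNs. The following is an added example, not ForgeRock code: the LDIF fragment and the certificate subject are constructed from the values quoted in this article, and the function names are hypothetical.

```python
"""Compare the ds-certificate-subject-dn in the OpenDJ password sync plugin
LDIF against the subject DN of the certificate in the plugin keystore."""
import re

# Constructed fragment of openidm-pwsync-plugin-config.ldif (hypothetical;
# only the attribute the plugin checks is shown), with the original value.
PLUGIN_LDIF = """\
dn: cn=OpenIDM Notification Handler,cn=Account Status Notification Handlers,cn=config
objectClass: top
cn: OpenIDM Notification Handler
ds-certificate-subject-dn: cn=localhost,o=OpenIDM Self-Signed Certificate
"""

# Subject DN of the generated self-signed certificate as stated in this article.
# In practice, take it from `keytool -list -v` on the keystore the plugin uses.
KEYSTORE_CERT_SUBJECT = ("C=None, L=None, O=OpenIDM Self-Signed Certificate, "
                         "OU=None, CN=localhost")


def normalize_dn(dn):
    """Canonical form for comparison: split on unescaped commas, drop the
    whitespace around '=' and ',', lower-case types and values (the RDN
    attributes used here all use caseIgnore matching). RDN order is kept."""
    rdns = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, _, value = rdn.partition('=')
        if attr.strip():
            rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def ldif_attr(ldif_text, attr):
    """Return the first value of `attr` in an LDIF block, after joining the
    continuation lines (leading space) that LDIF uses for long values."""
    unfolded = re.sub(r'\n ', '', ldif_text)
    for line in unfolded.splitlines():
        name, sep, value = line.partition(':')
        if sep and name.strip().lower() == attr.lower():
            return value.strip()
    return None


def config_matches_keystore(ldif_text, cert_subject):
    """True if the configured subject DN is equivalent to the cert subject."""
    configured = ldif_attr(ldif_text, 'ds-certificate-subject-dn')
    return configured is not None and \
        normalize_dn(configured) == normalize_dn(cert_subject)


def with_subject_dn(ldif_text, new_dn):
    """Apply the fix from this article: replace the configured subject DN."""
    return re.sub(r'(?m)^ds-certificate-subject-dn:.*$',
                  'ds-certificate-subject-dn: ' + new_dn, ldif_text)
```

Running config_matches_keystore on the original LDIF reports the mismatch; after with_subject_dn(PLUGIN_LDIF, KEYSTORE_CERT_SUBJECT) the check passes.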
See Also
Related Training
N/A
Related Issue Tracker IDs
OPENIDM-1523 (Generated self-signed cert does not work with the OpenDJ pwd sync plugin)
OPENIDM-2248 (Generated self-signed cert does not work with the OpenDJ pwd sync plugin)