Unable to setup LDAP over SSL

Scenario: 

We have configured LDAP in Adeptia to authenticate users against the Active Directory server but we want to change it to use SSL connection for the same LDAP server. We have followed the steps mentioned in the below document to configure a secure LDAP connection.

https://docs.adeptia.com/display/AC2/Configuring+Adeptia+Connect+for+LDAP+Authentication

But after Restart the services, we are getting the below error on Login.

Login failed - Error while retrieving LDAP directory context, please verify connection with LDAP server or user's credentials.

At the active directory server, we see "cannot validate token" error.

 

Troubleshooting Step: Check if TLS1.2 is enabled on the LDAP server side. If enabled, then, kindly, perform the following steps to enable the SSL logs for analysis:-

  1. Goto the location "<InstallationDirectory>/ServerKernal/etc" and open the launcher.properties file in edit mode.
  2. Now, add -Djavax.net.debug=ssl in the JVM parameter for Webrunner.
  3. Restart the Adeptia services.

The SSL debug logs will be created in WebrunnerApplication.log file located at "<AdeptiaInstallationDirectory>\ServerKernel\logs\applicationlogs".

 

Cause: After analyzing the SSL logs, we found that this issue is caused due to the unsupported Signature Algorithm certificates exchange between Adeptia & the LDAP server. This can be verified from the SSL log trace:-

CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA1withECDSA, SHA1withDSA

This issue occurs only with the Windows 2012 R2 server that doesn't support MD5 algorithm while Adeptia uses adeptiabpmtemp certificate signed with MD5WITHRSA Signature Algorithm. Due to this mismatch, Adeptia is unable to make a connection with Secure LDAP.

 

Solution: To solve this issue you need to use the new certificates signed with Signature Algorithm SHA256WITHRSA. Using the updated certificates will allow you to establish a connection with the Secure LDAP successfully. Follow the below steps to download and use the updated certificates,:-

  1. Download and extract the attached zip file adeptiaBPM.zip.
  2. Goto the location  "<AdeptiaInstallationDirectory>\AdeptiaServer\ServerKernel\etc\jetty".
  3. Take the backup of the existing adeptiaBPM.keystore file and copy the downloaded Keystore file here.  
  4. Enable the Secure LDAP configuration as provided in the documentation.
  5. Restart the Adeptia Services.
  6. Now, access the Adeptia Url with LDAP credentials.
Have more questions? Submit a request

0 Comments

Article is closed for comments.