Authentication error after upgrading to PAM 3.x version
Article ID: 105200
Updated On:
Products
CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)
Issue/Introduction
Authentication error after upgrading to 3.2 version
Customer upgraded their PAM 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0 and LDAP Authentication fails when trying to logon to PAM.
Customer upgraded their PAM 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0 and LDAP Authentication fails when trying to logon to PAM.
Cause
On PAM 3.0.1, it updates the /etc/ldap/ldap.conf cipher list by restricting it to couple of ciphers as below.
/etc/ldap/ldap.conf
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA
This causes the PAM to fail handshaking secure connection to AD(or LDAP).
In the xcd_spfd.log, following error is found.
2018-07-06 00:15:41 27896 INFO HandshakeSSL: SSL connection using AES256-SHA256 (TLSv1.2)
...
2018-07-06 00:15:41 27896 ERROR clientToServerTransfer: TrafficHandler:: Unable to read from client socket!
/etc/ldap/ldap.conf
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA
This causes the PAM to fail handshaking secure connection to AD(or LDAP).
In the xcd_spfd.log, following error is found.
2018-07-06 00:15:41 27896 INFO HandshakeSSL: SSL connection using AES256-SHA256 (TLSv1.2)
...
2018-07-06 00:15:41 27896 ERROR clientToServerTransfer: TrafficHandler:: Unable to read from client socket!
Environment
PAM Upgrade from 2.8.x to 3.0.0 --> 3.0.1 --> 3.1.1 --> 3.2.0
Resolution
If you have encountered this issue, you can open a support ticket and have support engineer to fix it manually by updating the /etc/ldap/ldap.conf file to restore the default PAM ciphers list.
From:
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA
To:
TLS_CIPHER_SUITE NORMAL:+SECURE256:+SECURE128:+SHA256
Restart of PAM is not required.
Once the /etc/ldap/ldap.conf file is updated, you can try logging on to PAM using LDAP to confirm.
In case of upgrading PAM 2.8.x to 3.x, customer should avoid PAM 3.0.1 (or apply 3.0.1.02 prior to upgrading to other higher version of PAM).
From:
TLS_CIPHER_SUITE AES256-SHA:AES128-SHA
To:
TLS_CIPHER_SUITE NORMAL:+SECURE256:+SECURE128:+SHA256
Restart of PAM is not required.
Once the /etc/ldap/ldap.conf file is updated, you can try logging on to PAM using LDAP to confirm.
In case of upgrading PAM 2.8.x to 3.x, customer should avoid PAM 3.0.1 (or apply 3.0.1.02 prior to upgrading to other higher version of PAM).
Additional Information
Feedback
Yes
No
Powered by
