Problem with LDAP groups refreshing

Article ID: 109175

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

When "Refresh LDAP group" is selected, PAM displays the error message "Unable to connect to domain DC=Forwardinc,DC=COM. All configured LDAP servers are down. Connection to LDAP Server ldaps.forwardinc.com Port 636 failed. Failing over to the next configured server for the domain."
After several refresh attempts, the LDAP group is eventually refreshed.
The AD/LDAP servers are available and all are up. They are hosted on Windows 2016.

The LDAP logs show the following error every time the LDAP group refresh fails:

<thread>1</thread> 
<message>Exception failed trying to acquire ldap context to Server ldaps.emea.dsv.com Port 636</message> 
<exception> 
<message>javax.naming.CommunicationException: ldaps.emea.dsv.com:636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair] 

Cause

The problem is related to the fact that PAM 2.x uses Java 1.7 for these LDAP connections. Release 3.x uses BouncyCastle instead of the Java provider.

Unfortunately there is no way to change this in PAM safely. 

Environment

CA PAM 2.X

Resolution

This issue is fixed in PAM 3.x.

If you are running PAM 2.x, verify the following registry value on the AD/LDAP servers: Java 7 can only support Diffie-Hellman keys of up to 1024 bits, but many administrators are changing their security options to require a minimum of 2048 bits, which PAM 2.x cannot currently handle.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman\ServerMinKeyBitLength 

To specify the Diffie-Hellman key bit length for the TLS server default, create a ServerMinKeyBitLength entry.
This entry does not exist in the registry by default. After you have created the entry, set the DWORD value to the desired bit length.
If not configured, 2048 bits is the default.
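The following PowerShell check is an added example, not part of this article or of the PAM product; run it on the Windows AD/LDAP server to see whether its Schannel DH minimum exceeds the 1024-bit limit of the Java 7 runtime in PAM 2.x. The path, value name and default are taken from this article; the function and variable names are the example's own.

```powershell
# Added example: report whether this server's Schannel Diffie-Hellman minimum
# key length is larger than the 1024-bit maximum that PAM 2.x (Java 7) can handle.
# Run in an elevated PowerShell prompt on the Windows 2016 AD/LDAP server.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$ValueName = 'ServerMinKeyBitLength'
$JavaSevenMaxDhBits  = 1024   # largest DH modulus Java 7 / PAM 2.x accepts (per the article)
$SchannelDefaultBits = 2048   # Windows default when the entry is absent (per the article)

function Get-SchannelDhServerMinBits {
    # Returns the configured minimum, or the documented default when the entry does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Bits = $SchannelDefaultBits; Source = 'default (entry absent)' }
    }
    return [pscustomobject]@{ Bits = [int]$item.$ValueName; Source = 'registry' }
}

$result = Get-SchannelDhServerMinBits
Write-Host ('{0} = {1} bits ({2})' -f $ValueName, $result.Bits, $result.Source)

if ($result.Bits -gt $JavaSevenMaxDhBits) {
    # This is the condition behind "Could not generate DH keypair" in the PAM LDAP log.
    Write-Warning ('This server requires DH keys of at least {0} bits; PAM 2.x (Java 7) cannot complete the TLS handshake. Upgrade PAM to 3.x.' -f $result.Bits)
} else {
    Write-Host 'Within the Java 7 limit; the DH key length is not the cause of the LDAP refresh failure.'
}
```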

Additional Information

More Information: https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings