We run Siteminder Policy Server R12.8 SP1 on Linux and use CA Directory R14 as our policy store and session store.
Directory Log messages (in the Query Log File) show the connections as shown here using TLS:
[5] 20190911.234456.011 9.1 BIND x.x.x.x dn="cn=polstoreadm,ou=People,dc=sso,dc=xxxxxxxx,dc=xxxx,dc=org" (TLSv1.2) source="client"
[5] 20190911.234456.011 9.1 RESULT success
But the SSO policy server log (smps.log) shows repeated messages about two things:
1) A warning that SSL V3 is disabled.
[23696/139725113333504][Thu Sep 12 2019 01:12:32][SmObjLdapConnMgr.cpp:535][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.
2) Connection errors saying that SSO can't contact the LDAP server. (Even though it does connect and SSO is fully functional)
Log message snippets here:
[23696/139723913393920][Thu Sep 12 2019 01:18:29][SmDsLdapConnMgr.cpp:645][ERROR][sm-Ldap-01280] SmDsLdapConnMgr (ldap_search_ext_s) in PingServer : Can't contact LDAP server at x.x.x.x:10101
I know this has been asked before, but do you have an explanation that we can provide to our customer to reassure them that these are false positive messages?
Release : 12.8
Component : SITEMINDER - POLICY SERVER
With the deprecation of the SSLv3 protocol, the Policy Server at this version logs the "SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols." WARNING message every time an SSL connection is made to an LDAP directory. It is a reminder that SSLv3 is no longer supported: if you have connection issues, make sure the back-end directory is NOT configured for this protocol. Starting with the R12.8.0.3 release, this message is logged only once, NOT every time an SSL connection is made.
When SiteMinder connects to a User Directory, it actually opens and uses three connections: PING, BIND and DIR. The PING connection is used to verify that the established connection is still valid by sending "objectclass=*" requests. If a request on an established connection fails, you will see the following error message:

ERROR][sm-Ldap-01280] SmDsLdapConnMgr (ldap_search_ext_s) in PingServer : Can't contact LDAP server at x.x.x.x:10101

Again, this occurs on an established connection (PING, BIND or DIR), which implies that either a network device cut the connection or the User Directory is in fact no longer reachable over that connection. So it may not be that the directory is unavailable; rather, something cut a previously established connection to it, and the Policy Server must either REBIND that connection if possible, or tear down all connections to the directory and fail over according to your User Directory definition configuration.
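To give the customer something concrete, the following added script (not part of the article or of SiteMinder) triages an smps.log extract: it counts the benign sm-Ldap-02910 SSLv3 reminders separately from sm-Ldap-01280 PingServer failures and measures the spacing between the failures, since a fixed interval points at an idle timeout on a firewall or load balancer rather than at the directory. The sample log lines are constructed to match the message format quoted in the question.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample smps.log lines, modelled on the messages quoted in the question.
SAMPLE_SMPS_LOG = """\
[23696/139725113333504][Thu Sep 12 2019 01:12:32][SmObjLdapConnMgr.cpp:535][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.
[23696/139723913393920][Thu Sep 12 2019 01:18:29][SmDsLdapConnMgr.cpp:645][ERROR][sm-Ldap-01280] SmDsLdapConnMgr (ldap_search_ext_s) in PingServer : Can't contact LDAP server at x.x.x.x:10101
[23696/139725113333504][Thu Sep 12 2019 01:42:07][SmObjLdapConnMgr.cpp:535][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.
[23696/139723913393920][Thu Sep 12 2019 01:48:29][SmDsLdapConnMgr.cpp:645][ERROR][sm-Ldap-01280] SmDsLdapConnMgr (ldap_search_ext_s) in PingServer : Can't contact LDAP server at x.x.x.x:10101
"""

# One smps.log record: [pid/thread][timestamp][source:line][LEVEL][code] message
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]"
    r"\[(?P<level>\w+)\]\[(?P<code>sm-Ldap-\d+)\]\s*(?P<msg>.*)$")
TS_FORMAT = "%a %b %d %Y %H:%M:%S"
TARGET_RE = re.compile(r"Can't contact LDAP server at (?P<target>\S+)")

SSLV3_REMINDER = "sm-Ldap-02910"  # informational: SSLv3 disabled, logged per SSL connection before R12.8.0.3
PING_FAILURE = "sm-Ldap-01280"    # an established PING/BIND/DIR connection was cut, or the directory is down

def triage_smps_log(text):
    """Separate the benign SSLv3 reminder from PING failures and measure how far apart the failures are."""
    counts = Counter()
    ping_errors = []  # (timestamp, target host:port)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        counts[m["code"]] += 1
        if m["code"] == PING_FAILURE and "PingServer" in m["msg"]:
            t = TARGET_RE.search(m["msg"])
            ping_errors.append((datetime.strptime(m["ts"], TS_FORMAT), t["target"] if t else "?"))
    # A steady gap between PING failures (e.g. every 30 minutes) suggests an idle timeout on a
    # network device cutting the established connection, not an outage of the directory itself.
    intervals = [int((b[0] - a[0]).total_seconds()) for a, b in zip(ping_errors, ping_errors[1:])]
    return {
        "sslv3_reminders": counts[SSLV3_REMINDER],
        "ping_failures": len(ping_errors),
        "ping_targets": sorted({t for _, t in ping_errors}),
        "ping_intervals_s": intervals,
        "unparsed": counts["unparsed"],
    }

if __name__ == "__main__":
    print(triage_smps_log(SAMPLE_SMPS_LOG))
```

Correlate the PING failure timestamps with the CA Directory query log: a successful BIND right after each failure confirms the Policy Server rebound and the directory was reachable the whole time.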