LDAPS connection is failing with simple bind failed error

Products

ICDx

Issue/Introduction

LDAPS is configured but AD credentials cannot log into Integrated Cyber Defense exchange (ICDx).

Failed startup connection to LDAP server [ldaps://test.domain.com:636] using Bind User [TEST\Administrator] err=[simple bind failed: test.domain.com:636]

Cause

The LDAPS server needs to be installed in the ICDx Java keystore. As of version 1.3, this must be done manually via shell commands.

Resolution

Extracting public key from Windows AD server

There are two approaches:

Export the pubic key cert using the Certificate Export Wizard provided by Windows.
Use the output of the openssl s_client connect command on the CLI and copy the key in PEM format from the output to the console.

Windows Certificate Export Wizard (Windows Server)

Open the Microsoft Management Console (MMC) by using Win+R to open the run box, then type "mmc" and press Enter or click OK.
In the File menu, choose "Add / Remove Snap In".
Double-click Certificates in the left box.
Select Computer Account and click Next.
Select Local Computer and click Finish.
Click OK to exit the prompt window.
Expand the tree: Certificates > Personal > Certificates in the MMC
Locate and click to select the certificate for the correct domain.
Right-click and select All tasks > Export.
Press Next.
Select "No, do not export the private key".
Choose Base-64 encoded X.509 (.CER) for the certificate file format and click Next.
Enter the filename and location to save the extracted file
Click Next, then finish.

OpenSSL s_client command (Linux/UNIX or Windows [must download OpenSSL for Windows, available online])

Test the SSL connection to the AD server on port 636 with the following command:

openssl s_client -connect <IP ADDRESS or SERVER NAME>:636 -showcerts

This test will fail, but will display the following output:

CONNECTED(00000003)

depth=0 CN = test.domain.com

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 CN = test.domain.com

verify error:num=21:unable to verify the first certificate

verify return:1

---

Certificate chain

0 s:/CN=test.domain.com

i:/DC=com/DC=domain/DC=test/CN=test

-----BEGIN CERTIFICATE-----

SOME HASH VALUE

-----END CERTIFICATE-----

---

Server certificate

subject=/CN=test.domain.com

issuer=/DC=com/DC=domain/DC=test/CN=test

---

No client certificate CA names sent

Client Certificate Types: RSA sign, DSA sign, ECDSA sign

Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDS                               A+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512

Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA2                               56:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512

Peer signing digest: SHA1

Server Temp Key: X25519, 253 bits

---

...

Copy the text from -----BEGIN CERTIFICATE----- until -----END CERTIFICATE-----, and paste it into a file called certificate.pem. If there are multiple BEGIN and END certificates, copy and paste all of them into certificate.pem.

Importing the cert into the Java keystore

Ubuntu

Copy the certificate.pem file to /etc/ssl/certs
sudo update-ca-certificates --fresh
sudo keytool -importcert -alias MY_ALIAS -trustcacerts -file /etc/ssl/certs/certificate.pem -keystore /etc/ssl/certs/java/cacerts

RedHat Linux 7

sudo update-ca-trust enable
sudo cp certificate.cer /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

Verification

Check the System Archive logs for any errors like below:

Failed startup connection to LDAP server [ldaps://test.domain.com:636] using Bind User [TEST\Administrator] err=[simple bind failed: test.domain.com:636]

ERRATTA

If the java keystore needs the certificate to be in PEM format for import, you will need to convert the certificate from the DER format to PEM using this command:

openssl x509 -inform der -in certificate.cer -out certificate.pem