UIM hub LDAP SSL and tls 1.2 connection to LDAP Server: Q&As

book

Article ID: 182977

calendar_today

Updated On:

Products

NIMSOFT PROBES DX Infrastructure Management

Issue/Introduction

This KB includes some clarifications and answers to common questions around how UIM Hub LDAP SSL connection to LDAP Server works.

•  How can I enable LDAP with SSL in UIM?
•  I need to enable UIM uim ldap SSL connection to LDAP server, how and where do I load the certificates? 
•  How do I test hub to LDAP server connection? 
•  Is TLS 1.2 connection between Hub and LDAP server supported? If so, how to enable it? Or is it enabled by default?
•  When enabling SSL in the hub advanced tab for LDAP communication can I configure the protocol or the cyphers used? 
•  What SSL version is used between the hub and LDAP server? 


Environment

Release : UIM 8.x, 9.2

Component : HUB 7.x.x, 9.x

Resolution

•  How can I enable LDAP with SSL in UIM?

Under General ->Settings->LDAP Tab, checking the "Use SSL" checkbox enables the hub using the default LDAP SSL port and SSL communication when talking to the LDAP server.






•  I need to enable UIM uim ldap SSL connection to LDAP server, how and where do I load the certificates? 

There is no need to add a client certificate. The communication between the hub and the LDAP server will be encrypted, provided that the LDAP server has a valid certificate and is configured to talk SSL.

It creates an LDAP session handle that is SSL enabled.

Of course, you will have a certificate on the LDAP server to implement SSL in the first place, but as far as the hub is concerned, it simply makes an ldaps:// connection instead of an ldap:// connection.

It uses port 636 (secure ldap port) instead of port 389 (normal ldap) so make sure you can connect FROM the hub TO the LDAP server using that port.

So, the requests will be SSL-encrypted but we don't support client-side authentication (where you would put a certificate on the hub itself to 'match' the certificate on the ldap server).


•  How do I test hub to LDAP server connection? 


To test the connection FROM the primary hub you can do a telnet query for port 389 (LDAP) or port 636 (LDAP SSL)

For example,

telnet <hostname_or_ipaddress> 389


You should see something like this:

telnet <ldapsrvip> 389
Trying 10.2.x.xxx...
Connected to mainldapsrv.example.com.
Escape character is '^]'.


You could also use nmap,

nmap hostip 389


There is also a Microsoft tool called PortQry that will give you a lot of info about a port(s):


PortQry.exe -n hostip -p tcp -e 389


just replace 389 with 636 for LDAP SSL


In any case, if you don’t find any problems when testing the connection, you can enable the LDAP SSL and then test the connection while you have the hub.log open, after setting the loglevel to 5 and logsize to 40000, to observe what the hub complains about regarding the connection.

General LDAP Failure codes can be found here: https://www.ldap.com/ldap-result-code-reference
NOTE: that anonymous simple bind must be enabled if you’re not running hub v7.80 HF7 or higher.


•  Is TLS 1.2 connection between Hub and LDAP server supported? If so, how to enable it? Or is it enabled by default?

The SSL settings in the hub (normal / compatibility mode / SSL only) and the Secure hub is related to UIM network communication between components inside a UIM domain (probe to probe, hub to hub, etc.) but has nothing to do with the LDAP SSL.

Starting from hub 7.96 (Hub Release Notes)  Support is provided for communicating with an OpenLDAP server that is configured with TLS v1.2.
This implies that if TLS v1.2 is enabled on an OpenLDAP server, hub 7.96 (or later) can now communicate with it.  While providing information in the LDAP Authentication section (available under Hub Advanced Settings, LDAP, LDAP Settings), ensure that you also select the Use SSL option.

UIM 9.02 introduces TLS 1.2 support  for UIM network communication. Before UIM 9.02 there is no support for TLS 1.2 in UIM.



•  When enabling SSL in the hub advanced tab for LDAP communication can I configure the protocol or the cyphers used? 
It is not possible to configure any cyphers and the protocol used by default is LDAP Protocol


•  What SSL version is used between the hub and LDAP server? 

When "SSL" is selected the SSL v3

When SSL is not selected it uses LDAP Protocal and communication therefore not encrypted.


It is not possible to configure the cyphers for the LDAPS so we cannot use any TLS version for this with the current version. 




Additional Information

Related KB: Hub with LDAP SSL enabled is no longer connecting to the LDAP Server
Related Documentation: TLS 1.2 SupportEnable Login with LDAP , Secure hub

Attachments