Encryption Management Server does not accept inbound LDAPS connections

Article ID: 210947

Products

Encryption Management Server
Desktop Email Encryption, Powered by PGP Technology
Gateway Email Encryption
Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

A third party's Encryption Management Server is trying to look up keys on your Encryption Management Server over LDAPS but cannot do so.

Encryption Management Server can look up keys using LDAP or LDAPS. By default it uses LDAP and tries to connect to keys.example.com, where example.com is the domain of the recipient's email address.

However, Encryption Management Server can also be configured to do key lookups over LDAPS. Once the LDAPS key server entry is created, a mail rule that uses it is still required for the lookup to happen.

In some cases, LDAPS key lookups fail, even though the remote Encryption Management Server has inbound LDAPS permitted.

Cause

The remote Encryption Management Server is located behind a firewall or load balancer that performs SSL/TLS offloading. The inbound LDAPS connection from the third party is terminated at the firewall, and the firewall opens a new TLS connection of its own to Encryption Management Server.

On that new connection, Encryption Management Server verifies the certificate the firewall presents. Because the firewall presents its own certificate, and Encryption Management Server does not trust the certificate authority that issued it, the TLS handshake is rejected and the key lookup never reaches the key server. The certificate the third party uses is not what Encryption Management Server sees; only the firewall's certificate matters here.

Environment

Encryption Management Server 3.4.2 and above.

Resolution

You can confirm that Encryption Management Server does not trust the firewall's certificate by checking the /var/log/ovid/stunnel.log file, which records incoming LDAPS connections. You will need to ssh to Encryption Management Server to view this log.

Enter this command to search for LDAPS entries:

grep -B1 'unable to get local issuer certificate' /var/log/ovid/stunnel.log

The -B1 option prints the line before each match, which is normally the "accepted connection" line for the same connection. If you see entries like the following, where 10.1.2.3 is the firewall's IP address (after offloading, the third party's own address is not visible to Encryption Management Server) and the certificate has a CN of firewall.example.com, this confirms that Encryption Management Server does not trust the firewall's issuing certificate chain. depth=0 means the rejected certificate is the firewall's own; a higher depth would instead name an intermediate certificate that is missing from the trust store:

2021.03.17 12:36:24 LOG5[29022:3069881200]: ldaps2 accepted connection from 10.1.2.3:43410
2021.03.17 12:36:24 LOG4[29022:3069881200]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=firewall.example.com
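The following script is an added example and is not part of the original article. It pairs each VERIFY ERROR with the "accepted connection" line of the same connection by using the [pid:thread] tag stunnel puts on every log line, rather than assuming the two lines are adjacent, so it still attributes the failure to the right client IP when several connections interleave. The log lines embedded in it are constructed for the example, not a real capture; the only real input on a server is /var/log/ovid/stunnel.log.

```shell
#!/bin/sh
# Added example, not from the original article: attribute each stunnel
# VERIFY ERROR to the client that opened the connection, keyed on the
# [pid:thread] tag stunnel writes on every line. grep -B1 picks the wrong
# "accepted connection" line when two connections interleave; this does not.
# Usage on the server itself:  untrusted_ldaps_clients < /var/log/ovid/stunnel.log

# Constructed sample (not a real capture): two connections interleave and
# only the first one, from 10.1.2.3, fails certificate verification.
SAMPLE_LOG='2021.03.17 12:36:24 LOG5[29022:3069881200]: ldaps2 accepted connection from 10.1.2.3:43410
2021.03.17 12:36:24 LOG5[29022:3069881201]: ldaps2 accepted connection from 198.51.100.7:51022
2021.03.17 12:36:24 LOG4[29022:3069881200]: VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=firewall.example.com
2021.03.17 12:36:25 LOG6[29022:3069881201]: SSL accepted: new session negotiated'

# Reads stunnel log lines on stdin; prints one line per failed verification:
#   <client ip> depth=<n> <certificate subject>: <reason>
untrusted_ldaps_clients() {
    awk '
        # The connection tag, e.g. [29022:3069881200], sits inside field 3 (LOG5[...]:)
        function tag(f) { match(f, /\[[^]]*\]/); return substr(f, RSTART, RLENGTH) }
        /accepted connection from/ {
            ip = $NF; sub(/:[0-9]+$/, "", ip)        # drop the source port
            src[tag($3)] = ip
        }
        /VERIFY ERROR/ {
            t = tag($3)
            match($0, /depth=[0-9]+/); depth = substr($0, RSTART + 6, RLENGTH - 6)
            rest = $0; sub(/^.*error=/, "", rest)    # "reason: /CN=..."
            reason = rest; sub(/: \/.*$/, "", reason)
            subj = rest; sub(/^[^:]*: /, "", subj)
            printf "%s depth=%s %s: %s\n", (t in src) ? src[t] : "unknown", depth, subj, reason
        }'
}

printf '%s\n' "$SAMPLE_LOG" | untrusted_ldaps_clients
# prints: 10.1.2.3 depth=0 /CN=firewall.example.com: unable to get local issuer certificate
```

Note that on the sample above plain `grep -B1` would print the 198.51.100.7 line directly before the VERIFY ERROR, which is the wrong connection; the thread tag is what ties the error to 10.1.2.3.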

Encryption Management Server needs to trust the certificates in the issuing chain of the firewall's certificate.

To do this, obtain the issuing certificates of the firewall's certificate and add them to Encryption Management Server. If the firewall is using a self-signed certificate, there is no separate issuer: add that self-signed certificate itself to Encryption Management Server:

  1. From the administration console, click on Keys / Trusted Keys.
  2. Click the Add Trusted Key button at the bottom of the page.
  3. Click the Choose File button to browse to the certificate file to import. It must be in base-64 (PEM) format.
  4. Enable the option Trust key for verifying SSL/TLS certificates.
  5. Click the Save button.
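Before importing, it is worth confirming that the certificates you collected really complete the chain for the certificate named in the stunnel log, and that the file is base-64 (PEM) rather than binary DER, since an incomplete chain will leave the VERIFY ERROR in place after the import. The script below is an added example, not part of the original article or the product: it generates a throwaway issuing CA and a leaf certificate locally as stand-ins for the firewall's certificate and its issuer (nothing here comes from a real firewall), then runs the same kind of issuer check that stunnel performs. On a real system, replace the generated files with the firewall's certificate and the chain you obtained from its administrator.

```shell
#!/bin/sh
# Added example, not from the original article: verify an issuing chain and
# the file format before importing a trusted key into Encryption Management
# Server. The CA and leaf generated here are constructed stand-ins for the
# firewall's certificate and its issuer (ASSUMPTION: your real firewall
# certificate and chain take their place).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins: a private issuing CA, a leaf it signs, and an
# unrelated CA to show what an incomplete/wrong chain looks like.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other_ca.key" -out "$WORK/other_ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=firewall.example.com" \
    -keyout "$WORK/fw.key" -out "$WORK/fw.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/fw.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/fw.pem" >/dev/null 2>&1
# A DER copy of the leaf, to exercise the format check.
openssl x509 -in "$WORK/fw.pem" -outform DER -out "$WORK/fw.der"

# True if the file is a base-64 (PEM) certificate, the format Add Trusted Key expects.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Write $1 to $2 as PEM, converting from DER when needed.
to_pem() {
    if is_pem_cert "$1"; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Return 0 when the issuing chain in $2 validates the leaf in $1. This is the
# issuer lookup stunnel performs; failing it is what produces
# "unable to get local issuer certificate" in stunnel.log.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Subject and issuer of a leaf, to match against the CN shown in stunnel.log.
leaf_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
leaf_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

to_pem "$WORK/fw.der" "$WORK/fw_from_der.pem"
echo "leaf subject: $(leaf_subject "$WORK/fw.pem")"
echo "leaf issuer:  $(leaf_issuer "$WORK/fw.pem")"
if chain_verifies "$WORK/fw.pem" "$WORK/ca.pem"; then
    echo "chain complete: ca.pem is the file to import as a trusted key"
else
    echo "chain incomplete: do not import yet"
fi
if chain_verifies "$WORK/fw.pem" "$WORK/other_ca.pem"; then
    echo "unexpected: unrelated CA validated the leaf"
else
    echo "wrong issuer rejected, the same failure stunnel logged"
fi
```

The subject printed by leaf_subject should match the CN in the VERIFY ERROR line; if it does not, you are checking the wrong certificate. Obtaining the chain with `openssl s_client -connect firewall.example.com:636 -showcerts` only works if the firewall presents the same certificate on its listening side as it does when it connects outbound to Encryption Management Server, which is an assumption to confirm with whoever runs the firewall. After the import, rerun the grep from the Resolution section and confirm that new connections from the firewall no longer produce VERIFY ERROR entries.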