Unable to perform LDAP sync to AD Controller

Article ID: 214523

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A PAM administrator has successfully integrated many AD domains, but for one domain the following errors occur:

In the session logs:

PAM-LDAP-0004: bad certificate.

Inside the ldapimporter verbose logging we get the error:

org.bouncycastle.tls.tlsfatalalert: bad_certificate

There were no errors in the Tomcat logs.

Cause

The AD domain controller's certificate was signed with the RSASSA-PSS signature algorithm rather than the traditional sha256RSA or sha1RSA.

Environment

Release : 3.4.x

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

The platform underlying PAM uses OpenJDK 8, which does not yet support this signature algorithm.

Use either the sha256RSA or sha1RSA signature algorithm on your AD certificates.
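As an added diagnostic that is not part of this article, the following stdlib-only Python reads the signatureAlgorithm OID from an exported domain controller certificate (PEM or DER), so the cause above can be confirmed before the certificate is reissued. The skeleton_cert sample is constructed here purely for offline testing and is not a real certificate.

```python
import base64
import re
RSASSA_PSS = "1.2.840.113549.1.1.10"
KNOWN_SIG_ALGS = {
    RSASSA_PSS: "RSASSA-PSS (not supported by the OpenJDK 8 TLS stack PAM runs on)",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption (sha256RSA)",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption (sha1RSA)",
}
def _read_tlv(buf, pos):
    # Parse one DER TLV header at pos; return (tag, value_start, value_end).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    # DER OID content -> dotted string (base-128 arcs, high bit means "continues").
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def signature_algorithm_oid(cert):
    """Return the OID in Certificate.signatureAlgorithm: how the issuing CA signed it."""
    if cert.lstrip().startswith(b"-----BEGIN"):  # PEM: drop armour lines, base64-decode
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    tag, pos, _ = _read_tlv(cert, 0)                      # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _read_tlv(cert, pos)                  # skip tbsCertificate
    _, alg_start, _ = _read_tlv(cert, tbs_end)            # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _read_tlv(cert, alg_start)  # AlgorithmIdentifier.algorithm
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(cert[oid_start:oid_end])

def describe(cert):
    oid = signature_algorithm_oid(cert)
    return KNOWN_SIG_ALGS.get(oid, "unknown signature algorithm OID " + oid)

def skeleton_cert(oid_hex):
    # Constructed offline sample, NOT a real certificate: dummy tbsCertificate
    # (SEQUENCE { NULL }), AlgorithmIdentifier with the given OID, one-byte BIT STRING.
    oid_der = bytes.fromhex(oid_hex)
    body = bytes.fromhex("30020500") + bytes([0x30, len(oid_der)]) + oid_der + bytes.fromhex("03020000")
    return bytes([0x30, len(body)]) + body
PSS_SAMPLE = skeleton_cert("06092a864886f70d01010a")  # 1.2.840.113549.1.1.10 as DER OID
PEM_PSS_SAMPLE = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(PSS_SAMPLE) + b"-----END CERTIFICATE-----\n"
```

Call describe() on the bytes of the certificate exported from the domain controller; a result starting with RSASSA-PSS matches the cause described above.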