After upgrading to Spectrum 21.2.10 from 10.4.2, the LDAP authentication using SSL is no longer working.
The LDAP certificate was already in the keystore file.
It has been validated that the non-SSL LDAP integration (port 389) works, which implies the bind password is correct.
What else can we check?
Release : 21.2
Component : SPECTRUM INSTALLATION
To understand the reason behind the login issue, it is recommended to enable debug logging for SSORB Security SP:
1. Go to the OneClick Administration page
2. Administration > Debugging > Web Server Debug Page (Runtime)
3. Set SSORB Security SP to ON
4. At the bottom of the page set the "Desired Level" to MAX and click the Apply button.
Reproduce the problem, for instance using the Test section under the Spectrum Administration page > LDAP Configuration.
After reproducing the problem, review $SPECROOT/tomcat/logs/catalina.out (Linux) or $SPECROOT/tomcat/logs/stdout.log (Windows) and search for the test user name that was used.
In the following example the test user was "testuser". The error message in the logs is as follows:
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - Authenticating user with external directory server: testuser
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - Opening directory context
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - connectionName CN=LDAPSpectrumIntegrationuser,OU=IntegrationAccounts,DC=MainLdap,DC=mycompany,DC=com
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - connectionURL ldap://ldapserver.mycompany.com:636
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - protocol ssl
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - referrals follow
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - timeoutPeriod in milliseconds 5000
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - readTimeoutPeriod in milliseconds 5000
Jul 14, 2022 15:27:43.230 - Connection Exception: javax.naming.CommunicationException: ldapserver.mycompany.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]]
Jul 14, 2022 15:27:43.230 - Connection problem: javax.naming.CommunicationException: SPC-OCA-10490: Could not connect to the external authentication server.
The problem, as the log message shows, occurs because the LDAP server does not support TLSv1.2. The Java runtime shipped with Spectrum explicitly disables the TLSv1 protocol and requires TLSv1.2 (see $SPECROOT/Java/jre/lib/security/java.security):
The server selected protocol version TLS10 is not accepted by client preferences [TLS12]]
You can confirm the protocols supported by the LDAP server using the openssl utility as follows:
> openssl s_client -connect <ldap_server>:636
To check a specific protocol version, such as TLSv1.2, append one of the parameters -tls1, -tls1_2 or -tls1_3 to the command, as follows:
> openssl s_client -connect <ldap_server>:636 -tls1_2
...
New, TLSv1.2, Cipher is ...
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
...
Start Time: 1657911170.
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
read:errno=0
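The two checks described above (reading the SSLHandshakeException out of the SecuritySP debug log, confirming which protocol versions the JRE disables in java.security, and then probing the LDAPS port per TLS version the way openssl s_client -tls1_2 does) can be scripted. The following is an added example, not Spectrum's own code or part of the Broadcom article; the log excerpt and the java.security fragment embedded in it are constructed for the demo, the jdk.tls.disabledAlgorithms value is an assumption (check the real file), and the host name and port passed to the probe are placeholders. The log and java.security parsers run offline; the network probe only runs when a host and port are given on the command line.

```python
"""Triage helpers for a Spectrum LDAPS handshake failure (added example)."""
import re
import socket
import ssl
import sys

# Constructed excerpt of the SecuritySP debug output shown in the article.
SAMPLE_LOG = """\
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - connectionURL ldap://ldapserver.mycompany.com:636
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - protocol ssl
Jul 14, 2022 15:27:43.230 - Connection Exception: javax.naming.CommunicationException: ldapserver.mycompany.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]]
"""

# Constructed java.security fragment (assumption: a typical modern JRE default).
# The real value lives in $SPECROOT/Java/jre/lib/security/java.security.
SAMPLE_JAVA_SECURITY = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

HANDSHAKE_RE = re.compile(
    r"server selected protocol version (\S+) is not accepted by client preferences \[([^\]]*)\]")

def find_tls_mismatch(log_text):
    """Return (server_version, [client_versions]) from a SecuritySP log, or None."""
    m = HANDSHAKE_RE.search(log_text)
    if not m:
        return None
    return m.group(1), [v.strip() for v in m.group(2).split(",")]

def disabled_tls_versions(java_security_text):
    """Parse jdk.tls.disabledAlgorithms (joins backslash line continuations)
    and keep only the protocol entries (SSLv*/TLSv*)."""
    joined = java_security_text.replace("\\\n", "")
    m = re.search(r"^jdk\.tls\.disabledAlgorithms\s*=\s*(.*)$", joined, re.M)
    if not m:
        return []
    items = [i.strip() for i in m.group(1).split(",")]
    return [i for i in items if i.startswith(("SSLv", "TLSv"))]

# JSSE names as they appear in the log, mapped to Python's ssl constants.
TLS_VERSIONS = {
    "TLS10": ssl.TLSVersion.TLSv1,
    "TLS11": ssl.TLSVersion.TLSv1_1,
    "TLS12": ssl.TLSVersion.TLSv1_2,
    "TLS13": ssl.TLSVersion.TLSv1_3,
}

def probe_tls_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to a single TLS version, like
    'openssl s_client -connect host:636 -tls1_2'. Returns True if the server
    accepts that version. Certificate verification is off here on purpose:
    this answers "which protocol versions?", not "is the certificate trusted?";
    trust is checked separately via the Spectrum keystore."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError, ValueError):
        # refused, timed out, handshake rejected, or version not built into OpenSSL
        return False

def triage(log_text, java_security_text):
    """Combine both parsers into a one-line diagnosis."""
    mismatch = find_tls_mismatch(log_text)
    if mismatch is None:
        return "no TLS version mismatch found in log"
    server, client = mismatch
    disabled = disabled_tls_versions(java_security_text)
    return (f"server offered {server}; client accepts {','.join(client)}; "
            f"JRE disables {','.join(disabled)}")

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_JAVA_SECURITY))
    # Usage: python tls_triage.py <ldap_server> 636   (placeholder host/port)
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
        for name, ver in TLS_VERSIONS.items():
            state = "accepted" if probe_tls_version(host, port, ver) else "rejected"
            print(f"{name}: {state}")
```

Run against the sample data, triage() reports that the server offered TLS10 while the client only accepts TLS12 and the JRE disables SSLv3, TLSv1 and TLSv1.1, which is exactly the mismatch behind SPC-OCA-10490. Given a host and port, the probe loop lists which versions the directory server actually accepts, so a "rejected" for TLS12 next to "accepted" for TLS10 confirms the server-side cause before any change is made to Spectrum.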
To resolve the problem, either configure the LDAP server to support TLSv1.2,
or
point Spectrum to an LDAP server that supports TLSv1.2 and import that server's certificate into Spectrum.
The certificates can be listed, removed and imported from Administration page > SSL Certificates.
How to configure Spectrum to authenticate with Secure LDAP (LDAPS)
https://knowledge.broadcom.com/external/article?articleId=189496
after Spectrum upgrade from 10.4.1 to 21.2.1 EEM authentication failed
https://knowledge.broadcom.com/external/article?articleId=223017