SSL enabled LDAP failing to authenticate after upgrade to 21.2.10
search cancel

SSL enabled LDAP failing to authenticate after upgrade to 21.2.10


Article ID: 246106


Updated On:


CA Spectrum


After upgrading to Spectrum 21.2.10 from 10.4.2, the LDAP authentication using SSL is no longer working. 

The LDAP certificate was already in the keystore file.

It has been validated that non SSL LDAP integration works (port 389).  That implies the bind password is correct.

What else can we check?


Release : 21.2



To understand the reason behind the login issue, it is recommended to enable Debug on SSORB Security SP

1. Go to the OneClick Administration page 
2. Administration > Debugging > Web Server Debug Page (Runtime) 
3. set to ON SSORB Security SP
4. at the bottom of the page set the "Desired Level" to MAX, and click Apply button.

Reproduce the problem, for instance using the Test section in the Spectrum Administration page > LDAP Configuration

After reproducing the problem, you will need to review the $SPECROOT/tomcat/logs/catalina.out (Linux) or $SPECROOT/tomcat/logs/stdout.log (Windows), and look for the Test User used for the test.


In the next example the user used for the test was "testuser". The error message in logs is as follow:

Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - Authenticating user with external directory server: testuser
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) - Opening directory context
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) -     connectionName CN=LDAPSpectrumIntegrationuser,OU=IntegrationAccounts,DC=MainLdap,DC=mycompany,DC=com
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) -     connectionURL ldap://
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) -     protocol ssl
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) -     referrals follow
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) -     timeoutPeriod in milliseconds 5000
Jul 14, 2022 15:27:43.213 (https-jsse-nio-8443-exec-8) (SecuritySP) -     readTimeoutPeriod in milliseconds 5000
Jul 14, 2022 15:27:43.230 - Connection Exception: javax.naming.CommunicationException: [Root exception is The server selected protocol version TLS10 is not accepted by client preferences [TLS12]]
Jul 14, 2022 15:27:43.230 - Connection problem: javax.naming.CommunicationException: SPC-OCA-10490: Could not connect to the external authentication server.

The problem, as per the message in logs, occurs because the LDAP server doesn't support TLSv1.2. Spectrum Java explicitly disable the TLSv1 protocol, and force to use TLSV1.2 ($SPECROOT/Java/jre/lib/security/

The server selected protocol version TLS10 is not accepted by client preferences [TLS12]]

You can confirm protocols supported by the LDAP server using the openssl utility as follow. 

> openssl s_client -connect <ldap_server>:636 

If you require to check a specific protocol as TLSv1.2, you can add the parameter (-tls1 | -tls1_2 | -tls1_3) at the end, as follow 

> openssl s_client -connect <ldap_server>:636 -tls1_2

New, TLSv1.2, Cipher is ...

Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2

    Start Time: 1657911170.
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

To resolve the problem, the LDAP server needs to be configured to support TLSv1.2,


another options is pointing the Spectrum to an LDAP server that support TLSv1.2 and get the new certificates to be imported in Spectrum.

The certificates can be listed/removed/imported from Administration page > SSL Certificates

Additional Information

How to configure Spectrum to authenticate with Secure LDAP (LDAPS)

after Spectrum upgrade from 10.4.1 to 21.2.1 EEM authentication failed

LDAP Configuration Page

SSL Certificates Page