Customer reported that their vulnerability report shows that AA text credentials exposure. The vulnerability is misconfiguration on LDAP which can expose credentials in clear text. Cleartext passwords exposed using unencrypted LDAP authentications on port 389.

Release : CA Strong Authentication 9.1

CA Advanced Authentication

The LDAP is running on encrypted version on port 636. Strong Authentication was connecting to LDAP on port 389 instead of 636. 

By default, LDAP traffic is transmitted unsecured. To fix this, follow the below steps:

• You can make LDAP traffic confidential and secure by using SSL/Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA according to the guidelines in this article: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority 
• Refer to the following additional configuration settings to support LDAP Repository in Strong Authentication: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/advanced-authentication/9-1/installing/ca-adapter-installation/additional-configurations-to-support-ldap-repository-in-ca-strong-authentication.html 
• Access Strong Authentication Administration Console and log in as the Global Administrator and under the Manage Organizations section, click the Create Organization link to display the Create Organization page and on LDAP repository details section:
  • Specify the port number 636 on which the LDAP repository service is listening
  • Select the attributes that you want to encrypt to map the repository attributes
  • Enable to activate the new organization

With above setup you would be able to enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) in CA Strong Authentication 9.1