LDAP operators failing on ports 636 and 3269
Article ID: 281809

Products

CA Process Automation Base Process Automation Manager

Issue/Introduction

When executing an LDAP operator in ITPAM, the operator works over an unsecured connection on port 389, but fails when an SSL connection is attempted on port 636 or 3269.

The c2o.log (located in C:\Program Files\CA\PAM\wildfly\standalone\log) shows the connection being opened and then closed immediately:

<date> <time> INFO  [com.optinuity.c2o.service.serviceoperation.ldapserviceoperation.RunnerLDAPGetUsersServiceOperation] [<session id>] LDAPGetUsersServiceOperation started
<date> <time> INFO  [com.optinuity.c2o.service.serviceoperation.ldapserviceoperation.RunnerLDAPGetUsersServiceOperation] [<session id>] LDAPGetUsersServiceOperation Parameters set
<date> <time> INFO  [com.optinuity.c2o.service.serviceoperation.ldapserviceoperation.RunnerLDAPGetUsersServiceOperation] [<session id>] Processing: LDAPGetUsersServiceOperation
<date> <time> INFO  [com.optinuity.c2o.service.serviceoperation.ldapserviceoperation.LDAPWrapper] [<session id>] createSession: method started.
<date> <time> INFO  [com.optinuity.c2o.service.serviceoperation.ldapserviceoperation.LDAPWrapper] [<session id>] createSession: Create Session: <ITPAM server>:636
<date> <time> ERROR [com.optinuity.c2o.service.serviceoperation.ldapserviceoperation.RunnerLDAPGetUsersServiceOperation] [<session id>] javax.naming.NamingException: LDAP connection has been closed
<date> <time> INFO  [com.optinuity.c2o.service.serviceoperation.ldapserviceoperation.LDAPWrapper] [<session id>] destroySession: method started.
<date> <time> ERROR [com.optinuity.c2o.service.serviceoperation.ldapserviceoperation.RunnerLDAPGetUsersServiceOperation] [<session id>] LDAPGetUsersServiceOperation failed to execute
com.optinuity.c2o.util.C2OException: LDAP connection has been closed
at com.optinuity.c2o.service.serviceoperation.ldapserviceoperation.RunnerLDAPGetUsersServiceOperation.processRequestedOperation(RunnerLDAPGetUsersServiceOperation.java:365) ~[ldapservice.jar:04.4.00.100]

The Directory Services configuration page (screenshot not reproduced here) is reached from the PAM Orchestrator, Configuration tab: choose "Domain" in the left-hand pane under "Configuration Browser", select the "Connectors" tab, then "Directory Services".

Environment

ITPAM 4.4 and up

Resolution

Please add the following settings to the Directory Services configuration page:

 - "Security Authentication" --> "simple"
 - "Security Protocol" --> "ssl"

After this, and after adding any missing certificates to the cacerts keystore of the JDK/JRE that runs PAM (or the PAM Agent), the operator works.

Additional Information

Which certificate must be added to the JRE cacerts keystore depends largely on how the LDAP server's certificates were issued.

In this customer's case, the certificates that had to be imported were the third-party signing CA certificate (GlobalSign) and the client's own certificate.

If the LDAP configuration still fails, the following files are worth examining, since each contains part of the certificate setup in question:

- c2osvcw.conf file from the PAM install location, C:\Program Files\CA\PAM\wildfly\standalone\bin\
- OasisConfig.properties file from PAM install location, C:\Program Files\CA\PAM\wildfly\standalone\.config\
- cacerts file from JDK location where PAM is operating, usually a location such as "C:\Program Files\Java\jdk-11\lib\security\"
- ldap-cert-export.cer certificate file output.  See below.

The following keytool command may also be used to review the LDAP Server's SSL certificate information:
"C:\Program Files\Java\jdk-11\bin\keytool" -printcert -sslserver SSLSERVER.EXAMPLE.COM:636 -rfc > ldap-cert-export.cer
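The two things to verify after the Resolution steps are (1) that the LDAP server actually completes a TLS handshake on 636/3269 with a trust store containing the CA you imported, and (2) that the certificate you imported into cacerts is the one the server serves. The following Python script is an added example, not part of this article or of the PAM product; it assumes you have exported the server certificate with the keytool command above (or any PEM file) and that the names `probe_ldaps` and `fingerprint_pem` are hypothetical helpers. It generalises the keytool check to a scriptable probe of both LDAPS ports. Note that Python uses its own trust store, so pass the exported CA chain as `cafile` to mimic what the JDK cacerts must contain; the fingerprint is printed in the same colon-separated format that `keytool -printcert` and `keytool -list -v -keystore cacerts` show, so the two can be compared directly.

```python
import base64
import hashlib
import re
import socket
import ssl

# Constructed sample: an RFC 7468 PEM block whose body is base64("abc").
# It is NOT a real certificate; it only exercises the fingerprint helper.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in pem_text
    (e.g. the ldap-cert-export.cer produced by keytool -printcert -rfc)."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(match.group(1).split()))


def fingerprint_pem(pem_text: str, algo: str = "sha256") -> str:
    """Certificate fingerprint in keytool's colon-separated upper-case hex
    format, so it can be compared with 'keytool -list -v' output."""
    digest = hashlib.new(algo, pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe_ldaps(host: str, port: int = 636, cafile=None, timeout: float = 5.0):
    """Attempt a verified TLS handshake against an LDAPS port.

    cafile: PEM file holding the CA chain that must also be present in the
    JDK cacerts used by PAM. When None, Python's default trust store is used,
    which is NOT the JDK cacerts, so prefer passing the exported chain.
    Returns (status, detail) with status one of:
      "ok"               handshake succeeded and the chain verified
      "cert-not-trusted" TLS reached the server but the chain/hostname failed
      "tls-error"        some other TLS failure (e.g. plain LDAP on the port)
      "connect-failed"   TCP connection could not be established
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # subject is a tuple of RDNs, each a tuple of (key, value) pairs
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                cn = subject.get("commonName", "?")
                return ("ok", f"{tls.version()} handshake with CN={cn}")
    except ssl.SSLCertVerificationError as exc:
        # Most common cause: CA missing from the trust store (same symptom
        # PAM shows as "LDAP connection has been closed" when cacerts lacks it)
        return ("cert-not-trusted", exc.verify_message or str(exc))
    except ssl.SSLError as exc:
        return ("tls-error", str(exc))
    except OSError as exc:
        # ConnectionRefusedError, timeout, DNS failure, etc. are all OSError
        return ("connect-failed", str(exc))


if __name__ == "__main__":
    import sys

    # Usage: python ldaps_probe.py <ldap-host> [ca-chain.pem] [exported-cert.cer]
    host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # placeholder
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    for port in (636, 3269):
        status, detail = probe_ldaps(host, port, cafile)
        print(f"{host}:{port} -> {status}: {detail}")
    if len(sys.argv) > 3:
        with open(sys.argv[3], encoding="ascii") as fh:
            print("SHA-256 fingerprint:", fingerprint_pem(fh.read()))
```

A "cert-not-trusted" result with the exported chain as `cafile` means the export itself is incomplete (for example, only the leaf was exported and the GlobalSign intermediate is missing), which is exactly the case where importing into cacerts also fails to fix the operator; a "tls-error" on 636 usually means the port is answering plain LDAP, i.e. "Security Protocol" on the server side is not actually SSL.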