LDAP User Authentication Fails after Upgrading to Pivotal Application Service 1.7.17 or Higher

Article ID: 297581

Products

VMware Tanzu Application Service for VMs
Issue/Introduction

Symptoms:

When an LDAP user attempts to log in via the CF CLI, authentication fails with a timeout error. The relevant snippet from the UAA logs is:

[2016-09-13 17:01:42.626] uaa - 6656 [http-nio-8080-exec-8] .... DEBUG --- ChainedAuthenticationManager: Chained authentication exception:simple bind failed: xxxxxxx.org:636; nested exception is javax.naming.CommunicationException: simple bind failed: example.com:636 [Root exception is java.net.SocketException: Connection reset] at:org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206)
Environment


Cause

The JDK shipped with the UAA release in ERT version 1.7.17 was updated to v1.8 build 101. With this build of the JDK, TLS v1.2 is the only TLS protocol the client will accept when establishing the SSL connection to the LDAP server; ERT 1.7.17+ therefore requires TLS v1.2. It was observed that an LDAP/Active Directory server that does not support TLS v1.2 does not negotiate a TLS v1.2 session and immediately closes the connection from its end, which is the "Connection reset" seen in the UAA log above. With earlier ERT releases, the TLS libraries included in the JDK would fall back and negotiate a TLS v1 connection with the LDAP/AD server instead.
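To confirm that an LDAP/AD server is in the state described above before or after the upgrade, the following added script (not part of this article or the UAA codebase) probes the LDAPS port with openssl s_client once restricted to TLS 1.2 and once to TLS 1.0, and maps the results onto the cases in this article. The host and port are placeholders, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the KB article: probe an LDAPS endpoint for the TLS
# versions it negotiates, reproducing the diagnosis in "Cause" from outside UAA.
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"   # placeholder: your LDAP/AD host
LDAP_PORT="${LDAP_PORT:-636}"

# Read openssl s_client output on stdin and print the protocol it negotiated
# (e.g. "TLSv1.2"), or "none" when the handshake failed ("New, (NONE), ...").
negotiated_protocol() {
    awk '/^New, / { split($0, f, ", "); proto = f[2] }
         END { if (proto == "" || proto == "(NONE)") print "none"; else print proto }'
}

# One handshake restricted to a single protocol (-tls1_2 or -tls1). A server
# that resets the connection, as in the UAA log, yields "none". Note that a
# modern openssl build may refuse -tls1 itself, which also reads as "none".
probe_tls() {
    printf '' | openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" "$1" 2>/dev/null \
        | negotiated_protocol
}

# Map the two probe results onto the article's cases:
#   ok          - TLS 1.2 works; the ERT 1.7.17+ UAA client can bind as is
#   tls1-only   - only TLS 1.0 works; matches "Cause" (upgrade the LDAP/AD
#                 server, or apply the temporary TLSv1 workaround)
#   unreachable - neither works; not the condition this article describes
diagnose() {
    if [ "$1" = "TLSv1.2" ]; then echo ok
    elif [ "$2" = "TLSv1" ]; then echo tls1-only
    else echo unreachable
    fi
}

# Constructed s_client excerpts for an offline dry run of the parser.
SAMPLE_TLS12_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_HANDSHAKE_FAIL='New, (NONE), Cipher is (NONE)'

main() {
    r12=$(probe_tls -tls1_2)
    r10=$(probe_tls -tls1)
    echo "TLS1.2=$r12 TLS1.0=$r10 verdict=$(diagnose "$r12" "$r10")"
}

# Run the live probe only when explicitly requested: LDAP_PROBE_LIVE=1 sh probe.sh
if [ -n "${LDAP_PROBE_LIVE:-}" ]; then main; fi
```

A verdict of tls1-only on the current ERT means UAA binds will fail exactly as in the log above until the server supports TLS v1.2.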


Resolution

Upgrade the Active Directory/LDAP server to support TLS v1.2.


Workaround

As a temporary workaround until the LDAP/AD server supports TLS v1.2, add the following flag to "catalina_opts" in the UAA section of the ERT manifest file; it pins the UAA client to TLS v1 instead of TLS v1.2:

-Djdk.tls.client.protocols=TLSv1

The updated property in the ERT manifest will look like this:

uaa:
  --snip--
  catalina_opts: "-Xmx768m -XX:MaxPermSize=256m -Djdk.tls.client.protocols=TLSv1"
  --snip--

Save the manifest file and deploy ERT with the updated manifest using the following BOSH CLI commands:

  • bosh deployment <path to cf manifest file>
  • bosh deploy