VMware NSX LDAPS server connection not working POST upgrade to VMware NSX 4.1.X
search cancel

VMware NSX LDAPS server connection not working POST upgrade to VMware NSX 4.1.X

book

Article ID: 322617

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
  • You recently upgraded NSX-T to 4.1.1 or above.
  • You have an LDAPS server configured.
  • After the upgrade the LDAPS server connection is in a failed state.
  • In the VMware NSX manager /var/log/syslog and /var/log/proton/nsxapi.log, you see errors similar to the below:
WARN http-nio-127.0.0.1-7440-exec-2 CdpCrlChecker 4477 SYSTEM [nsx@6876 comp="nsx-manager" level="WARNING" reqId="xxxxxxxx-dbca-4718-ba7f-xxxxxxxxxxxx" subcomp="manager" username="admin"] CRL CN=XXXXXX,DC=XXXXXX,DC=XXXXXX,DC=XXX is signed with OID 1.2.840.113549.1.1.10


Environment

VMware NSX-T Data Center
VMware NSX 4.x

Cause

VMware NSX supports the following signature algorithms to be used for signing:
AlgorithmId.sha256WithRSAEncryption_oid ( 1, 2, 840, 113549, 1, 1, 11)
AlgorithmId.sha256WithDSA_oid (2, 16, 840, 1, 101, 3, 4, 3, 2)
AlgorithmId.sha256WithECDSA_oid (1, 2, 840, 10045, 4, 3, 2)
AlgorithmId.sha384WithECDSA_oid (1, 2, 840, 10045, 4, 3, 3)
AlgorithmId.sha384WithRSAEncryption_oid (1, 2, 840, 113549, 1, 1, 12)
AlgorithmId.sha512WithECDSA_oid (1, 2, 840, 10045, 4, 3, 4)
AlgorithmId.sha512WithRSAEncryption_oid (1, 2, 840, 113549, 1, 1, 13)

The certificate used to sign the CRL did not use one of the above signatures.

Resolution

None, this issue is due to incorrectly signed CRL certificate, which are not supported by VMware NSX.

Workaround:
You can disable CRL checking, which will prevent the connection from failing when checking the CRL of the certificate used by the LDAPS server.
Use the API call:
GET https://{{ip}}/policy/api/v1/infra/security-global-config
And change the value for "crl_check_enabled" from true to false and USE the returned data, with edit in the following POST API call:
PUT https://{{ip}}/policy/api/v1/infra/security-global-config