Symantec Directory: ssld/ldaps no longer works after upgrading to Directory 14.1 sp6
search cancel

Symantec Directory: ssld/ldaps no longer works after upgrading to Directory 14.1 sp6

book

Article ID: 383883

calendar_today

Updated On:

Products

CA Directory SITEMINDER

Issue/Introduction

There are two possible scenarios a working Symantec Directory may experience ssld or ldaps no longer works after upgrading to Directory 14.1 sp6:

  • a working DSA may no longer start
  • a working DSA starts but some of the previously functioning ldaps connection may no longer works or falls back to ldap connection without secure communication 

Environment

Symantec Directory 14.1 SP6

Cause

Symantec Directory 14.1 SP6 upgraded its shared component CAPKI to CAPKI6. For secure communication, it now supports TLS 1.2 minimally.

Resolution

For the two scenarios:

Fix "a working DSA no longer starts"

Starts in Symantec Directory 14.1 SP6, the minimal secure communication requires TLS 1.2. As a result, the protocol setting within the set ssl command see in the following snippet:

set ssl = {
   cert-dir = "config/ssld/personalities"
   ca-file = "config/ssld/trusted.pem"    

   protocol = tls

...
};

now needs to be removed, commented out or set to either tlsv12 or tlsv13 as 14.1 SP6 simply does not allow one to set it to lower security level. Note that this setting tends to exist in a dxc file under config/ssld/ on in the dxi file when the DSA is managed by Management UI. TLS 1.3 support starts with 14.1/sp6.

The product documentation indicates that protocl could be set to one of ssl, tls, tlsv11, tlsv12, and tlsv13. The lower secured communication setting is only valid for Symantec 14.1 SP5 and lower.

Fix "previously functioning ldaps connection no longer works"

A usual LDAPS connection starts with a ldap client initiates a communication attempt with Symantec Directory DSA. As a result, the ldap client that is attempting to communicate with a Symantec Directory 14.1 SP6 DSA will need to use either TLS 1.2 or TLS 1.3 to negotiate the communication channel to use.

In the field, we have seen at least one known incident where an ldap client was configured to use TLS 1.1 to communicate and failed. To avoid this type of failure, one needs to plan to address this requirement before upgrading Symantec Directory to 14.1 SP6.

Additional Information

The CAPKI6 happens to be the folder name used under the Shared Components after upgrading to Symantec Directory to 14.1 SP6. As an example, instead of CAPKI6, 14.1 SP5 uses CAPKI5. 

See the following link, for more information regarding set ssl command:

set ssl Command -- Configure SSL

Powered by Wolken Software