LDAPS configuration for Aria Operations for logs failing. Can connect with LDAP

Article ID: 398146

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • An LDAP bind from the command line succeeds when certificate verification is bypassed, but with certificate verification enabled it fails with:

TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect: error:0A000086:SSL routines::certificate verify failed (unable to get local issuer certificate).
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

  • In the runtime.log we see the following errors:

Unable to validate Active Directory credentials. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password.(View details)

["application-akka.actor.default-dispatcher-33" INFO] [com.vmware.loginsight.api.providers.ad.ADProvider] [Failed validation of AD Domain.]
com.vmware.loginsight.commons.exceptions.AuthenticationException: Unable to validate Active Directory credentials. Please check your Active Directory DNS name, port, and SSL settings as well as your username and password.

  • The trusted root and intermediate CA certificates have already been added to the trusted certificate store in Aria Operations for Logs.

Environment

Aria Operations for Logs 8.18.3

Cause

Log Insight and the domain controller are unable to agree on a cipher suite, so the TLS connection for LDAPS cannot be established.

Resolution

To modify the allowed cipher suites, perform the following workaround on all nodes. Take snapshots of all nodes prior to making changes.

1. Modify the jdk.tls.disabledAlgorithms property in the java.security file as follows:

vim /usr/java/default/conf/security/java.security

  • Find the following lines:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    RSA keySize < 512, DESede, \
    TLS_RSA_WITH_AES_256_CBC_SHA, \
    TLS_RSA_WITH_AES_256_CBC_SHA256, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
    TLS_RSA_WITH_AES_128_CBC_SHA, \
    TLS_RSA_WITH_AES_128_CBC_SHA256, \
    include jdk.disabled.namedCurves

  • Depending on the version, the block may differ slightly from the example above. The property of interest is "jdk.tls.disabledAlgorithms", which holds a comma-separated list of disabled algorithms and cipher suites. Delete the following entries from that list:

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256

  • After deleting those entries, the "jdk.tls.disabledAlgorithms" property should look like this:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    RSA keySize < 512, DESede, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
    include jdk.disabled.namedCurves

2. Modify the loginsight-daemon shell script to comment out the -Djdk.tls.client.cipherSuites and -Djdk.tls.server.cipherSuites options as follows:

vim /usr/lib/loginsight/application/sbin/loginsight-daemon.sh

  • Find the two lines beginning with:

STRATA_JAVA_OPTS+=" -Djdk.tls.client.cipherSuites=
STRATA_JAVA_OPTS+=" -Djdk.tls.server.cipherSuites=

  • Comment them out by adding a # symbol at the beginning of each line, like this:

#STRATA_JAVA_OPTS+=" -Djdk.tls.client.cipherSuites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"
#STRATA_JAVA_OPTS+=" -Djdk.tls.server.cipherSuites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"

Note that the actual value (the part after the = symbol) may differ depending on the version.

3. Restart loginsight with the following command:

systemctl restart loginsight
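The following script is an added example, not part of the KB article or the product: it applies steps 1 and 2 of the resolution with sed so that every node receives the identical edit, keeps a timestamped backup of each file, and reports how many of the targeted entries remain. The two file paths are the ones the article names; the function names, the backup naming and the constructed "before" excerpts used for the rehearsal run are this example's own assumptions. Without arguments it rehearses the edit on constructed copies in a scratch directory; with --apply it edits the real files on the node (step 3, the restart, is still done by hand).

```shell
#!/bin/sh
# Added example (not from the KB article or the product): applies steps 1 and 2
# of the resolution with sed, keeps a timestamped backup of each file, and
# reports what is left. The two paths are the ones the article names; the
# function and helper names are this example's own.
JAVA_SECURITY=/usr/java/default/conf/security/java.security
DAEMON_SH=/usr/lib/loginsight/application/sbin/loginsight-daemon.sh

# Edit FILE in place via a temp file (owner and mode preserved) after saving
# FILE.bak.<timestamp> beside it.
edit_in_place() {                       # edit_in_place FILE SED_ERE_SCRIPT
    f="$1"; script="$2"
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$f.tmp.$$"
    sed -E "$script" "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
}

# Step 1: inside the jdk.tls.disabledAlgorithms block (its first line up to the
# first line without a trailing backslash), strip the four
# TLS_RSA_WITH_AES_{128,256}_CBC_SHA{,256} entries and drop any continuation
# line left holding only a backslash.
remove_rsa_cbc_suites() {               # remove_rsa_cbc_suites JAVA_SECURITY_FILE
    edit_in_place "$1" '/^jdk\.tls\.disabledAlgorithms=/,/^[^\\]*$/{
        s/TLS_RSA_WITH_AES_(128|256)_CBC_SHA(256)?,[[:space:]]*//g
        /^[[:space:]]*\\$/d
    }'
}

# Step 2: prefix the two STRATA_JAVA_OPTS lines that pin client/server cipher
# suites with "#". Already-commented lines do not match, so re-runs are no-ops.
comment_cipher_suite_overrides() {      # comment_cipher_suite_overrides DAEMON_SH_FILE
    edit_in_place "$1" \
        's/^(STRATA_JAVA_OPTS[+]=" -Djdk\.tls\.(client|server)\.cipherSuites=)/#\1/'
}

# Post-edit checks: TLS_RSA_* CBC entries still in the block (expected 0; an
# entry written without a trailing comma would remain and needs a manual edit)
# and cipherSuites lines still active (expected 0).
count_rsa_cbc_suites() {
    sed -n -E '/^jdk\.tls\.disabledAlgorithms=/,/^[^\\]*$/p' "$1" \
        | grep -c 'TLS_RSA_WITH_AES_[0-9]*_CBC_SHA' || true
}
count_active_cipher_overrides() {
    grep -c -E '^STRATA_JAVA_OPTS[+]=" -Djdk\.tls\.(client|server)\.cipherSuites=' "$1" || true
}

# Constructed excerpts of both files in their "before" state (the property block
# and daemon lines as the article shows them) for rehearsing the edit on copies.
write_sample_files() {                  # write_sample_files DIR
    cat > "$1/java.security" <<'EOF'
# constructed excerpt: a real java.security carries many more properties
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    RSA keySize < 512, DESede, \
    TLS_RSA_WITH_AES_256_CBC_SHA, \
    TLS_RSA_WITH_AES_256_CBC_SHA256, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, \
    TLS_RSA_WITH_AES_128_CBC_SHA, \
    TLS_RSA_WITH_AES_128_CBC_SHA256, \
    include jdk.disabled.namedCurves
jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC
EOF
    cat > "$1/loginsight-daemon.sh" <<'EOF'
# constructed excerpt of loginsight-daemon.sh
STRATA_JAVA_OPTS+=" -Djdk.tls.client.cipherSuites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"
STRATA_JAVA_OPTS+=" -Djdk.tls.server.cipherSuites=TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256"
STRATA_JAVA_OPTS+=" -Dexample.untouched=true"
EOF
}

# "--apply" edits the real files on this node (run as root, after the snapshot);
# otherwise rehearse on the constructed copies and show the result.
if [ "${1:-}" = "--apply" ]; then
    remove_rsa_cbc_suites "$JAVA_SECURITY"
    comment_cipher_suite_overrides "$DAEMON_SH"
    echo "TLS_RSA CBC entries left: $(count_rsa_cbc_suites "$JAVA_SECURITY")"
    echo "active cipherSuites pins left: $(count_active_cipher_overrides "$DAEMON_SH")"
else
    d=$(mktemp -d)
    write_sample_files "$d"
    remove_rsa_cbc_suites "$d/java.security"
    comment_cipher_suite_overrides "$d/loginsight-daemon.sh"
    echo "rehearsal in $d:"
    sed -n '/^jdk\.tls\.disabledAlgorithms=/,/^[^\\]*$/p' "$d/java.security"
    grep 'cipherSuites' "$d/loginsight-daemon.sh"
    echo "TLS_RSA CBC entries left: $(count_rsa_cbc_suites "$d/java.security")"
    echo "active cipherSuites pins left: $(count_active_cipher_overrides "$d/loginsight-daemon.sh")"
fi
```

Both edits widen what the Log Insight JVM will negotiate: the four re-enabled TLS_RSA_WITH_AES_*_CBC_* suites use static RSA key exchange (no forward secrecy) and CBC mode, and removing the cipherSuites pin lifts the restriction to the two TLS 1.3 AES-GCM suites shown in the script. The backups the script leaves beside each file are what you restore from if the original settings are wanted again once the domain controller side has been reconfigured.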