Configuring LDAPS in VCF Automation fails with "Unable to establish SSL connection: java.net.SocketException: Connection reset"

Article ID: 430213

Updated On:

Products

VCF Automation

Issue/Introduction

From the VCF Automation Provider Portal, navigate to Administration ⇒ Identity Provider ⇒ LDAP.

or

For Organization-specific LDAPS configuration, start at the VCF Automation Provider Portal and navigate to Organizations ⇒ Selected Organization... ⇒ Launch Organization.

In the Organization portal go to Administer ⇒ Connections ⇒ Identity Provider ⇒ LDAP.

Either configure a new LDAPS (LDAP over SSL) Identity Provider or update an existing Identity Provider to use LDAPS.

Make sure that "Use SSL" is selected and that the port has been updated to 636.

When you save the configuration, an error such as one of the following is displayed:

Unable to establish SSL connection: java.net.SocketException: Connection reset

or 

Unable to establish SSL connection: java.net.SocketException: Connection reset by peer

Environment

VCF Automation 9.0.x

Cause

A mismatch between the ciphers and protocols supported by VCF Automation and those supported by the Active Directory server, so the TLS handshake for the LDAPS connection cannot complete.
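Before changing anything on the appliance it helps to know which TLS version and cipher the directory server will actually negotiate, so the handshake failure can be pinned to a version or suite. The probe below is an added example, not code from this article or from VCF Automation: it attempts one handshake per TLS version against an LDAPS port and reports the negotiated protocol and cipher, or the exception text (a "Connection reset by peer" shows up as ConnectionResetError). The host name is a placeholder, and the resetting listener at the end is a constructed stand-in so the probe can be exercised offline.

```python
"""Probe an LDAPS endpoint and report which TLS version and cipher it negotiates.

Added example, not code from the KB article or from VCF Automation. It assumes
a directory server reachable on TCP 636 from wherever it runs; the default
host name in main() is a placeholder.
"""
from __future__ import annotations

import socket
import ssl
import struct
import sys
import threading
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    attempt: str            # the TLS version(s) this probe offered
    ok: bool
    negotiated: str = ""    # "<protocol> <cipher>" when the handshake completed
    error: str = ""         # exception class and message when it did not


def probe_ldaps(host: str, port: int = 636,
                minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
                maximum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_3,
                ciphers: Optional[str] = None,
                timeout: float = 5.0) -> ProbeResult:
    """Attempt one TLS handshake and report the outcome instead of raising."""
    attempt = minimum.name if minimum == maximum else f"{minimum.name}..{maximum.name}"
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Diagnostic only: the question is whether any handshake completes,
        # so certificate verification is switched off for this probe.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = minimum
        ctx.maximum_version = maximum
        if ciphers:
            ctx.set_ciphers(ciphers)  # OpenSSL cipher-list syntax, TLS 1.2 suites
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher = tls.cipher()
                name = cipher[0] if cipher else "?"
                return ProbeResult(attempt, True, f"{tls.version()} {name}")
    except (OSError, ValueError) as exc:
        # ConnectionResetError ("Connection reset by peer") lands here, and so
        # does ssl.SSLError (an OSError subclass) for a handshake alert such as
        # "no shared cipher"; ValueError covers a TLS version this build lacks.
        return ProbeResult(attempt, False, error=f"{type(exc).__name__}: {exc}")


def probe_all(host: str, port: int = 636, timeout: float = 5.0) -> list[ProbeResult]:
    """Try TLS 1.3 on its own, then TLS 1.2 on its own, so a failure that is
    specific to one protocol version is visible in the results."""
    versions = [ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_2]
    return [probe_ldaps(host, port, v, v, timeout=timeout) for v in versions]


def start_resetting_listener() -> tuple[str, int, threading.Event]:
    """Constructed stand-in for a server that aborts the handshake.

    Closing an accepted connection with SO_LINGER=0 makes the kernel send a
    TCP RST instead of a FIN, which is what the client reports as
    "Connection reset by peer". Used only to exercise the probe offline.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    host, port = srv.getsockname()
    return host, port, stop


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "dc.example.invalid"  # placeholder
    for r in probe_all(target):
        outcome = f"OK   {r.negotiated}" if r.ok else f"FAIL {r.error}"
        print(f"{r.attempt:10} {outcome}")
```

Run it as `python3 probe_ldaps.py <directory-server>` from a host that can reach port 636. A server that completes TLS 1.2 but resets TLS 1.3, or the reverse, points at a protocol mismatch; a server that resets both is worth re-probing with `ciphers=` set to one of the suites from the allowed list to find which suites it will accept, which is the same question the handshake debug output on the appliance answers from the client side.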

 

Resolution

The default list of Allowed Ciphers and Protocols is as follows:

TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA



SSH to a VCF Automation appliance and run the following to enable SSL handshake debug logging, adding the JAVA_TOOL_OPTIONS environment variable to the tenant-manager container:

kubectl -n prelude edit deployment tenant-manager-0


spec:
  template:
    spec:
      containers:
      - name: tenant-manager
        env:
        - name: JAVA_TOOL_OPTIONS
          value: "-Djavax.net.debug=ssl:handshake"

Press "Esc", then type ":wq!" and press "Enter" to save and exit the editor.

 

Then run the following to add an ssl.ciphers.disallowed property to the tenant-manager-scripts configmap, disallowing the old ciphers, and restart tenant-manager:

sudo -i

kubectl -n prelude get configmap tenant-manager-scripts -o yaml | sed '/^    ui\.baseHttpUri=\${HTTP_URI}/a \    ssl.ciphers.disallowed=TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA' | kubectl apply -f -


kubectl rollout restart statefulset/tenant-manager -n prelude


This removes the following weak ciphers from the allowed list:

TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA
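The sed expression above works, but it is not idempotent: run twice, it appends a second ssl.ciphers.disallowed line after the ui.baseHttpUri line, and it gives no hint of why each suite is on the list. The script below is an added example, not code from this article or from VCF Automation. It carries the article's cipher list, attaches a reason to each suite with a general heuristic (CBC mode, static RSA/ECDH key exchange, SHA-1 MAC), renders the property line, and inserts it after the same anchor line the sed keys on while dropping any earlier copy. It assumes the configmap script is a properties-style text with the line `    ui.baseHttpUri=${HTTP_URI}` as in the sed pattern; the sample script is constructed, not taken from an appliance.

```python
"""Build the ssl.ciphers.disallowed property and apply it to the configmap
script text idempotently, with a reason attached to each suite.

Added example, not code from the KB article or from VCF Automation. The
property name and cipher list are the article's; SAMPLE_SCRIPT is a
constructed stand-in for the script held in the tenant-manager-scripts
configmap, assumed to contain the anchor line the article's sed keys on.
"""
from __future__ import annotations

# Cipher list exactly as given in the KB article.
KB_DISALLOWED: tuple[str, ...] = (
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
)

# Constructed stand-in for the script text inside the configmap.
SAMPLE_SCRIPT = """\
    server.port=8080
    ui.baseHttpUri=${HTTP_URI}
    logging.level=INFO
"""

PROPERTY = "ssl.ciphers.disallowed"
ANCHOR = "ui.baseHttpUri=${HTTP_URI}"


def classify(suite: str) -> list[str]:
    """Reasons a suite is generally treated as legacy. An empty list means no
    heuristic fired: the suite is an AEAD suite with forward secrecy."""
    reasons: list[str] = []
    if "_CBC_" in suite:
        reasons.append("CBC mode")
    if suite.startswith(("TLS_RSA_", "TLS_ECDH_")):
        reasons.append("no forward secrecy")  # static RSA / static ECDH key exchange
    if suite.endswith("_SHA"):
        reasons.append("SHA-1 MAC")
    return reasons


def unflagged(suites) -> list[str]:
    """Suites in the list that none of the heuristics flag."""
    return [s for s in suites if not classify(s)]


def render_property(suites) -> str:
    """The property line in the form the article's sed command appends."""
    return f"{PROPERTY}=" + ",".join(suites)


def insert_property(script: str, prop_line: str, anchor: str = ANCHOR) -> str:
    """Place prop_line on its own line directly after the anchor, with the
    anchor's indentation. Any existing line for the same property is removed
    first, so repeated runs leave exactly one entry instead of stacking copies."""
    key = prop_line.split("=", 1)[0] + "="
    kept = [ln for ln in script.splitlines() if not ln.strip().startswith(key)]
    for i, ln in enumerate(kept):
        if ln.strip() == anchor:
            indent = ln[: len(ln) - len(ln.lstrip())]
            kept.insert(i + 1, indent + prop_line)
            break
    else:
        raise ValueError(f"anchor line {anchor!r} not found in script")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for s in KB_DISALLOWED:
        print(f"{s:45} {', '.join(classify(s)) or '(no heuristic fired)'}")
    print(insert_property(SAMPLE_SCRIPT, render_property(KB_DISALLOWED)))
```

The heuristic flags 18 of the 20 suites; the two it does not flag, TLS_AES_128_GCM_SHA256 and TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, are AEAD suites with forward secrecy that the article's list disallows along with the rest. That is the reason to check, with the handshake debug logging enabled earlier in this article, that the suites still allowed after the change overlap with what the directory server offers; otherwise the same "Connection reset" will persist for a different reason.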