Policy server secure ldap connection failure

Article ID: 5159

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

After upgrading the CA SSO Policy Server to 12.52 SP2, it is no longer able to establish a secure connection to LDAP.

The older version of CA SSO (12.52 SP1) establishes the secure connection to LDAP without any problem.

smps.log shows:

[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:788][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.

[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:950][ERROR][sm-Ldap-01370] SmDsLdapConnMgr Bind. Server ad2k8-01 : 636. Error 81-Can't contact LDAP server

Cause

Starting with r12.52 SP2 of the CA SSO Policy Server, support for the SSLv3 protocol on secure connections to the LDAP store is disabled by default.

This change was made to mitigate the SSLv3 POODLE vulnerability (CVE-2014-3566):

https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566

This is also visible in smps.log:

[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:788][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.

In practice this means that the Policy Server now uses the TLS protocol instead to establish the secure channel to the LDAP store.

The detailed list of TLS protocol versions supported by each version of the CA SSO Policy Server is given here:

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=11564

So, if the TLS protocol versions supported by the Policy Server are NOT enabled on the LDAP server, the Policy Server will not be able to establish a secure connection to it.

Environment

Policy Server: R12.52 SP2 and above
Policy Server OS: ANY
User Store: ANY LDAP

Resolution

Configure the LDAP server to support the TLS protocol version supported by the installed version of the CA SSO Policy Server, as listed in:

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=11564

As of r12.52 SP2 CR1 (the current release at the time of writing), the Policy Server supports only TLSv1.0 and will fail to connect over any other protocol.

So ensure that TLSv1.0 is enabled on the LDAP server to resolve this connectivity issue.

For example, on Active Directory the Schannel SSL/TLS protocols can be configured as described in this guide:

https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS10

Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

Subkey: DisabledByDefault
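To verify both sides of this setting, here is an added PowerShell example (not from the article and not CA/Broadcom code): it reads the Schannel "TLS 1.0\Server" key named above on the Active Directory host and, from the Policy Server host, attempts a TLS 1.0-only handshake against the LDAPS port. The server name ad2k8-01 is taken from the smps.log line above; the Schannel "Enabled" value and the SslStream-based handshake check are assumptions not stated in the article.

```powershell
# Added example, not part of the CA/Broadcom article.
# Assumption: Test-SchannelTls10Server runs on the AD/LDAP server and
# Test-LdapsTls10Handshake runs on the Policy Server host.
$LdapHost = 'ad2k8-01'   # taken from the smps.log line above; replace with your DC
$LdapPort = 636

# 1. Registry check on the Active Directory server. Schannel treats TLS 1.0 as
#    enabled server-side when DisabledByDefault is 0 (or absent) and Enabled is
#    not 0 (or absent); a missing key means the OS default applies.
function Test-SchannelTls10Server {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ KeyPresent = $false; DisabledByDefault = $null; Enabled = $null; EffectivelyEnabled = 'OS default' }
    }
    $props = Get-ItemProperty -Path $key
    $dbd = $props.DisabledByDefault
    $en  = $props.Enabled
    $effective = (($null -eq $dbd) -or ($dbd -eq 0)) -and (($null -eq $en) -or ($en -ne 0))
    [pscustomobject]@{ KeyPresent = $true; DisabledByDefault = $dbd; Enabled = $en; EffectivelyEnabled = $effective }
}

# 2. Handshake check from the Policy Server host: negotiate exactly the protocol
#    r12.52 SP2 CR1 uses (TLS 1.0) against the LDAPS port, without an LDAP bind.
#    Error 81 in smps.log corresponds to this handshake failing.
function Test-LdapsTls10Handshake {
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        # Certificate validation is bypassed because only protocol negotiation is under test here.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls, $false)
        [pscustomobject]@{ Server = $Server; Port = $Port; HandshakeOk = $true; Protocol = $ssl.SslProtocol; Error = $null }
    } catch {
        [pscustomobject]@{ Server = $Server; Port = $Port; HandshakeOk = $false; Protocol = $null; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

Test-SchannelTls10Server
Test-LdapsTls10Handshake -Server $LdapHost -Port $LdapPort
```

A HandshakeOk of $false with EffectivelyEnabled $false on the DC reproduces the "Error 81-Can't contact LDAP server" condition; re-run both checks after changing the key to confirm the fix.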

Testing:

With TLSv1.0 Disabled on Active Directory

1. Screenshot TLSv1.0 Disabled on AD

2. Screenshot SSL Handshake failure on Policy server side

3. Screenshot Admin UI showing connection failure

With TLSv1.0 Enabled on Active Directory

1. Screenshot TLSv1.0 Enabled on AD

2. Screenshot SSL Handshake Successful on Policy server side

3. Screenshot Admin UI showing connection success and retrieving result
