Symantec Directory : post-SP3 upgrade, DXtools over SSL does not work with existing certificate

Article ID: 242958


Products

CA Directory

Issue/Introduction

After upgrading Symantec Directory to version 14.1.03 or 14.1.05, DXtools over SSL no longer work with the existing certificate you have configured, even though it worked fine before the SP3 upgrade.

For example, running the following dxsearch command results in an error and returns no results:

dxsearch -Z -h node_name:port -b "dc=ca,dc=com" "cn=*"

TLS trace: SSL_connect:SSLv3 read finished A
TLS: hostname (node_name) does not match common name in certificate (generic).
TLS: can't connect: TLS: hostname does not match name in peer certificate.
ldap_err2string
ldap_start_tls: Connect error (-11)
        additional info: TLS: hostname does not match name in peer certificate

ldap_err2string
ldap_result: Can't contact LDAP server (-1)
        additional info: TLS: hostname does not match name in peer certificate

Two other examples that have been seen are:

dxsearch -H ldaps://node_name:port -b "dc=ca,dc=com" "cn=*"

ldap_bind: Can't contact LDAP server (-1)
    additional info: TLS: hostname does not match name in peer certificate

dxsearch -H ldaps://node_name:port -b "dc=ca,dc=com" "cn=*"

ldap_bind: Can't contact LDAP server (-1)
    additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (self signed certificate in certificate chain)

Environment

Release : 14.1

Component : CA Directory

Resolution

The change in DXtools' behavior with SSL is due to the OpenLDAP upgrade in 14.1 SP3 (also known as 14.1.03).

You may have configured the $DXHOME/config/ssld/dxldap.conf file as shown below, which worked before the SP3 upgrade:

TLS_CACERT  /opt/CA/Directory/dxserver/config/ssld/trusted.pem
# TLS_REQCERT never

The resolution is to uncomment the TLS_REQCERT line so that the file now looks like:

TLS_CACERT  /opt/CA/Directory/dxserver/config/ssld/trusted.pem
TLS_REQCERT never

After that change, DXtools over SSL should work fine.

Under certain conditions, if the above setting alone does not help, you may also need to export the LDAPCONF environment variable so that it points to this dxldap.conf. On a Linux system:

export LDAPCONF="$DXHOME/config/ssld/dxldap.conf"
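TLS_REQCERT never turns off server certificate checking in the tools altogether, so it helps to know first whether the existing certificate actually names the host. The following is an added example, not code from the article or from the product: it reproduces in Python the hostname-to-certificate matching that the upgraded libldap applies, run over constructed certificate data (the cert dicts, node_name and the IP address are assumptions made up for the illustration).

```python
"""Hostname-vs-certificate matching as an LDAP TLS client performs it,
on constructed certificate data (no real certificates are parsed)."""
import ipaddress


def _match_dns(pattern, hostname):
    """RFC 6125 style match: case-insensitive, wildcard allowed only as the
    whole left-most label and never against a top-level-only name."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """cert: dict with 'cn' (str or None) and 'san' (list of (type, value)),
    as a certificate parser would return. Returns (ok, reason).
    subjectAltName entries take precedence; the common name is consulted
    only when the certificate carries no dNSName SAN at all."""
    san = cert.get("san", [])
    dns_names = [v for t, v in san if t == "DNS"]
    ip_names = [v for t, v in san if t == "IP"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # connecting by IP: only an iPAddress SAN can match
        if any(ipaddress.ip_address(v) == ip for v in ip_names):
            return True, "matched iPAddress SAN"
        return False, f"hostname ({hostname}) does not match any iPAddress in certificate"
    if dns_names:
        if any(_match_dns(n, hostname) for n in dns_names):
            return True, "matched dNSName SAN"
        return False, f"hostname ({hostname}) does not match dNSName SAN {dns_names}"
    cn = cert.get("cn")
    if cn and _match_dns(cn, hostname):
        return True, "matched common name (no SAN present)"
    return False, f"hostname ({hostname}) does not match common name in certificate ({cn})"


# Constructed sample: a certificate issued with CN=generic and no SAN, the
# shape that produces the "does not match common name" error in the article.
GENERIC_CERT = {"cn": "generic", "san": []}
# Constructed sample: a certificate that names the directory host properly.
GOOD_CERT = {"cn": "node_name",
             "san": [("DNS", "node_name"), ("DNS", "node_name.example.com"),
                     ("IP", "10.0.0.5")]}

if __name__ == "__main__":
    print(hostname_matches(GENERIC_CERT, "node_name"))
    print(hostname_matches(GOOD_CERT, "node_name"))
```

If the check fails for the name you pass to -h or -H, reissuing the certificate with a matching dNSName (or connecting with the name the certificate carries) keeps verification in place instead of disabling it.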