I just installed CA LDAP Server and when it starts it immediately ends with a RC 256 and the stderr file shows messages TLS: could not initialize environment handle and TLS: Permission denied. What can cause this?

Document ID : KB000045749
Last Modified Date : 14/02/2018

Question:  

I just installed CA LDAP Server and when it starts it immediately ends with a RC 256 and the stderr file shows messages TLS: could not initialize environment handle and TLS: Permission denied. What can cause this? 

Answer:  

The CA LDAP Server stderr file shows:

[08/12|10:17:32.532204|1804000000000000] reading config file ./slapd.conf
[08/12|10:17:32.540654|1804000000000000] line 4 (hosturls ldap://22.11.3.3:399)
[08/12|10:17:32.541503|1804000000000000] line 14 (TLSkeyringname secring)
.. ... ..
.. ... ..
[08/12|10:17:33.761896|1804000000000000] TLS: could not initialize environment handle.
[08/12|10:17:33.794011|1804000000000000] TLS: Permission denied

 

The TLS error 'Permission denied' is most likely caused by the CA LDAP Server being denied access to the keyring specified by the TLSKeyringName parameter in its slapd.conf (secring in the output above). The "could not initialize environment handle" message that precedes it is the consequence: without the keyring, the TLS environment cannot be built and the server ends with RC 256.

To confirm this, run the ACF2 ACFRPTRV (resource violation) report against the SMF data that was active at the time of the error and check for violations logged against the CA LDAP Server task.

 

For the CA LDAP Server to access the keyring, either a FACILITY or an RDATALIB resource rule needs to be created to allow access. The RDATALIB resource ringowner.ringname.LST is checked first; if no rule exists for it, the FACILITY resource IRR.DIGTCERT.LISTRING is checked. Either rule can be used. The difference is that the RDATALIB check is specific to one keyring, whereas the FACILITY check covers all keyrings, so the RDATALIB rule is the least-privilege choice when only this keyring needs to be exposed.

 

Example Rules

Here ringowner is the logonid that owns the keyring and ringname is the value of TLSKeyringName (secring in the output above).

FACILITY rule (covers all keyrings):

$KEY(IRR.DIGTCERT.LISTRING) TYPE(FAC)
 UID(UID of CA LDAP Server) SERVICE(READ) ALLOW    <- sufficient when the CA LDAP Server is the keyring owner
 UID(UID of CA LDAP Server) SERVICE(UPDATE) ALLOW  <- required when the CA LDAP Server is not the keyring owner

or

RDATALIB rule (specific to this keyring):

$KEY(ringowner) TYPE(RDA)
 ringname.LST UID(UID of CA LDAP Server) ALLOW
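The following is an added example, not CA LDAP Server or CA ACF2 code. It parses stderr lines in the format shown in this answer, pulls out the TLSKeyringName value and the TLS error messages, and then evaluates the check order the answer describes (RDATALIB ringowner.ringname.LST first, then FACILITY IRR.DIGTCERT.LISTRING with READ for the keyring owner and UPDATE for anyone else) against a small rule set, reporting which rule would satisfy the check. The logonids LDAPSRV and SYSADM, the rule classes and the sample log are constructed for the example; the rule model only knows ALLOW entries with an exact UID match.

```python
import re
from dataclasses import dataclass

# [date|time|thread] message, as in the CA LDAP Server stderr shown above.
STDERR_RE = re.compile(r"^\[(?P<date>[^|]+)\|(?P<time>[^|]+)\|(?P<thread>[^\]]+)\]\s+(?P<msg>.*)$")
# "line N (keyword value)" lines echo slapd.conf parameters.
CONFIG_LINE_RE = re.compile(r"^line\s+\d+\s+\((?P<keyword>\S+)\s+(?P<value>.+)\)$")

# Constructed sample mirroring the output in the answer (timestamps kept, elided lines dropped).
SAMPLE_STDERR = """\
[08/12|10:17:32.532204|1804000000000000] reading config file ./slapd.conf
[08/12|10:17:32.540654|1804000000000000] line 4 (hosturls ldap://22.11.3.3:399)
[08/12|10:17:32.541503|1804000000000000] line 14 (TLSkeyringname secring)
[08/12|10:17:33.761896|1804000000000000] TLS: could not initialize environment handle.
[08/12|10:17:33.794011|1804000000000000] TLS: Permission denied
"""


def parse_stderr(text):
    """Return (slapd.conf parameters keyed by lower-cased keyword, list of TLS error messages)."""
    config, tls_errors = {}, []
    for line in text.splitlines():
        m = STDERR_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        c = CONFIG_LINE_RE.match(msg)
        if c:
            config[c.group("keyword").lower()] = c.group("value")
        elif msg.startswith("TLS:"):
            tls_errors.append(msg)
    return config, tls_errors


@dataclass(frozen=True)
class FacRule:
    resource: str  # $KEY of the TYPE(FAC) rule
    uid: str
    service: str   # READ or UPDATE


@dataclass(frozen=True)
class RdaRule:
    key: str    # $KEY of the TYPE(RDA) rule: the ring owner
    entry: str  # rule entry, e.g. "secring.LST"
    uid: str


def keyring_list_access(uid, ringowner, ringname, rda_rules, fac_rules):
    """Apply the check order from the answer; return (allowed, reason)."""
    entry = f"{ringname}.LST"
    # 1. Keyring-specific RDATALIB resource ringowner.ringname.LST. If a rule
    #    exists for this resource it decides the outcome (assumption: ALLOW
    #    entries only, exact UID match).
    covering = [r for r in rda_rules if r.key == ringowner and r.entry == entry]
    if covering:
        if any(r.uid == uid for r in covering):
            return True, f"RDATALIB {ringowner}.{entry}"
        return False, f"RDATALIB {ringowner}.{entry} rule exists but has no entry for {uid}"
    # 2. No RDATALIB rule: FACILITY IRR.DIGTCERT.LISTRING covers all keyrings.
    #    READ suffices for the ring owner; UPDATE is needed for anyone else.
    needed = "READ" if uid == ringowner else "UPDATE"
    for r in fac_rules:
        if r.resource == "IRR.DIGTCERT.LISTRING" and r.uid == uid and r.service == needed:
            return True, f"FACILITY IRR.DIGTCERT.LISTRING SERVICE({needed})"
    return False, (f"no rule: need RDATALIB {ringowner}.{entry} or "
                   f"FACILITY IRR.DIGTCERT.LISTRING SERVICE({needed}) for {uid}")


def diagnose(stderr_text, uid, ringowner, rda_rules, fac_rules):
    """Tie the two halves together: what the log says, and what the rules would decide."""
    config, tls_errors = parse_stderr(stderr_text)
    ringname = config.get("tlskeyringname")
    result = {
        "keyring": ringname,
        "tls_permission_denied": any("Permission denied" in e for e in tls_errors),
        "allowed": None,
        "reason": "TLSKeyringName not found in stderr",
    }
    if ringname:
        result["allowed"], result["reason"] = keyring_list_access(
            uid, ringowner, ringname, rda_rules, fac_rules)
    return result


if __name__ == "__main__":
    # Constructed scenario: LDAPSRV runs CA LDAP Server, SYSADM owns secring.
    # With no rules at all the access is denied, matching the stderr above.
    print(diagnose(SAMPLE_STDERR, "LDAPSRV", "SYSADM", [], []))
    # Keyring-specific fix: $KEY(SYSADM) TYPE(RDA) / secring.LST UID(LDAPSRV) ALLOW
    print(diagnose(SAMPLE_STDERR, "LDAPSRV", "SYSADM",
                   [RdaRule("SYSADM", "secring.LST", "LDAPSRV")], []))
```

Running the block as a script shows the denial with no rules, then the allow once the RDATALIB entry is present; swapping in a FacRule with SERVICE(UPDATE) gives the same allow through the FACILITY path, while SERVICE(READ) only helps when LDAPSRV is itself the ring owner.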