I try to connect from CA Web Administrator for ACF2 to CA LDAP Server using an SSL connection and I see error message TLS: can't accept: SSL message format is incorrect - what have I done wrong?

Document ID : KB000049166
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

The ldap connection from CA Web Administrator is initially created using a non SSL port and then web admin requests a switch to SSL mode.
You should ensure that the acf2_config.xml file for CA Web Admin is not trying to connect to an SSL port.
An entry will be seen in the STDERR file for CA LDAP Server "TLS: can't accept: SSL message format is incorrect".

Solution:

If the SSL port is incorrectly specified in file acf2_config.xml , you will see the following entries in the STDERR file if DEBUG=ANY is specified.
It will show "tls_read: want=5, got=5" followed by "0000: 17 1d 02 01 01" (the first byte will be either 16 or 17 if this is an initial ssl connection. A non-ssl connection will show the first byte as 30 or 80)

CA Web Administrator will connect to CA LDAP server with a NON-SSl connection and then make the connection switch to SSL mode. That is the reason that the non-ssl port is specified - see below.

The slapd.conf file, used to configure CA LDAP server, has the ability to specify multiple ports to be used for the connection to it.
This is achieved via the hosturls parameter. Normally this would contain ..
hosturls ldap://:389

If you want to add an ssl connection for other applications you would specify the hosturls with ..
hosturls ldap://:389 ldaps://:636

This would mean that port 389 would be used for a non-SSL connection and port 636 would be used for an SSL connection.
Other parameters in the slapd.conf file would define the suffix used - and will look something like this.


###############################################################
# caacf2_utf database specific definition                      
###############################################################
database             caacf2_utf               
suffix               "host=SYSTEM1,o=company,c=us"
naming_mode          acf2               
###############################################################
# caacf2_utf database specific definition                      
# This definition is for Web Admin                             
###############################################################
database             caacf2_utf               
suffix               "host=SYSTEM1_im,o=company,c=us"
naming_mode        im  

When you have installed CA Web Administrator, there is a file that contains the connection information called acf2_config.xml and it resides in the ./tomcat/conf directory created during the install of the product.

This file describes the connection characteristics for the CA LDAP server.

It would look something like this...


********************************* Top of Data **********************************
<acf2 classpath="com.ca.vantage.esmldap.EsmLdapTree" loginpage="/pages/esm/acf2/
 <tree id="122910194540" desc="acf2 on SYSTEM 1">                                
   <server_info>                                                                
   <host>SYSTEM1.com</host>                                                 
   <port>389</port>                                                       
   <ldapsuffix>host=SYSTEM1_im,o=company,c=us</ldapsuffix>                 
   <numberOfRowsToDisplayFromSearch>25</numberOfRowsToDisplayFromSearch>
   <searchTimeLimit>60</searchTimeLimit>                                    
   <otherTimeLimit>10</otherTimeLimit>                                      
   <producttype>acf2</producttype>                                         
   <xmlfile>conf/esm/acf2/acf2tree.xml</xmlfile>                           
   </server_info>                                                               
 </tree>                                                                        
    <place-holder/>                                                             
</acf2>                                                                         
******************************** Bottom of Data ********************************

As you can see, the details for port and ldapsuffix will be exactly as specified in the slapd.conf file for web admin use, created during the install of CA LDAP Server.
The port will be 389 in this environment, for both an SSL and a non SSL connection.

The only parameter that is needed to define this as an SSL connection is the addition of one line in the acf2_config.xml file just before the </server_info> and </tree> - the useTLS directive - as follows...


  <xmlfile>conf/esm/acf2/acf2tree.xml</xmlfile>
  <useTLS>true</useTLS>
  </server_info>       
</tree>