Policy server secure ldap connection failure

Document ID : KB000005159
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

After upgrading CA SSO policy server to 12.52SP2 , it's no more able to establish a secure connection to LDAP.

The older version of CA SSO (12.52SP1) is able to establish the secure connection to LDAP just fine.

 

smps.log shows :

[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:788][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.

[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:950][ERROR][sm-Ldap-01370] SmDsLdapConnMgr Bind. Server ad2k8-01 : 636. Error 81-Can't contact LDAP server

Environment:
Policy Server : R12.52SP2 and abovePolicy Server OS : ANYUser Store : ANY LDAP
Cause:

Starting r12.52 SP2 CA SSO Policy Server, the support for SSLv3 protocol for secure connection to LDAP store is disabled by default.

This change was done to mitigate the SSLv3 Poodle Vulnerability : 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566

This can be seen in the smps.log as well :

[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:788][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.

What this now means is that , Policy Server now uses the TLS protocol instead to establish a secure channel to LDAP store.

The detailed list of TLS protocol supported by different version of CA SSO Policy server is listed here :

https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC2147705.html

So, if the supported TLS protocols are NOT enabled on the LDAP server, Policy server wouldn't be able to establish a secure connection to it.

Resolution:

Configure LDAP server to support the TLS protocol supported by the version of CA SSO Policy server as per :

https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC2147705.html

As of r12.52SP2 CR1 (as of this writing) , the Policy server supports only TLSv1.0 and will fail to connect it on any other protocol.

 

So ensure that TLSv1.0 is enabled on the LDAP Server to resolve this connectivity issue. 

For e.g  In case of Active Directory you can configure the SSL protocols as per this guide :

https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS10

Testing:

With TLSv1.0 Disabled on Active Directory 

1. Screenshot TLSv1.0 Disabled on AD

AD_TLSV1.0_Disabled.jpg

2. Screenshot SSL Handshake failure on Policy server side

NONWorking_TLSV1.0Disabled.png

3. Screenshot Admin UI showing connection failure

ADMINUI.png

 

With TLSv1.0 Enabled on Active Directory 

1. Screenshot TLSv1.0 Enabled on AD

AD_TLSV1.0_Enabled.jpg

2. Screenshot SSL Handshake Successful on Policy server side

WORKING_TLSv1.0.png

3. Screenshot Admin UI showing connection success and retrieving result

Admin UI working.png

 

Additional Information: