After WAS config changes for TLSv1.2, getting can't connect to LDAP server
https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.jazz.install.doc%2Ftopics%2Ft_enable_tls1.2_was.html
my app server can no longer connect to LDAP - these errors appear and I can't log in anymore
[7/27/16 14:49:14:585 EDT] 00000051 LdapRegistryI E SECJ0336E: Authentication failed for user pspence@us.ibm.com because of the following exception
com.ibm.websphere.security.CustomRegistryException: javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized
[7/27/16 14:49:14:586 EDT] 00000051 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.CustomRegistryException: javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized.
[7/27/16 14:49:14:587 EDT] 00000051 FormLoginExte E SECJ0118E: Authentication error during authentication for user pspence@us.ibm.com
[7/27/16 14:49:23:557 EDT] 00000036 LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:586 EDT] 00000036 LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:621 EDT] 00000036 LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:621 EDT] 00000036 LdapRegistryI E SECJ0352E: Could not get the users matching the pattern dmacnutt@us.ibm.com because of the following exception
javax.naming.CommunicationException: anonymous bind failed: bluepages.ibm.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:189)
Note that I've verified trust stores are accurate
2 answers
You're probably going to have to disable security in WebSphere "the hard way" (*) to make corrections in its config. I'm assuming you also use LDAP for console access....
Does your NodeDefaultTrustStore have the signer for the bluepages certificate? It has fingerprint
D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
(*) edit the security.xml changing the first instance of enabled="true" to enabled="false"
You might have to kill -15 the WebSphere process (assuming an *ix server ....)
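As an added example (not part of either answer, and not IBM's or WebSphere's code): the answer above asks whether the truststore holds the signer with a given SHA-1 fingerprint, and the error in the question names the certificate's signature algorithm as the thing the handshake rejected. The stdlib-only Python below takes a certificate in DER form (what `keytool -exportcert` writes, or what `openssl x509 -outform DER` produces from a PEM block captured with `openssl s_client -showcerts`), computes the SHA-1 fingerprint in the colon form used above, and walks the outer DER layout to read the signatureAlgorithm OID, so you can see which algorithm the JSSE provider is objecting to and whether the chain you fetched is the one in NodeDefaultTrustStore. The sample certificate it builds is a constructed stand-in with the real outer structure and placeholder inner fields, not the bluepages certificate; the list of digests it flags as weak is an assumption, and whether that is the cause on this server is not established on this page.

```python
import hashlib

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

# Assumption: digests a TLS 1.2-hardened JSSE policy commonly refuses in certificate
# signatures. Align with the java.security policy of the WAS JRE you actually run.
WEAK_DIGESTS = ("md5", "sha1")


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der_tlv(0x06, bytes(body))


def read_tlv(buf, pos=0):
    """Return (tag, content, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    arcs, cur = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def cert_fingerprint(der):
    """SHA-1 over the whole DER certificate, colon-separated as keytool prints it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def cert_signature_algorithm(der):
    """Name of the outer signatureAlgorithm of an X.509 Certificate, i.e.
    SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(cert)           # skip tbsCertificate
    _, alg_id, _ = read_tlv(cert, after_tbs)   # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg_id)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = decode_oid(oid)
    return SIG_ALG_NAMES.get(dotted, dotted)


def check_cert(der, expected_fingerprint=None):
    """Summarise what a TLS 1.2-strict client cares about in this certificate."""
    fp = cert_fingerprint(der)
    alg = cert_signature_algorithm(der)
    match = None if expected_fingerprint is None else fp == expected_fingerprint.upper()
    return {
        "fingerprint": fp,
        "signature_algorithm": alg,
        "fingerprint_match": match,
        "weak_signature": any(d in alg.lower() for d in WEAK_DIGESTS),
        "unknown_algorithm": alg not in SIG_ALG_NAMES.values(),
    }


def build_sample_cert(sig_oid):
    """Constructed stand-in for a DER certificate: real outer layout, placeholder
    contents. Not a valid certificate and not the bluepages certificate."""
    alg_id = der_tlv(0x30, der_oid(sig_oid) + b"\x05\x00")   # OID + NULL params
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + alg_id)      # serial + inner sigalg
    sig = der_tlv(0x03, b"\x00" + bytes(16))                   # BIT STRING, 0 unused bits
    return der_tlv(0x30, tbs + alg_id + sig)


if __name__ == "__main__":
    expected = "D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A"
    for oid in ("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.5"):
        print(check_cert(build_sample_cert(oid), expected))
```

To run it against the real server, capture the chain with `openssl s_client -connect bluepages.ibm.com:636 -showcerts </dev/null`, save each `-----BEGIN CERTIFICATE-----` block to its own PEM file, convert with `openssl x509 -in ca.pem -outform DER -out ca.der`, and call `check_cert(open("ca.der", "rb").read(), "D2:32:09:...")` for the issuer's file; a `fingerprint_match` of False on every certificate in the chain means the signer in the truststore is not the one the server is presenting, and `weak_signature` or `unknown_algorithm` points at the signature-algorithm side of the error instead.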
Hi Jim,
I think the issue is that your LDAP provider is not supporting TLSv1.2 encryption. Have a look here:
com.ibm.websphere.security.CustomRegistryException: javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized
I tried the same for a CLM deployment on WAS without luck.
I think the intention of the WAS developers is that all communication needs to be encrypted with TLSv1.2. Otherwise it's useless? Especially the LDAP connection should not be the point of failure.
When you have a Linux box, run sslscan like this:
sslscan bluepages.ibm.com:636
If you don't see TLSv1.2 in the output, it's not configured. Alternatively, ask the operator of the server.
Hope this helps.
Comments
openssl s_client -connect confirms that TLS 1.2 is available on bluepages.ibm.com
....
-----END CERTIFICATE-----
subject=/C=US/ST=New York/L=Armonk/O=International Business Machines Corporation/CN=bluepages.ibm.com
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4267 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Maybe turning on javax.net.debug for ssl might give clues.
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug
Is JCE deployed in the WAS JRE? Without it, it's also not working.