After WAS config changes for TLSv1.2, getting can't connect to LDAP server


Jim Hart (1134) | asked Jul 28 '16, 1:57 p.m.
After following the instructions here to re-configure WAS for TLSv1.2,
https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.jazz.install.doc%2Ftopics%2Ft_enable_tls1.2_was.html

my app server can no longer connect to LDAP - these errors appear and I can't log in anymore

[7/27/16 14:49:14:585 EDT] 00000051 LdapRegistryI E   SECJ0336E: Authentication failed for user pspence@us.ibm.com because of the following exception
com.ibm.websphere.security.CustomRegistryException: javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized
[7/27/16 14:49:14:586 EDT] 00000051 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.CustomRegistryException: javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized.
[7/27/16 14:49:14:587 EDT] 00000051 FormLoginExte E   SECJ0118E: Authentication error during authentication for user pspence@us.ibm.com
[7/27/16 14:49:23:557 EDT] 00000036 LdapRegistryI A   SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:586 EDT] 00000036 LdapRegistryI A   SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:621 EDT] 00000036 LdapRegistryI A   SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:621 EDT] 00000036 LdapRegistryI E   SECJ0352E: Could not get the users matching the pattern dmacnutt@us.ibm.com because of the following exception
javax.naming.CommunicationException: anonymous bind failed: bluepages.ibm.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:189)

Note that I've verified trust stores are accurate.

2 answers



Kevin Ramer (4.5k8183200) | answered Jul 28 '16, 4:54 p.m.
edited Jul 28 '16, 5:02 p.m.
I did most of those things, but did not do any FIPS business anywhere in WebSphere or the ssl.client.props. bluepages has been TLS 1.2 enabled for a while now.

You're probably going to have to disable security in WebSphere "the hard way" (*) to make corrections in its config. I'm assuming you also use LDAP for console access...

Does your NodeDefaultTruststore have the signer for the bluepages certificate? It has fingerprint

D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

(*) Edit the security.xml, changing the first instance of enabled="true" to enabled="false".

You might have to kill -15 on the websphere process (assuming an *ix server...)




Torsten Tuchscheerer (2317) | answered Jul 29 '16, 7:23 a.m.

Hi Jim,

I think the issue is that your LDAP provider is not supporting TLSv1.2 encryption. Have a look here:

com.ibm.websphere.security.CustomRegistryException:
javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not
recognized
	
I tried the same for a CLM deployment on WAS without luck.

I think the intention of the WAS developers is that all communication needs to be encrypted with TLSv1.2. Otherwise it’s useless? Especially the LDAP connection should not be the point of failure.

If you have a Linux box, run sslscan like this:

sslscan bluepages.ibm.com:636

If you don’t see TLSv1.2 in the output, it’s not configured. Alternatively, ask the operator of the server.

Hope this helps.


Comments
Kevin Ramer commented Jul 29 '16, 8:06 a.m.

openssl s_client -connect confirms that TLS 1.2 is available on bluepages.ibm.com
....

-----END CERTIFICATE-----
subject=/C=US/ST=New York/L=Armonk/O=International Business Machines Corporation/CN=bluepages.ibm.com
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4267 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
 
Maybe turning on javax.net.debug for ssl might give clues.

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug


Torsten Tuchscheerer commented Jul 29 '16, 8:29 a.m.

Is JCE deployed in the WAS JRE? Without it, it's also not working.
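
For triaging a SystemOut.log like the one in the question, the sketch below groups each SECJ record with its continuation lines and reports which LDAP URLs were unreachable and which javax.net.ssl exception sits underneath. It is an added example, not code from this thread or from WebSphere; the function names are hypothetical and the sample log is constructed from the question's excerpt with a placeholder user name.

```python
import re
from collections import Counter

# Constructed sample modelled on the question's log excerpt (placeholder user name).
SAMPLE_LOG = """\
[7/27/16 14:49:14:585 EDT] 00000051 LdapRegistryI E   SECJ0336E: Authentication failed for user user@example.com because of the following exception
com.ibm.websphere.security.CustomRegistryException: javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized
[7/27/16 14:49:23:557 EDT] 00000036 LdapRegistryI A   SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:586 EDT] 00000036 LdapRegistryI A   SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:621 EDT] 00000036 LdapRegistryI E   SECJ0352E: Could not get the users matching the pattern user@example.com because of the following exception
javax.naming.CommunicationException: anonymous bind failed: bluepages.ibm.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:189)
"""

# Header layout: [timestamp] threadId component level   CODE: message
RECORD = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<thread>[0-9a-fA-F]{8})\s+"
                    r"(?P<comp>\S+)\s+(?P<level>[A-Z])\s+(?P<code>[A-Z]{4}\d{4}[A-Z]):\s*(?P<msg>.*)$")
TLS_CAUSE = re.compile(r"(javax\.net\.ssl\.\w+Exception): ([^\]\n]+)")
LDAP_URL = re.compile(r"ldaps?://[\w.-]+:\d+")


def parse_records(text):
    """Group each header line with its continuation lines (exception text, stack frames)."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({**m.groupdict(), "detail": []})
        elif records and line.strip():
            records[-1]["detail"].append(line.strip())
    return records


def triage(text):
    """Summarise SECJ records: codes seen, unreachable LDAP URLs, TLS root causes."""
    codes, servers, causes = Counter(), Counter(), Counter()
    for rec in parse_records(text):
        if not rec["code"].startswith("SECJ"):
            continue
        codes[rec["code"]] += 1
        servers.update(LDAP_URL.findall(rec["msg"]))
        for exc, reason in TLS_CAUSE.findall(" ".join(rec["detail"])):
            causes[(exc, reason.strip().rstrip("."))] += 1
    return {"codes": dict(codes), "ldap_servers": dict(servers), "tls_causes": dict(causes),
            "tls_handshake_failure": any("SSLHandshakeException" in e for e, _ in causes)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A handshake failure reported here means the bind never reached LDAP authentication, so the TLS layer is the place to look rather than the user's credentials.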
