After WAS config changes for TLSv1.2, getting can't connect to LDAP server
After following the instructions here to re-configure WAS for TLSv1.2,
https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.jazz.install.doc%2Ftopics%2Ft_enable_tls1.2_was.html
my app server can no longer connect to LDAP. These errors appear and I can't log in anymore:

[7/27/16 14:49:14:585 EDT] 00000051 LdapRegistryI E SECJ0336E: Authentication failed for user pspence@us.ibm.com because of the following exception com.ibm.websphere.security.CustomRegistryException: javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized
[7/27/16 14:49:14:586 EDT] 00000051 LTPAServerObj E SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.CustomRegistryException: javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized.
[7/27/16 14:49:14:587 EDT] 00000051 FormLoginExte E SECJ0118E: Authentication error during authentication for user pspence@us.ibm.com
[7/27/16 14:49:23:557 EDT] 00000036 LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:586 EDT] 00000036 LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:621 EDT] 00000036 LdapRegistryI A SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:621 EDT] 00000036 LdapRegistryI E SECJ0352E: Could not get the users matching the pattern dmacnutt@us.ibm.com because of the following exception javax.naming.CommunicationException: anonymous bind failed: bluepages.ibm.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized] at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:189)

Note that I've verified trust stores are accurate.
2 answers
I did most of those things, but did not do any FIPS business anywhere in WebSphere or the ssl.client.props. bluepages has been TLS 1.2 enabled for a while now.
You're probably going to have to disable security in WebSphere "the hard way" (*) to make corrections in its config. I'm assuming you also use LDAP for console access.... Does your NodeDefaultTruststore have the signer for the bluepages certificate? It has fingerprint D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

(*) edit the security.xml changing the first instance of enabled="true" to enabled="false". You might have to kill -15 the WebSphere process (assuming an *ix server ....)
Hi Jim, I think the issue is that your LDAP provider is not supporting TLSv1.2 encryption. Have a look here:
I tried the same for a CLM deployment on WAS without luck.
I think the intention of the WAS developers is that all communication needs to be encrypted with TLSv1.2. Otherwise it's useless? Especially the LDAP connection should not be the point of failure.
When you have a Linux box run sslscan like this
If you don't see TLSv1.2 in the output it's not configured. Alternatively ask the operator of the server. Hope this helps.

Comments
Kevin Ramer
commented Jul 29 '16, 8:06 a.m.
openssl s_client -connect confirms that TLS 1.2 is available on bluepages.ibm.com
Torsten Tuchscheerer
commented Jul 29 '16, 8:29 a.m.
Is JCE deployed in the WAS JRE? Without it, it's also not working.
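The two checks suggested in this thread, whether the LDAP server actually negotiates TLSv1.2 (the sslscan / openssl s_client suggestion) and whether the signer with the fingerprint given in the first answer is present in the truststore, as a small added script. This is an example written for this page, not code from the thread or from IBM; it assumes openssl and keytool are on the PATH, that the truststore is PKCS12 (the WAS default) and that keytool prints a SHA1 fingerprint in `-list` output, as JDK 7/8 did (newer JDKs print SHA-256, so the fingerprint check would need adjusting). The host, port, store path and password are arguments, and the SAMPLE_* strings are constructed so the parsing functions can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): check TLSv1.2 negotiation and the
# certificate's signature algorithm on an LDAPS endpoint, and look for a
# signer fingerprint in a truststore. Everything below the live probes is
# constructed sample data so the parsers can run without network access.

# Return 0 when openssl s_client output shows a TLSv1.2 session, 1 otherwise.
tls12_negotiated() {
    printf '%s\n' "$1" | grep -Eq '^ *Protocol *: *TLSv1\.2 *$'
}

# Print the first "Signature Algorithm" name in openssl x509 -text output.
# This is the algorithm the WAS JRE must recognise for the handshake to pass.
cert_sig_alg() {
    printf '%s\n' "$1" | sed -n 's/^ *Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1
}

# Return 0 when keytool -list output contains an entry with the given SHA1
# fingerprint (colon-separated, as keytool prints it), 1 otherwise.
signer_present() {
    printf '%s\n' "$2" | grep -iqF "(SHA1): $1"
}

# Live check: force TLSv1.2 so a failed handshake means that version is not
# offered on the path to host:port (default port 636, LDAPS).
probe_tls12() {
    host=$1; port=${2:-636}
    out=$(openssl s_client -connect "$host:$port" -tls1_2 </dev/null 2>/dev/null)
    if tls12_negotiated "$out"; then
        cert=$(printf '%s\n' "$out" | openssl x509 -noout -text 2>/dev/null)
        echo "$host:$port negotiated TLSv1.2; certificate signed with $(cert_sig_alg "$cert")"
    else
        echo "$host:$port did not negotiate TLSv1.2"
        return 1
    fi
}

# Live check: look for a signer fingerprint in a PKCS12 truststore.
# Usage: check_signer /path/to/trust.p12 storepass D2:32:...:3A
check_signer() {
    listing=$(keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" 2>/dev/null)
    if signer_present "$3" "$listing"; then
        echo "signer $3 present in $1"
    else
        echo "signer $3 NOT present in $1"
        return 1
    fi
}

# Constructed samples (not real captures) used to exercise the parsers offline.
SAMPLE_TLS12='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_TLS10='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA'
SAMPLE_X509='Certificate:
    Data:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=constructed-ca
    Signature Algorithm: sha256WithRSAEncryption'
SAMPLE_KEYTOOL='bluepages-ca, Jul 29, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A'

# Run the live TLS probe only when a host is given: sh tlscheck.sh host [port]
if [ $# -gt 0 ]; then
    probe_tls12 "$@"
fi
```

Running `probe_tls12 bluepages.ibm.com 636` reproduces the openssl s_client confirmation in the comment above; if the session line is missing, the server (or an intercepting device) is not offering TLSv1.2, and if it is present but the signature algorithm printed is one the WAS JRE does not support, that matches the "certificate signature algorithm is not recognized" handshake error in the question. `check_signer` answers the truststore question from the first answer without opening the admin console, which is useful when security has been disabled the hard way.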