
After WAS config changes for TLSv1.2, getting can't connect to LDAP server

After following the instructions here to re-configure WAS for TLSv1.2,
https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.jazz.install.doc%2Ftopics%2Ft_enable_tls1.2_was.html

my app server can no longer connect to LDAP - these errors appear and I can't log in anymore

[7/27/16 14:49:14:585 EDT] 00000051 LdapRegistryI E   SECJ0336E: Authentication failed for user pspence@us.ibm.com because of the following exception
com.ibm.websphere.security.CustomRegistryException: javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized
[7/27/16 14:49:14:586 EDT] 00000051 LTPAServerObj E   SECJ0369E: Authentication failed when using LTPA. The exception is com.ibm.websphere.security.CustomRegistryException:
javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized.
[7/27/16 14:49:14:587 EDT] 00000051 FormLoginExte E   SECJ0118E: Authentication error during authentication for user pspence@us.ibm.com
[7/27/16 14:49:23:557 EDT] 00000036 LdapRegistryI A   SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:586 EDT] 00000036 LdapRegistryI A   SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:621 EDT] 00000036 LdapRegistryI A   SECJ0418I: Cannot connect to the LDAP server ldap://bluepages.ibm.com:636.
[7/27/16 14:49:23:621 EDT] 00000036 LdapRegistryI E   SECJ0352E: Could not get the users matching the pattern dmacnutt@us.ibm.com because of the following exception
javax.naming.CommunicationException: anonymous bind failed: bluepages.ibm.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:189)

Note that I've verified the trust stores are accurate.


2 answers

I did most of those things, but did not do any FIPS business anywhere in WebSphere or the ssl.client.props. Bluepages has been TLS 1.2 enabled for a while now.

You're probably going to have to disable security in WebSphere "the hard way" (*) to make corrections in its config. I'm assuming you also use LDAP for console access....

Does your NodeDefaultTruststore have the signer for the bluepages certificate? It has fingerprint

D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

(*) edit the security.xml, changing the first instance of enabled="true" to enabled="false".

You might have to kill -15 the websphere process (assuming an *ix server ....)


Hi Jim,

I think the issue is that your LDAP provider is not supporting TLSv1.2 encryption. Have a look here:

com.ibm.websphere.security.CustomRegistryException: javax.net.ssl.SSLHandshakeException: certificate signature algorithm is not recognized
I tried the same for a CLM deployment on WAS without luck.

I think the intention of the WAS developers is that all communication needs to be encrypted with TLSv1.2. Otherwise it's useless? Especially the LDAP connection should not be the point of failure.

When you have a Linux box, run sslscan like this:

sslscan bluepages.ibm.com:636

If you don’t see TLSv1.2 in the output it’s not configured. Alternatively ask the operator of the server.

Hope this helps.


Comments

openssl s_client -connect confirms that TLS 1.2 is available on bluepages.ibm.com
....

-----END CERTIFICATE-----
subject=/C=US/ST=New York/L=Armonk/O=International Business Machines Corporation/CN=bluepages.ibm.com
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4267 bytes and written 589 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA

Maybe turning on javax.net.debug for ssl might give clues.

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug

Is JCE deployed in the WAS JRE? Without it, it's also not working.
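A small POSIX shell script, added here and not part of this thread, that combines the two checks suggested above: it forces a TLS 1.2 handshake with openssl s_client and reports the negotiated protocol and cipher, then lists the subject and signature algorithm of every certificate the server sent, so the chain can be compared against what the WAS JRE accepts (the handshake exception above is about the certificate signature algorithm). It assumes OpenSSL is on PATH; the host and port are arguments (bluepages.ibm.com 636 in this thread).

```shell
# Added example, not from the thread: probe an LDAPS endpoint the way the
# sslscan / openssl s_client suggestions above do. Assumes OpenSSL is on PATH.
# Reduce "openssl s_client" output on stdin to the negotiated protocol and cipher.
parse_session() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END { printf "protocol=%s cipher=%s\n", proto, cipher }
    '
}

# True only if a real TLS 1.2 session was negotiated (cipher 0000 = handshake failed).
tls12_ok() {
    case "$1" in
        "protocol=TLSv1.2 cipher=0000" | "protocol=TLSv1.2 cipher=") return 1 ;;
        "protocol=TLSv1.2 cipher="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print subject and signature algorithm of every certificate in the
# "-showcerts" output on stdin; compare these against what the WAS JRE accepts.
chain_sig_algs() {
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > (f) }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    '
    for pem in "$tmp"/cert-*.pem; do
        [ -f "$pem" ] || continue
        openssl x509 -in "$pem" -noout -text | awk '
            /^ *Subject:/ && !subj         { sub(/^ *Subject: */, ""); subj = $0 }
            /Signature Algorithm:/ && !alg { alg = $3 }
            END { printf "subject=\"%s\" sigalg=%s\n", subj, alg }
        '
    done
    rm -rf "$tmp"
}

# Force a TLS 1.2 handshake (the protocol WAS was just configured for) and report.
probe_ldaps() {
    host="$1"; port="${2:-636}"
    out=$(openssl s_client -connect "$host:$port" -tls1_2 -showcerts </dev/null 2>&1)
    session=$(printf '%s\n' "$out" | parse_session)
    echo "$session"
    tls12_ok "$session" && echo "TLS 1.2: negotiated" || echo "TLS 1.2: handshake failed"
    printf '%s\n' "$out" | chain_sig_algs
}
if [ $# -gt 0 ]; then probe_ldaps "$@"; fi
```

Run it as `sh probe.sh bluepages.ibm.com 636`; a chain whose sigalg line names an algorithm the JRE has disabled is the thing to take to the LDAP operator.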

Question asked: Jul 28 '16, 1:57 p.m.

Question was seen: 5,631 times

Last updated: Jul 29 '16, 8:29 a.m.