
LDAPS configuration help with ELM 7.0.2 for DOORS NEXT


John Servo (111) | asked Oct 05 '23, 1:02 a.m.
edited Oct 05 '23, 1:11 a.m.

Hello, I've been really struggling with trying to get LDAPS to authenticate so we can use AD SSO with our RM server running on Windows 2019 on Liberty.


Currently I imported the client certificate using the ikeyman tool. When I view the p12 file using the ikeyman app, under personal certificates, I can see my host cert that was signed by the CA, and when I go to the signer certificates section I can see the intermediate CA and Root CA certificates as well.

Next I changed the server.xml to the following:

<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" sslProtocol="TLSv1.2" trustDefaultCerts="true"
 enabledCiphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"/>
<keyStore id="defaultKeyStore" location="server.domain.co.us" type="PKCS12" password="{xor}[omitted]"/>

And I enabled the ldapuserregistry which looks like this:

<featureManager>
    <feature>ldapRegistry-3.0</feature>
</featureManager>

<!-- Sample LDAP user registry configuration -->
<ldapRegistry baseDN="OU=Company,DC=core,DC=company,DC=co,DC=us" bindDN="username-omitted" bindPassword="{aes}AL+omitted==" host="ldaps.company.co.us" id="ldaps.company.co.us:636" ignoreCase="false" ldapType="Microsoft Active Directory" port="636" realm="ldapse.company.co.jp:636" recursiveSearch="true" referal="follow" sslEnabled="true">
    <idsFilters groupFilter="(&amp;(cn=%v)(|(objectclass=groupOfNames)(objectclass=posixGroup)))" groupIdMap=":cn" groupMemberIdMap="ibm-allGroups:member;ibm-allGroups:uniqueMember" userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))" userIdMap=":uid">
    </idsFilters>
    <activedFilters groupIdMap=":cn" groupMemberIdMap=":member" userIdMap="*:sAMAccountName"/>
</ldapRegistry>

But I am getting an error like so when trying to log into the Jazz admin portal:

[ERROR   ] com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.NamingException: LDAP response read timed out, timeout used:60000ms. occurred during processing.
com.ibm.wsspi.security.wim.exception.WIMException: com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.NamingException: LDAP response read timed out, timeout used:60000ms. occurred during processing.
        at com.ibm.ws.security.wim.ProfileManager.loginImpl(ProfileManager.java:1823)
        at [internal classes]
        at com.ibm.team.repository.server.servletbridge.LoginFilter.doFilter(LoginFilter.java:69)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:201)
        at [internal classes]
Caused by: com.ibm.wsspi.security.wim.exception.WIMSystemException: CWIML4520E: The LDAP operation could not be completed. The LDAP naming exception javax.naming.NamingException: LDAP response read timed out, timeout used:60000ms. occurred during processing.
        at com.ibm.ws.security.wim.adapter.ldap.context.ContextManager.getDirContext(ContextManager.java:750)
        ... 4 more
Caused by: javax.naming.NamingException: LDAP response read timed out, timeout used:60000ms.
        at com.sun.jndi.ldap.Connection.readReply(Connection.java:491)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:377)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:226)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2803)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:331)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:237)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:201)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:255)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:166)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:96)
        at org.apache.aries.jndi.ContextHelper.getInitialContextUsingBuilder(ContextHelper.java:199)
        ... 4 more

[AUDIT   ] CWWKS1100A: Authentication did not succeed for user ID username.omitted An invalid user ID or password was specified.

NOTES
I am running Windows 2019 and JRE 20, with WSL as well for testing ldapsearch.
One thing: when I use ldapsearch to authenticate to the LDAPS server from another Linux machine I am able to do it fine, but when I try to run the same ldapsearch query on my ELM server using WSL I get:

Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldaps.company.co.us:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying [ip address]:636 
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
TLS: peer cert untrusted or revoked (0x42)
TLS: can't connect: (unknown error code).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

However, if I disable the TLS/SSL certificate check in ldap.conf via "TLS_REQCERT never", it will authenticate successfully with my username and password.

Is there a way to disable certificate checking in ELM as well, to see if I can log in? Or am I doing something else wrong?

I'd be really grateful for some assistance getting this working. Thanks!

4 answers



Ralph Schoon (63.5k33646) | answered Oct 05 '23, 3:17 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

This is a forum and not a support channel. You might want to open a case with support.

Please try to check the LDAP parameters using http://www.ibm.com/support/docview.wss?uid=swg21445366 .


There is not enough information in the question, but in my experience, you need to get the LDAP connection right and you can not disable features such as TLS. 


John Servo (111) | answered Oct 05 '23, 3:29 a.m.
edited Oct 05 '23, 3:36 a.m.

Hi, thanks for the response.

I previously tried to talk to support and they could not answer my question, so they redirected me here...

Also, I tried verifying the parameters with Apache Directory and all seemed okay so far. In the admin panel in Jazz Team Server (getting in with basicUserRegistry) I am able to import users from AD, which is odd because when I enable ldapRegistry it fails as shown above.

What information am i missing here?

Thanks


Comments
Ralph Schoon commented Oct 05 '23, 3:50 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

I am sorry, but it is absolutely impossible to follow your question. The data displayed does not make sense. It is unclear what you do and where you try to login. 

LDAP response read timed out, timeout used:60000ms.

means that you do not get anything back from LDAP. This does not translate to TLS errors. I do not know where JRE 20 comes into the image, but the Jazz products do not support that version of Java.

You can ask here, but this is a forum and there is no way to interchange log files etc, which would be the minimum requirement here.  


John Servo commented Oct 05 '23, 4:38 a.m.

Hi thanks for your answer,
What is the currently supported version of Java for RMS DOORS NEXT 7.0.2? I'm having trouble finding that info.


Ralph Schoon (63.5k33646) | answered Oct 05 '23, 6:31 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

All Jazz products ship with their own IBM Java. The system requirements can be found on the download page for the version on the "Getting S


Davyd Norris (2.8k217) | answered Oct 05 '23, 10:40 p.m.
I think your problem lies in the fact that your LDAP server certificate is untrusted.

TLS: peer cert untrusted or revoked (0x42)

and the fact you can get LDAPS working with an alternate system when you explicitly tell it to ignore the cert check (a bad idea in production systems).

Based on this, it looks like your LDAP server has been set up with a self-signed or internally signed SSL certificate. If this is the case then you will need to add the root certificate authority to the trusted CA list in your ELM server. See this:

Comments
John Servo commented Oct 09 '23, 4:22 a.m. | edited Oct 09 '23, 4:25 a.m.

Hi, thanks for your answer.

I was able to authenticate with ldapsearch using the rootca.pem file I got from my LDAPS server.

So now I added the same rootca.pem from the LDAPS server, using the ikeyman tool (I'm on Windows), to the signer certificates section of the keystore that I referenced in server.xml:

<keyStore id="defaultKeyStore" location="certificate.p12" type="PKCS12" password= ... />

However, this keystore also contains the certs from my internal CA that were issued for SSL. Should I create another keystore for the root CA of the LDAPS server I'm trying to connect to? But then where do I reference that in the configs?

Am I doing the right thing here? Thanks!


Davyd Norris commented Oct 09 '23, 5:53 p.m.
You must add the root CA for the LDAPS server to the server's trust store, which will have the SSL certificate for the server as well as all the trusted CAs in it. 

Make a backup copy of the existing store first so you can go back if you need to, but follow the directions in the link above and it should work.

I have found that sometimes I also need to add the same CA to the trusted CAs list of the JRE or JDK itself - normally found in <jre>/lib/security/cacerts
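The following is an added diagnostic, not code from this thread, from IBM, or from Liberty. It binds to the LDAPS server using the same JNDI provider (com.sun.jndi.ldap) that appears in the stack trace in the question, with an explicitly chosen PKCS12 trust store, and separates the two failure classes discussed in this thread: a TLS trust failure (the "peer cert untrusted" case Davyd describes, which in Java surfaces as an SSLHandshakeException with "PKIX path building failed") versus no LDAP response at all (the 60000 ms read timeout Ralph points to). Running it once against the keystore referenced in server.xml and once against the JRE's cacerts shows which of the two stores Davyd mentions is still missing the LDAPS server's root CA. All hostnames, DNs, paths and passwords in the usage line are placeholders you substitute for your own environment.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLHandshakeException;

/**
 * Added example (not from the forum thread): test an LDAPS simple bind with a
 * chosen trust store and classify the failure so "untrusted certificate" is not
 * confused with "no response from LDAP".
 *
 * Usage (placeholder values, substitute your own):
 *   java LdapsTrustCheck ldaps://ldaps.example.test:636 "CN=svc-bind,OU=Service,DC=example,DC=test" \
 *        "bind-password" "C:\\ELM\\certificate.p12" "keystore-password"
 */
public class LdapsTrustCheck {

    public static void main(String[] args) {
        if (args.length != 5) {
            System.err.println("usage: LdapsTrustCheck <ldaps-url> <bindDN> <bindPassword> <truststore.p12> <truststore-password>");
            System.exit(2);
        }
        String url = args[0], bindDn = args[1], bindPw = args[2], trustStore = args[3], trustPw = args[4];

        // Point the JVM's default TrustManager at the store that should hold the LDAPS server's root CA.
        // Liberty uses its own <keyStore>/<ssl> elements instead; this reproduces that trust decision outside Liberty.
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", trustPw);
        System.setProperty("javax.net.ssl.trustStoreType", "PKCS12");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        // Short timeouts so a stalled connection fails fast; the trace in the question shows Liberty waiting 60000 ms.
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "10000");

        System.exit(classify(env));
    }

    /** Returns 0 on a successful bind, 1 on a TLS trust failure, 2 on timeout/no response, 3 on any other naming error. */
    static int classify(Hashtable<String, String> env) {
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            System.out.println("OK: TLS handshake and simple bind succeeded");
            return 0;
        } catch (NamingException e) {
            Throwable root = rootCause(e);
            if (root instanceof SSLHandshakeException) {
                // The trust store does not contain the CA that signed the server certificate (PKIX path building failed).
                System.out.println("TLS TRUST FAILURE: " + root.getMessage());
                return 1;
            }
            if (e instanceof CommunicationException || String.valueOf(e.getMessage()).contains("read timed out")) {
                // Nothing came back from the server: firewall, wrong host/port, or a connection that never completed.
                System.out.println("NO RESPONSE / TIMEOUT: " + e.getMessage());
                return 2;
            }
            // Reached the server over TLS but the bind itself was rejected (wrong bindDN/password, etc.).
            System.out.println("OTHER LDAP ERROR: " + e);
            return 3;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    /** Walk the cause chain to the innermost exception, which is where JNDI buries the SSL error. */
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null && t.getCause() != t) {
            t = t.getCause();
        }
        return t;
    }
}
```

Exit code 1 with a PKIX message means the root CA still has to be imported into the store you passed; exit code 2 with the trust store that already works for ldapsearch means the problem is network reachability from the ELM host rather than certificates, which is the distinction Ralph draws from the 60000 ms read timeout. Only the trust store is varied between runs, so the bind credentials stay constant and are not what is being tested.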
