Solving problem with enabling LDAPs on Id Router
I am trying to resolve an issue with enabling SSL/TLS on LDAP to port 636 from our IDR on our DMZ to our internal AD servers. Queries over 389 without SSL/TLS work fine. I have verified it is not a problem with our firewall. I have hosts on the DMZ that talk fine to our AD LDAPS.
The symptom I am seeing is a connection reset immediately after sending the first packet to the AD over LDAPS. The dumped logs only show the following:
2021-12-22/02:42:06.814/UTC [Status-Monitor-2] DEBUG com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl[86] - Connection to LDAP was unsuccessful
javax.naming.CommunicationException: simple bind failed: asgard.rhinocorps.com:636 [Root exception is javax.net.ssl.SSLException: Connection reset]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2897)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:347)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:243)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:695)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
at com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl.createInitialDirContext(LdapUserStoreConnectionImpl.java:157)
at com.symplified.adapter.userstores.ldap.LdapUserStoreConnectionImpl.init(LdapUserStoreConnectionImpl.java:84)
at com.symplified.adapter.userstores.ldap.LdapUserStoreService.checkoutConnection(LdapUserStoreService.java:1134)
at com.symplified.adapter.userstores.ldap.LdapUserStoreService.checkoutConnection(LdapUserStoreService.java:1095)
at com.symplified.adapter.userstores.ldap.LdapUserStoreService.getUserByAttributes(LdapUserStoreService.java:2067)
at com.symplified.service.shared.virtualuserstore.VirtualUserStoreServiceImpl.testUserStoreConnection(VirtualUserStoreServiceImpl.java:1335)
at com.symplified.service.appliance.status.monitors.IdentitySourceStatusMonitor.lambda$null$0(IdentitySourceStatusMonitor.java:89)
at java.lang.Iterable.forEach(Iterable.java:75)
at com.symplified.service.appliance.status.monitors.IdentitySourceStatusMonitor.lambda$collectStatusMetrics$1(IdentitySourceStatusMonitor.java:88)
at java.util.ArrayList.forEach(ArrayList.java:1259)
at com.symplified.service.appliance.status.monitors.IdentitySourceStatusMonitor.collectStatusMetrics(IdentitySourceStatusMonitor.java:85)
at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:123)
at com.symplified.service.appliance.status.monitors.AbstractStatusMonitor.call(AbstractStatusMonitor.java:31)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Connection reset
at sun.security.ssl.Alert.createSSLException(Alert.java:127)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:138)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1383)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1291)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:435)
at sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:804)
at sun.security.ssl.SSLSocketImpl.access$200(SSLSocketImpl.java:73)
at sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1166)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:448)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:421)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 28 more
Suppressed: java.net.SocketException: Broken pipe (Write failed)
at java.net.SocketOutputStream.socketWrite0(Native Method)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:111)
at java.net.SocketOutputStream.write(SocketOutputStream.java:155)
at sun.security.ssl.SSLSocketOutputRecord.encodeAlert(SSLSocketOutputRecord.java:81)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:355)
... 43 more
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:210)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:457)
at sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:165)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:109)
... 40 more
Unfortunately, accessing the IDR via SSH does not help. Not being able to sudo to a shell makes the SSH session nearly useless, and at minimum a pain to use. I appreciate the security, but there should be a way to allow customers to get to a root session to diagnose problems.
On another note, I have tried creating a new Tech Support case and the page consistently shows that it is unavailable. Is this normal?
So far I am unimpressed with the level of support we have received in even installing and configuring the SecurID product. I would really appreciate any help folks can offer in solving this problem.
-Freeman @Rhinocorps, LTD. CO
Hi @fpascal4,
We can see what the issue is here after you SSH to your IDR, change user to root, then run openssl s_client -connect <ipOfAd>:636 to diagnose exactly where the issue is.
As you said, you'll need Technical Support's help to switch to root on the IDR. If you're having issues with the Case Management Portal, please feel free to call Support on the numbers listed below:
https://community.rsa.com/t5/support-information/how-to-contact-securid-support/ta-p/638609
