Test authentication source on port 636

Question asked by Riddhish Chakraborty Employee on Mar 5, 2020
Latest reply on Mar 5, 2020 by Ian Staines

Env:
Version 7.1.0.169009 P09_HF02
Application Server Name: JBOSS
Appliance: false
Soft Appliance: true
Database: DB_LOCAL
Customer wants to configure the authentication source on port 636. The customer has set the authentication source on port 389, and we tested with the customer's credentials, which work fine. Customer also added that the test on port 636 works fine but they can't log in to the authentication source (screenshot attached).


The test was performed 2/27 and the aveksaServer.log shows the following errors:
AveksaServer.log:

02/27/2020 10:53:05.702 INFO (Thread-136) [com.aveksa.server.authentication.AuthenticationProviderServiceImpl] Successfully created login module for security domain :<>
02/27/2020 10:53:05.734 INFO (Thread-135) [com.aveksa.server.authentication.AuthenticationProviderServiceImpl] Successfully created login module for security domain :<>
02/27/2020 10:57:27.008 INFO (default task-17) [com.aveksa.gui.core.ACMLoginLogout] Login failure
javax.security.auth.login.LoginException: Connection could not be established with the directory server with username: CN=<  >,OU=<  >,OU=<  >,DC=<>,DC=company,DC=com
at com.aveksa.server.authentication.AveksaJndiLoginModule.connect(AveksaJndiLoginModule.java:704)
at com.aveksa.server.authentication.AveksaJndiLoginModule.authenticate(AveksaJndiLoginModule.java:368)
at com.aveksa.server.authentication.AveksaJndiLoginModule.login(AveksaJndiLoginModule.java:274)
This error is repeated multiple times in the log on 2/27.


These are the steps I sent to the customer (after testing in the lab):


1. The user id used for the test is sioned and the connection URL is set to ldaps://<ip address>:636

I confirmed the information from the command line using ldapsearch command:


ldapsearch -v -h 2k8r2-dc1.2k8r2-vcloud.local -p 389 -D administrator@2k8r2-vcloud.local -w Aveksa123 -z 1 -b 'ou=us,ou=vcloud users,dc=2k8r2-vcloud,dc=local' '(sAMAccountName=Sioned)'


The output:

ldap_open( 2k8r2-dc1.2k8r2-vcloud.local, 389 )
filter pattern: (sAMAccountName=Sioned)
returning: ALL
filter is: ((sAMAccountName=Sioned))
CN=Aabel\, Franz,OU=US,OU=vcloud Users,DC=2k8r2-vcloud,DC=local

I used the above information to setup the authentication source to connect to port 636.


2. Next, I used the openssl command:

openssl s_client -showcerts -connect <IP address>:636

(IP address of the Active Directory server.)

The above command shows the certificate being used by the active directory.
3. I created a file ldap.cer and copied the certificate to the file created.

4. Next, we add the certificate to the keystore:

Location to import the certificate:


/usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/lib/security
5. We run the keytool command:

keytool -import -v -trustcacerts -alias ad -file ldap.cer -keystore /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre/lib/security/cacerts

6. Once the certificate gets imported, we would suggest that you test the authentication source in a dev or test environment before implementing the same in production.


Customer tested the first step and it fails:
openssl s_client -showcerts -connect ldaps://< domain >:636/dc=<>,dc=company,dc=com

getaddrinfo: Servname not supported for ai_socktype
connect:errno=2
We removed the domain component and tested, we still get the error. Customer has not imported the certificate yet.
Please advise and let me know if this is an issue with the certificate and also with the SAN attribute of the SSL certificate.
-Riddhish
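Added example, not code from the original post or from the RSA product: POSIX shell helpers for the openssl and keytool steps above. They reduce an ldaps:// URL to the host:port form that openssl s_client -connect expects (the whole-URL form is what fails with "Servname not supported for ai_socktype"), save the certificate the directory server presents, print its subject and SAN names so the host name in the authentication source URL can be checked against it, and import it with keytool. Host names, the "ad" alias and the cacerts path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post or the product: helpers for the
# openssl/keytool steps in the procedure. Host names, the "ad" alias and the
# cacerts path passed by the caller are assumptions.

# Reduce an LDAP URL to the host:port form that `openssl s_client -connect`
# expects: "ldaps://dc1.example.com:636/dc=example,dc=com" -> "dc1.example.com:636".
# Passing the whole URL to -connect is what makes getaddrinfo fail with
# "Servname not supported for ai_socktype". A bare host defaults to port 636.
ldaps_target() {
    t=$1
    t=${t#ldaps://}
    t=${t#ldap://}
    t=${t%%/*}                 # drop "/dc=..." and anything after the first slash
    case $t in
        *:*) printf '%s\n' "$t" ;;
        *)   printf '%s:636\n' "$t" ;;
    esac
}

# Save the certificate the directory server presents on its LDAPS port as PEM.
# -servername sends SNI so a host with several certificates returns the right one.
# Returns non-zero if nothing was captured, so a connection error is not
# silently turned into an empty .cer file.
fetch_cert() {
    target=$(ldaps_target "$1")
    host=${target%%:*}
    openssl s_client -connect "$target" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$2" 2>/dev/null
    [ -s "$2" ]
}

# Show the subject and Subject Alternative Names, to check that the host name
# used in the authentication source URL is one the certificate actually covers.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Import the saved certificate into the JVM truststore; keytool prompts for the
# store password (a stock cacerts file uses "changeit").
import_cert() {
    keytool -importcert -trustcacerts -noprompt -alias "$2" -file "$1" -keystore "$3"
}
```

For the case in the post, run fetch_cert with the ldaps:// URL and ldap.cer, then cert_names ldap.cer, then import_cert ldap.cer ad with the cacerts path from step 4.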
