LDAP SSL certificate error

Hi!

We use an Ubuntu OpenLDAP server with an SSL certificate for authentication with HPSM 9.40 and Connect-It 9.53 running on Windows 2008 Server. This has been working so far, but because of an LDAP server upgrade we have to change the certificate.

I have done this before, but this time I can't make the new certificate work. The LDAP server gives the response "TLS negotiation failure", indicating that the issue is certificate related.

The only difference I can find between the old and the new certificate (apart from new host names and certificate code) is change of the encryption algorithm:

$ diff <(openssl x509 -text <old-cert | grep Encrypt) <(openssl x509 -text <new-cert | grep Encrypt) | grep '^[<>]'

< Signature Algorithm: sha1WithRSAEncryption
> Signature Algorithm: sha256WithRSAEncryption
< Signature Algorithm: sha1WithRSAEncryption
> Signature Algorithm: sha256WithRSAEncryption

Other applications we have are working fine with the new certificate and new LDAP server. Therefore I suspect that our HPSM and Connect-It versions don't support certificates using SHA256 encryption. Getting a new certificate using SHA1 isn't an option, so I'm kind of stuck.

Could anyone point me to a way forward?

Will upgrading HPSM and Connect-It to the latest version available solve the problem? (I haven't been able to locate the release notes for these).

Accepted Solutions

Thank you for answering. I have been on leave after posting this, therefore my answer is significantly delayed.

As I said, we are not using Active Directory for either authentication or the certificate store, so your answer didn't help my case.

However, together with our company's "certificate guy" I found the solution, which was to include just the Root CA in the certificate file. This worked both for HPSM app server authentication, and for Connect-It setup for scenarios using LDAPS.

2 Replies

Re: LDAP SSL certificate error

Hello Leiv,

Troubleshooting LDAP over SSL connection problems

Step 1

Make sure that the Server Authentication certificate that you use meets the following requirements:
  • The Active Directory fully qualified domain name of the domain controller appears in one of the following locations:
    • The common name (CN) in the Subject field
    • The Subject Alternative Name (SAN) extension in the DNS entry
  • The enhanced key usage extension includes the Server Authentication object identifier (1.3.6.1.5.5.7.3.1).
  • The associated private key is available on the domain controller. To verify that the key is available, use the certutil -verifykeys command.
  • The certificate chain is valid on the client computer. To determine whether the certificate is valid, follow these steps:
    1. On the domain controller, use the Certificates snap-in to export the SSL certificate to a file that is named Serverssl.cer.
    2. Copy the Serverssl.cer file to the client computer.
    3. On the client computer, open a Command Prompt window.
    4. At the command prompt, type the following command to send the command output to a file that is named Output.txt:
       certutil -v -urlfetch -verify serverssl.cer > output.txt

Step 2: Verify the Client Authentication certificate

In some cases, LDAPS uses a Client Authentication certificate if it is available on the client computer. If such a certificate is available, make sure that the certificate meets the following requirements:

  • The enhanced key usage extension includes the Client Authentication object identifier (1.3.6.1.5.5.7.3.2).
  • The associated private key is available on the client computer. To verify that the key is available, use the certutil -verifykeys command.
  • The certificate chain is valid on the domain controller. To determine whether the certificate is valid, follow these steps:
    1. On the client computer, use the Certificates snap-in to export the SSL certificate to a file that is named Clientssl.cer.
    2. Copy the Clientssl.cer file to the server.
    3. On the server, open a Command Prompt window.
    4. At the command prompt, type the following command to send the command output to a file that is named Outputclient.txt:
       certutil -v -urlfetch -verify clientssl.cer > outputclient.txt
    5. Open the Outputclient.txt file, and then search for errors.

Step 3: Check for multiple SSL certificates

Determine whether multiple SSL certificates meet the requirements that are described in step 1. Schannel (the Microsoft SSL provider) selects the first valid certificate that Schannel finds in the Local Computer store. If multiple valid certificates are available in the Local Computer store, Schannel may not select the correct certificate. A conflict with a certification authority (CA) certificate may occur if the CA is installed on a domain controller that you are trying to access through LDAPS.

Step 4: Verify the LDAPS connection on the server

Use the Ldp.exe tool on the domain controller to try to connect to the server by using port 636. If you cannot connect to the server by using port 636, see the errors that Ldp.exe generates. Also, view the Event Viewer logs to find errors.

Step 5: Enable Schannel logging

Enable Schannel event logging on the server and on the client computer.

 
make reference:
 
also please check the LDAP best practices:
 
 
Carlos Villalobos R
Customer Support Engineer
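The checks in Step 1 above (host name in CN/SAN, Server Authentication EKU 1.3.6.1.5.5.7.3.1, chain valid against the trust file) and the accepted answer's fix (a trust file holding just the Root CA) can be reproduced with openssl on the Ubuntu side, without certutil. The script below is an added example, not code from either post or from HPSM/Connect-It: it builds a throwaway test PKI (the host name ldap.example.internal, the two test roots and all file names are constructed for the demo), then validates the server certificate against a file containing only the correct root, and shows the same check failing against an unrelated root. It also prints the signature algorithm the original poster diffed, so SHA-256 vs. SHA-1 can be separated from chain problems.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI (1.1.1 or newer).
# Builds a constructed test PKI, then checks an LDAPS server certificate the way
# Step 1 of the reply describes: chain to a root in the trust file, host name in
# CN/SAN, EKU = serverAuth. The trust file contains ONLY the root CA, which is
# what the accepted answer ended up doing.

make_test_pki() {
    dir=$(mktemp -d) || return 1
    # Minimal openssl config: subject comes from -subj, extensions from sections.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ldap.example.internal
EOF
    # Two self-signed roots: "ca" signs the LDAP server cert; "other-ca" stands in
    # for a wrong or stale CA file that does not chain to the server cert.
    for name in ca other-ca; do
        openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
            -subj "/CN=Test Root CA $name" -config "$dir/pki.cnf" -extensions v3_ca \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || return 1
    done
    # Server key + CSR, then sign it with the root using the v3_server extensions
    # (SAN with the LDAP host name, EKU serverAuth), SHA-256 like the poster's cert.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ldap.example.internal" -config "$dir/pki.cnf" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/pki.cnf" -extensions v3_server \
        -out "$dir/srv.crt" 2>/dev/null || return 1
    echo "$dir"
}

# Prints the certificate's signature algorithm (what the poster's diff compared).
signature_algorithm() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# check_ldaps_cert CERT TRUSTFILE HOSTNAME
# Returns 0 only if CERT chains to a root in TRUSTFILE, is usable as a TLS server
# (keyUsage/EKU) and HOSTNAME matches its CN or SAN.
check_ldaps_cert() {
    cert=$1; trust=$2; host=$3
    if ! openssl verify -CAfile "$trust" -purpose sslserver \
            -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not validate against $trust for $host"
        return 1
    fi
    # Explicit EKU check, mirroring Step 1's Server Authentication requirement.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: $cert lacks the Server Authentication EKU"
        return 1
    fi
    echo "OK: $cert validates against $trust for $host"
}

demo() {
    d=$(make_test_pki) || { echo "could not build test PKI"; return 1; }
    echo "Signature algorithm: $(signature_algorithm "$d/srv.crt")"
    check_ldaps_cert "$d/srv.crt" "$d/ca.crt" ldap.example.internal          # expected OK
    check_ldaps_cert "$d/srv.crt" "$d/other-ca.crt" ldap.example.internal || true  # expected FAIL
    rm -rf "$d"
}
demo
```

Pointing check_ldaps_cert at the real certificate file that HPSM or Connect-It is given (with the LDAP server's actual host name) distinguishes the three usual causes of a "TLS negotiation failure": a trust file that does not contain the issuing root, a host name that is not in CN/SAN, or a certificate issued without the serverAuth EKU; a SHA-256 signature by itself passes all three.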