florianz1

Disabling TLS services because of configuration failure ..

Hi, I need your help .. 🙂

I am trying to configure my LDAP server(s) to use a dedicated certificate,
created with my own (eDirectory) CA. However, I can't get TLS up and running
with my own certificate. The default DNS certificate (SSL CertificateDNS) does
the job though ...

This is the certificate I want to use:

Name Value
Certificate name: myCompany_eDir_LDAPCert
Key size: 2048
Key usage: Key encipherment
Key usage: Digital signature
Key usage extension: Is not critical
Allow export of private key: No
Extended key usage: Server
Extended key usage extension: Is not critical
Subject name: .o=myCompany.CN=myServername.myDomain.local
UTF8 encode names: No
Subject alternative name: IP: 10.252.130.211
Subject alternative name: DNS: mDNSAlias.myDomain.local
Subject alternative name: DNS: myServername.myDomain.local
Signature algorithm: SHA 256-RSA (SHA2)
Effective date: Friday, July 7, 2017 8:48:00 AM CEST
Expiration date: Sunday, July 7, 2019 8:48:00 AM CEST
Trusted Root: Your organization's certificate

The only difference from 'SSL CertificateDNS' is the SAN mDNSAlias.myDomain.local
and 'Server Authentication' as extended key usage. For testing I even tried to
omit both of those values, without success.

To exclude a CA misconfiguration I deleted and recreated 'SSL CertificateDNS';
it still did work.

In my trace I see the following lines when starting the NetIQ SecretStore LDAP
Transport with my custom certificate (interestingly, no exception number with
SSL_CTX_use_KMO):

13:53:19 2FC LDAP: LDAP Agent for NetIQ eDirectory 9.0.3 (40005.15) started
13:53:19 2FC LDAP: Updating server configuration
13:53:19 2FC LDAP: Work info status: Total:2 Peak:2 Busy:0
13:53:19 AFC LDAP: Listener applying new configuration
13:53:19 AFC LDAP: LDAPURL: ldap://:389
13:53:19 AFC LDAP: LDAPURL: ldaps://:636
13:53:19 AFC LDAP: Listener setting up cleartext port 389
13:53:19 AFC LDAP: Listener setting up TLS port 636
13:53:19 AFC LDAP: SSLv3 disabled for secure LDAP connections.
13:53:19 AFC LDAP: TLS HIGH ciphers required for TLS connections
13:53:19 AFC LDAP: TLS initialization successfully completed
13:53:19 AFC LDAP: SSL_CTX_use_KMO failed. Error stack:
13:53:19 AFC LDAP: SSL_CTX_use_KMO failed. Error stack:
13:53:19 AFC LDAP: Disabling TLS services because of configuration failure


Thanks for your input, Florian
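As an added example (not part of the original post, and not eDirectory tooling), the script below parses ndstrace +LDAP lines like the ones quoted above and reports whether the LDAPS listener came up or the server disabled TLS after failing to load the server certificate (KMO). It also flags the detail the poster noticed: a "failed. Error stack:" line with nothing after it. The line format it expects ("HH:MM:SS <thread> LDAP: <message>") is taken from the post; the "healthy" sample trace is constructed for contrast and is an assumption.

```python
"""Classify an eDirectory ndstrace '+LDAP' startup excerpt: did the LDAPS
listener come up, or was TLS disabled after a configuration failure?

Added example for this thread; the parser and the healthy sample trace are
assumptions and not part of eDirectory or the original post.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Trace lines in the post look like "13:53:19 AFC LDAP: <message>":
# time, hexadecimal thread id, the LDAP tag, then the message.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+([0-9A-Fa-f]+)\s+LDAP:\s(.*)$")
URL_RE = re.compile(r"^LDAPURL:\s+(ldaps?://\S+)$")
FAILED_RE = re.compile(r"^(\w+) failed\. Error stack:\s*(.*)$")


@dataclass
class TlsStartupReport:
    listeners: List[str] = field(default_factory=list)   # LDAPURL entries seen
    tls_initialized: bool = False     # "TLS initialization successfully completed"
    failed_calls: List[str] = field(default_factory=list)  # e.g. SSL_CTX_use_KMO
    empty_error_stack: bool = False   # a failure line with nothing after "Error stack:"
    tls_disabled: bool = False        # "Disabling TLS services because of configuration failure"

    def verdict(self) -> str:
        if self.tls_disabled:
            calls = ", ".join(sorted(set(self.failed_calls))) or "an unnamed call"
            parts = [f"FAIL: TLS disabled after {calls} failed"]
            if self.empty_error_stack:
                parts.append("the error stack is empty, so no library error code was logged")
            if "SSL_CTX_use_KMO" in self.failed_calls and self.tls_initialized:
                parts.append("TLS initialization completed, so look at the KMO, not the TLS stack")
            return "; ".join(parts)
        if self.tls_initialized and any(u.startswith("ldaps://") for u in self.listeners):
            return "OK: ldaps listener configured and TLS initialized"
        return "UNKNOWN: no ldaps listener or TLS initialization seen in this excerpt"


def analyze_ldap_trace(trace: str) -> TlsStartupReport:
    """Walk the trace line by line and collect the TLS-relevant events."""
    report = TlsStartupReport()
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                          # not an LDAP trace line; skip it
        msg = m.group(3)
        if (u := URL_RE.match(msg)):
            report.listeners.append(u.group(1))
        elif msg == "TLS initialization successfully completed":
            report.tls_initialized = True
        elif (f := FAILED_RE.match(msg)):
            report.failed_calls.append(f.group(1))
            if not f.group(2).strip():
                report.empty_error_stack = True
        elif msg.startswith("Disabling TLS services because of configuration failure"):
            report.tls_disabled = True
    return report


# Trace lines exactly as posted in the thread (the failing case).
FAILING_TRACE = """\
13:53:19 2FC LDAP: LDAP Agent for NetIQ eDirectory 9.0.3 (40005.15) started
13:53:19 2FC LDAP: Updating server configuration
13:53:19 2FC LDAP: Work info status: Total:2 Peak:2 Busy:0
13:53:19 AFC LDAP: Listener applying new configuration
13:53:19 AFC LDAP: LDAPURL: ldap://:389
13:53:19 AFC LDAP: LDAPURL: ldaps://:636
13:53:19 AFC LDAP: Listener setting up cleartext port 389
13:53:19 AFC LDAP: Listener setting up TLS port 636
13:53:19 AFC LDAP: SSLv3 disabled for secure LDAP connections.
13:53:19 AFC LDAP: TLS HIGH ciphers required for TLS connections
13:53:19 AFC LDAP: TLS initialization successfully completed
13:53:19 AFC LDAP: SSL_CTX_use_KMO failed. Error stack:
13:53:19 AFC LDAP: SSL_CTX_use_KMO failed. Error stack:
13:53:19 AFC LDAP: Disabling TLS services because of configuration failure
"""

# Constructed healthy excerpt (not from the thread): same startup, no KMO failure.
HEALTHY_TRACE = """\
13:53:19 AFC LDAP: Listener applying new configuration
13:53:19 AFC LDAP: LDAPURL: ldap://:389
13:53:19 AFC LDAP: LDAPURL: ldaps://:636
13:53:19 AFC LDAP: Listener setting up cleartext port 389
13:53:19 AFC LDAP: Listener setting up TLS port 636
13:53:19 AFC LDAP: TLS initialization successfully completed
"""

if __name__ == "__main__":
    for name, trace in (("posted trace", FAILING_TRACE), ("constructed healthy trace", HEALTHY_TRACE)):
        print(f"{name}: {analyze_ldap_trace(trace).verdict()}")
```

Feed it the +LDAP portion of an ndstrace capture (for example a file written with `ndstrace -l > trace.log` after enabling the LDAP tag); anything that is not an LDAP line is ignored, so it can run over a mixed trace.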

Knowledge Partner
Re: Disabling TLS services because of configuration failure ..

Could you describe, in detail, how you created your Key Material Object
(KMO)? If you created it from another CA, eDirectory or otherwise,
presumably you had to import all of the pieces of the certificate to this
tree and KMO, including the private key. Knowing every single step you
used may be useful to troubleshoot or reproduce the issue.

Also, which eDirectory version are you using, and is this a new install or
an upgrade?

On 07/13/2017 06:14 AM, florianz wrote:
> [original post quoted in full; see above]


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
florianz1

Re: Disabling TLS services because of configuration failure

The server to configure is running NetIQ eDirectory 9.0.3 (40005.15); the one holding the CA (same tree) has version 8.8.8.2 (20803.05).

I am doing that through iManager 3.0.3 with the latest pki.npm installed:
------------------------
iManager | NetIQ Certificate Server | Create Server Certificate
------------------------

------------
Create Server Certificate Step 1
------------
Server: <myserverinedirnotation>
Nickname: myCompany_eDir_LDAPCert

Creation Method
Standard
x Custom
Import

------------
Create Server Certificate Step 2
------------
x Organizational certificate authority
External certificate authority

------------
Create Server Certificate Step 3
------------
Select Algorithm:
Key Algorithm type: RSA
Key size: 2048 (bits)

Key type:
Unspecified
Encryption
Signature
x SSL or TLS
Custom

Key usage:
Data encipherment
x Key encipherment
x Digital signature
Certificate signing
CRL signing
Set the key usage extension to critical.
Allow private key to be exported

x Enable extended key usage
Extended key type:
x Server
User
Custom
Any

Extended key usage:
x Server authentication
User authentication
Code signing
E-mail protection
Time stamping
OCSP signing
Encrypted File System
Cert Trust List Signing
Time Stamp Signing
Server Gated Crypto

Set the extended key usage extension to critical.

------------
Create Server Certificate Step 4
------------
Subject name: .o=myCompany.CN=myServername.myDomain.local
Use UTF8 encoding for names

Subject Alternative Names
Type Name
IP <ip>
DNS <san_nr1>
DNS <san_nr2>

Signature algorithm:
SHA-256-RSA (SHA2)

Validity period: 2 years

------------
Create Server Certificate Step 5
------------
x Your organization's certificate
Novell Root Certifier's certificate

florianz1

Re: Disabling TLS services because of configuration failure

And: new installation.

Knowledge Partner

Re: Disabling TLS services because of configuration failure ..

Was that all in the other tree, I presume? How did you get it into the
new tree, then, specifically?

To me the steps used here are pretty standard, other than you chose
'Custom' instead of 'Standard', though I am not completely sure which of
the 'Key usage' options may be different from standard. Something like
'Data encipherment' sounds important to me, though.

florianz1

Re: Disabling TLS services because of configuration failure

There is no other tree. I installed new servers into an existing tree. On these I want to use not the default certificates for LDAP, but a custom certificate.
Regarding your point about 'Data encipherment': the default DNS certificate does not have this key usage set either, and TLS does not shut down when LDAP uses the default certificate.

Florian

Knowledge Partner

Re: Disabling TLS services because of configuration failure ..

I thought you said that you were creating a KMO in one tree and using it
in the other, but if not then nevermind.

How about we get an export of the broken and working KMOs to see
differences? Just the PEM/b64 output should be sufficient, and should be
able to be pasted in here directly rather than as attachments, so anybody
can help out.


florianz1

Re: Disabling TLS services because of configuration failure

Problem is: the certificate needs to have the option 'make private key exportable' set when it is created. If not, the LDAP agent shuts down TLS directly after startup, for whatever reason ...

Thanks, Florian

Knowledge Partner

Re: Disabling TLS services because of configuration failure ..

Does this mean you have identified the workaround/fix? I'm a little
surprised that is required for LDAP to work, but I've seen that as a
requirement for other things to work (IDM I seem to recall).

florianz1

Re: Disabling TLS services because of configuration failure

Yes, creating the certificate with the private key exportable keeps TLS from being shut down instantly after the LDAP agent starts. I am surprised as well, as no apparent reason comes to mind for LDAPS to need that.
I'd be interested in the reason this is regarded as mandatory by eDirectory ...

Anyhow: at least they should make the error clearer, or make LDAP work without that.

Thanks for your help 🙂
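Once the KMO loads and TLS stays up, it is worth confirming that port 636 actually serves the intended certificate rather than the default SSL CertificateDNS. The script below is an added example (not part of the thread and not eDirectory tooling): it handshakes with the LDAPS listener, verifies the chain against the tree's organizational CA certificate exported to a PEM file (the `cafile` argument, an assumption), and then checks the served certificate's SAN, subject CN and remaining validity. Hostname checking is deliberately left to the script's own check so that a SAN mismatch is reported as a finding instead of aborting the handshake. The `SAMPLE_CERT` dictionary is constructed from the attributes listed in the first post, in the shape Python's `getpeercert()` returns; the function names are mine.

```python
"""Post-fix check for an eDirectory LDAPS listener: fetch the served certificate
and confirm it is the intended KMO (SAN covers alias and IP, expected CN, not
close to expiry).

Added example for this thread, not eDirectory tooling. Assumes the organizational
CA certificate has been exported to a PEM file so the chain can be verified.
"""
import ipaddress
import socket
import ssl
import sys
import time
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed from the attributes listed in the thread, in the shape returned by
# ssl.SSLSocket.getpeercert(); 8:48 CEST is 06:48 GMT.
SAMPLE_CERT: Dict = {
    "subject": ((("organizationName", "myCompany"),),
                (("commonName", "myServername.myDomain.local"),)),
    "subjectAltName": (("IP Address", "10.252.130.211"),
                       ("DNS", "mDNSAlias.myDomain.local"),
                       ("DNS", "myServername.myDomain.local")),
    "notBefore": "Jul  7 06:48:00 2017 GMT",
    "notAfter": "Jul  7 06:48:00 2019 GMT",
}


def san_names(cert: Dict) -> Tuple[set, set]:
    """Split subjectAltName into lower-cased DNS names and normalised IP literals."""
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(str(ipaddress.ip_address(value)))
    return dns, ips


def name_matches(cert: Dict, name: str) -> bool:
    """True if the hostname or IP literal is listed in the SAN. Exact matches only:
    the wizard in the thread issues no wildcard names, so none are honoured here."""
    dns, ips = san_names(cert)
    try:
        return str(ipaddress.ip_address(name)) in ips
    except ValueError:                      # not an IP literal, treat as a DNS name
        return name.lower() in dns


def subject_cn(cert: Dict) -> Optional[str]:
    """Return the subject commonName, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def days_until_expiry(cert: Dict, now_ts: float) -> float:
    """Days between now_ts (POSIX seconds) and the certificate's notAfter."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) / 86400


def check_served_cert(cert: Dict, expected_names: Iterable[str], now_ts: float,
                      expected_cn: Optional[str] = None, min_days: int = 30) -> List[str]:
    """Return a list of problems; an empty list means the served certificate is the wanted one."""
    problems = []
    for name in expected_names:
        if not name_matches(cert, name):
            problems.append(f"SAN does not cover {name}")
    if expected_cn is not None and subject_cn(cert) != expected_cn:
        problems.append(f"subject CN is {subject_cn(cert)!r}, expected {expected_cn!r}")
    days = days_until_expiry(cert, now_ts)
    if days < min_days:
        problems.append(f"certificate expires in {days:.0f} days")
    return problems


def fetch_ldaps_cert(host: str, cafile: str, port: int = 636, timeout: float = 5.0) -> Dict:
    """Handshake with the LDAPS listener and return the chain-verified peer certificate.
    check_hostname is off so a SAN mismatch is reported by check_served_cert rather
    than raised here; verify_mode stays CERT_REQUIRED, so the chain is still checked."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()        # empty only if verification were disabled


if __name__ == "__main__":
    # usage: python ldaps_check.py <host> <org-ca.pem> [expected SAN name ...]
    host, cafile, *names = sys.argv[1:]
    issues = check_served_cert(fetch_ldaps_cert(host, cafile), names or [host], time.time())
    print("OK" if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it against each of the new servers with the alias and IP from the KMO as expected names; if the SAN check fails right after a restart, the listener is most likely still serving the default SSL CertificateDNS rather than the custom KMO.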
