
Tech Tip - CA Single Sign-On: Policy Server: Policy Server secure LDAP connection failure

By Ujwol posted Jan 05, 2017 07:46 PM

  

Problem

After upgrading the CA SSO Policy Server to 12.52 SP2, it is no longer able to establish a secure connection to LDAP.

The older version of CA SSO (12.52 SP1) establishes the secure connection to LDAP just fine.

 

smps.log shows:

[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:788][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.

[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:950][ERROR][sm-Ldap-01370] SmDsLdapConnMgr Bind. Server ad2k8-01 : 636. Error 81-Can't contact LDAP server

Environment

  • Policy Server : R12.52SP2 and above
  • Policy Server OS : ANY
  • User Store : ANY LDAP

Cause

Starting with r12.52 SP2 of the CA SSO Policy Server, support for the SSLv3 protocol for secure connections to the LDAP store is disabled by default.

This change was made to mitigate the SSLv3 POODLE vulnerability:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566

 

This can be seen in smps.log as well:

[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:788][WARNING][sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.

 

This means that the Policy Server now uses the TLS protocol instead to establish a secure channel to the LDAP store.

The detailed list of TLS protocols supported by each version of the CA SSO Policy Server is given here:

https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC2147705.html

So, if the supported TLS protocols are NOT enabled on the LDAP server, the Policy Server cannot establish a secure connection to it.

Resolution

Configure the LDAP server to support the TLS protocol supported by your version of the CA SSO Policy Server, as per:

https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC2147705.html

As of r12.52 SP2 CR1 (the current release at the time of writing), the Policy Server supports only TLSv1.0 and will fail to connect over any other protocol.

So ensure that TLSv1.0 is enabled on the LDAP server to resolve this connectivity issue.

For example, in the case of Active Directory you can configure the Schannel SSL/TLS protocols as per this guide:

https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS10
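The two checks a practitioner wants at this point are (a) confirming from smps.log that the failure is the one described here (SSLv3-disabled warning followed by a bind failure with LDAP error 81) and (b) confirming which TLS versions the LDAPS endpoint on port 636 actually accepts, so the mismatch with the Policy Server's TLSv1.0-only client can be proven rather than guessed. The script below is an added example, not part of the original post and not a CA tool; the log lines it parses are copied from the post, and the host name `ad2k8-01` and the `probe_tls_versions` helper are assumptions of this example.

```python
"""Diagnose the CA SSO LDAPS 'Error 81' failure described in this post.

Added example, not CA's own tooling. It assumes only the smps.log line
format shown above; SAMPLE_LOG is constructed from the lines in the post.
"""
import re
import socket
import ssl

# smps.log format: [pid/tid][timestamp][source:line][LEVEL][code] message
LOG_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]"
    r"\[(?P<ts>[^\]]+)\]"
    r"\[(?P<src>[^\]]+)\]"
    r"\[(?P<level>[A-Z]+)\]"
    r"\[(?P<code>sm-[A-Za-z]+-\d+)\]\s*"
    r"(?P<msg>.*)$"
)
# "Server <host> : <port>. Error <n>-..." as written by SmDsLdapConnMgr
SERVER_RE = re.compile(r"Server (?P<host>\S+) : (?P<port>\d+)\. Error (?P<err>\d+)")

SSLV3_DISABLED = "sm-Ldap-02910"  # warning: SSLv3 client protocol is disabled
BIND_FAILED = "sm-Ldap-01370"     # error: SmDsLdapConnMgr Bind ... Error 81

# Constructed sample: the two lines quoted in the post.
SAMPLE_LOG = [
    "[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:788][WARNING]"
    "[sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails "
    "configure LDAP server to support TLS protocols.",
    "[2700/3456][Thu Jan 05 2017 15:35:55][SmDsLdapConnMgr.cpp:950][ERROR]"
    "[sm-Ldap-01370] SmDsLdapConnMgr Bind. Server ad2k8-01 : 636. "
    "Error 81-Can't contact LDAP server",
]


def parse_line(line):
    """Split one smps.log line into its bracketed fields, or None if it
    does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(lines):
    """Return (host, port) pairs for every LDAP bind that failed with
    error 81 after the SSLv3-disabled warning: the symptom in this post."""
    sslv3_disabled = False
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"] == SSLV3_DISABLED:
            sslv3_disabled = True
        elif rec["code"] == BIND_FAILED and sslv3_disabled:
            s = SERVER_RE.search(rec["msg"])
            if s and s.group("err") == "81":
                failures.append((s.group("host"), int(s.group("port"))))
    return failures


def probe_tls_versions(host, port=636, timeout=5.0):
    """Attempt one handshake per TLS version against an LDAPS endpoint and
    report which versions it accepts. Certificate verification is off
    because only protocol negotiation is of interest here. SECLEVEL=0 is
    requested so that the probing client itself does not refuse TLSv1.0;
    a 'rejected' result for TLSv1.0 on a client whose OpenSSL build has
    dropped it is a client limitation, not a server finding."""
    versions = (("TLSv1.0", ssl.TLSVersion.TLSv1),
                ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
                ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    results = {}
    for name, ver in versions:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = "accepted (%s)" % tls.version()
        except (ssl.SSLError, OSError, ValueError) as exc:
            results[name] = "rejected (%s)" % exc.__class__.__name__
    return results


if __name__ == "__main__":
    for host, port in diagnose(SAMPLE_LOG):
        print("TLS mismatch suspected for %s:%d" % (host, port))
        # Against a real directory server, replace SAMPLE_LOG with the live
        # smps.log and let the probe show which versions port 636 accepts.
        for ver, outcome in probe_tls_versions(host, port).items():
            print("  %-8s %s" % (ver, outcome))
```

For the Policy Server version discussed here (r12.52 SP2 CR1, TLSv1.0 only), the connection can only succeed when the probe reports `TLSv1.0 accepted` for the user store host; if only TLSv1.1 or later is accepted, enable TLSv1.0 on the directory server as described in the referenced guide, or move to a Policy Server release whose supported protocol list (TEC2147705) matches what the directory server offers.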

Testing:

With TLSv1.0 disabled on Active Directory:

1. Screenshot: TLSv1.0 disabled on AD (AD_TLSV1.0_Disabled.jpg)
2. Screenshot: SSL handshake failure on the Policy Server side (NONWorking_TLSV1.0Disabled.png)
3. Screenshot: Admin UI showing the connection failure (ADMINUI.png)

With TLSv1.0 enabled on Active Directory:

1. Screenshot: TLSv1.0 enabled on AD (AD_TLSV1.0_Enabled.jpg)
2. Screenshot: SSL handshake successful on the Policy Server side (WORKING_TLSv1.0.png)
3. Screenshot: Admin UI showing the connection succeeding and retrieving results (Admin UI working.png)

 

Additional Information
