
Tech Tip - CA Single Sign-On: Error 81 against AdvAuthExternalLDAPDir user directory

By wonsa03 posted Aug 11, 2016 02:02 AM


CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 11th August 2016


Introduction:

The Administrative UI/application server is installed with an embedded certificate database.


To configure the external administrator store connection over SSL, the Root Certificate Authority must be added to the Administrative UI/application server's certificate database.

With the bundled JBOSS, the trust store resides in the <adminui>\server\default\conf\ directory. Run the following command to add the Root Certificate Authority to the Administrative UI certificate database:

keytool.exe -importcert -trustcacerts -alias <alias> -file <CACertificate> -keystore trustStore.jks -storepass <truststore_password> -v


Question:

After the external administrator store connection over SSL is configured successfully, the following error is logged repeatedly in the Policy Server log:

[ERROR] SmDsLdapConnMgr Bind. Server host.domain.com : 636. Error 81-Can't contact LDAP server


Environment:

Policy Server R12.52 SP1 release onward.


Answer:

The following policy objects are created automatically once the external administrator store configuration is completed successfully:

  • AdvAuthExternalRDBDir / AdvAuthExternalLDAPDir – depending on whether the external admin store is an ODBC or an LDAP repository
  • AdvAuthNAuthZDomain
  • AdvAuthNAuthZRealm – protected resource = “/sampleresource.html”
  • AdvAuthNAuthZAgent
  • AdvAuthNAuthZQueryScheme


The ‘AdvAuthExternalLDAPDir’ user directory is created with the details gathered during the external administrator store configuration. When SSL is enabled for the external admin store, the Root Certificate Authority and server certificates must also be imported manually into the Policy Server's certificate database after the 'AdvAuthExternalLDAPDir' user directory is created. The keytool import described above only covers the Administrative UI trust store; the Policy Server has its own certificate database. If this manual step is skipped, the Policy Server cannot connect to the backend LDAP user directory over SSL and logs the LDAP Error 81.
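As an added example (not part of this tech tip), a small Python helper that finds the Error 81 bind failures described above in a Policy Server log, separates the LDAPS (port 636) cases that point at a missing Root CA in the Policy Server certificate database, and can repeat the TLS handshake to the LDAPS server using only a given CA file. The log lines are constructed, and the CA file path passed to check_ldaps_trust is assumed.

```python
import re
import socket
import ssl
from collections import Counter

# Constructed sample Policy Server log lines; not taken from a real system.
SAMPLE_LOG = """\
[INFO]SmDsLdapConnMgr Init. Server host.domain.com : 636
[ERROR]SmDsLdapConnMgr Bind. Server host.domain.com : 636. Error 81-Can't contact LDAP server
[ERROR]SmDsLdapConnMgr Bind. Server host.domain.com : 636. Error 81-Can't contact LDAP server
[ERROR]SmDsLdapConnMgr Bind. Server users.domain.com : 389. Error 49-Invalid credentials
"""

# Matches the SmDsLdapConnMgr bind failure line and captures host, port and LDAP result code.
BIND_ERROR = re.compile(
    r"\[ERROR\]\s*SmDsLdapConnMgr Bind\. Server (?P<host>\S+) : (?P<port>\d+)\. Error (?P<code>\d+)"
)


def error81_servers(log_text):
    """Return {(host, port): count} for every 'Error 81' bind failure in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BIND_ERROR.search(line)
        if m and m.group("code") == "81":
            counts[(m.group("host"), int(m.group("port")))] += 1
    return dict(counts)


def classify(host, port):
    """Error 81 on the LDAPS port is checked against the Policy Server trust store first."""
    if port == 636:
        return "ldaps: confirm the Root CA and server certificates are in the Policy Server certificate database"
    return "ldap: check network reachability of the directory server"


def check_ldaps_trust(host, port, cafile, timeout=5):
    """Handshake with the LDAPS server trusting only the CAs in cafile (a PEM bundle).
    Returns (True, peer subject) when the chain validates, else (False, reason)."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain and hostname verification stay on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert()["subject"]
    except (ssl.SSLError, OSError) as exc:  # certificate verify failure or unreachable host
        return False, str(exc)
```

A (False, "... CERTIFICATE_VERIFY_FAILED ...") result from check_ldaps_trust with the Policy Server's CA bundle reproduces the Error 81 condition, and the same call returning True after the import confirms the fix.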


Additional Information:

For details on adding the certificates to the Policy Server certificate database, refer to the following link:

https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1905764.html
