Symantec Access Management

 View Only
  • 1.  Enable Secure Connection with LDAP directory

    Posted Mar 13, 2018 11:12 AM

    I am working on enabling  Secure connection between policy server and Oracle Ldap. Oracle LDAP 11.1.1.7 have Disabled SSL support and have enabled TLS 1.x. 

    I am getting following errors:

    [03/13/2018][10:42:42.104][10:42:42][7674][140566360749824][SmDsLdapConnMgr.cpp:1105][CSmDsLdapConnMgr::StartCheck][][][][][][][][][][][][][][][][][][][][][Starting DsServerCheckerThread][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:42.106][10:42:42][7674][140563980470016][SmDsLdapConnMgr.cpp:758][][][][][][][][][][][][][][][][][][][][][][LogMessage:WARN:[sm-Ldap-02910] SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols.][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:42.106][10:42:42][7674][140563980470016][SmLdapPs.cpp:146][SmLdapPs::set_prldap_opt_io_max_timeout][][][][][][][][][][][][][][][][][][][][][PRLDAP_OPT_IO_MAX_TIMEOUT set to 10000 milliseconds][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:42.132][10:42:42][7674][140563980470016][SmDsLdapConnMgr.cpp:923][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Ldap-01370] SmDsLdapConnMgr Bind. Server r0000jn10.bnymellon.net : 2389. Error 81-Can't contact LDAP server][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:42.251][10:42:42][7674][140565354116864][SmObjCache.cpp:524][CSmObjCache::Cleanup][][][][][][][][][][][][][][][][][][][][][Cleanup the object cache.][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:42.857][10:42:42][7674][140563959490304][SmDsLdapConnMgr.cpp:2034][CSmLdapServers::CleanupServers][][][][][][][][][][][][][][][][][][][][][Cleaned up old CSmLdapServers object][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:43.105][10:42:43][7674][140566360749824][SmDsDir.cpp:81][CSmDsDir::CSmDsDir][][][][][][][][][][][][][][][][][][][][][Return from call InitDir.][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:43.105][10:42:43][7674][140566360749824][SmDsObj.cpp:94][CSmDsObj::IsValid][][][][][][][][][][][][][][][][][][][][][Start of call IsValid.][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:43.105][10:42:43][7674][140566360749824][SmDsObj.cpp:96][CSmDsObj::IsValid][][][][][][][][][][][][][0][][][][][][][][Return from call IsValid.][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:43.105][10:42:43][7674][140566360749824][SmDsDir.cpp:89][CSmDsDir::~CSmDsDir][][][][][][][][][][][][][][][][][][][Release DS Provider handle.][][Start of call Release.][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:43.105][10:42:43][7674][140566360749824][SmDsDir.cpp:91][CSmDsDir::~CSmDsDir][][][][][][][][][][][][][][][][][][][][][Return from call Release.][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:43.105][10:42:43][7674][140566360749824][SmEmsCommandV2.cpp:1304][CSmEmsCommand::Execute][][][][][][][][][][][][][2323][][][][][][Dir='00-'. ObjDN='', RealmOid='00-'][][Return from call CSmEmsPolicyApi::Enumerate ][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:43.105][10:42:43][7674][140566360749824][SmEmsCommandV2.cpp:2157][CSmEmsCommandV2::Execute][][][][][][][][][][][][][2323][][][][][][][][Leave function CSmEmsCommandV2::Execute][][][][00:00:01.003177][][][][][][][][][][][][][]
    [03/13/2018][10:42:43.105][10:42:43][7674][140566360749824][SmEmsCommandBase.cpp:231][CSmEmsCommandBase::Encode][][][][][][][][][][][][][][][][][][][][][Enter function CSmEmsCommandBase::Encode][][][][][][][][][][][][][][][][][]
    [03/13/2018][10:42:43.105][10:42:43][7674][140566360749824][SmEmsCommandBase.cpp:537][CSmEmsCommandBase::traceResponse][][][][][][][][][][][][2323][][][][][][][<session=CA.XPS::Administrator@xxxxxxx=>
    <command=smenumerate>
    <directory = Sanjay_Ping_UserDirectory_Secure>
    <status=E/0913/-13/Policy API error>
    ][][Processed EMS2 response.][][][][][][][][][][][][][][][][][]

     

    LDAP Admin confirms that TLS is enabled and working.

     

    Besides this I have created the cert.db using certutil and mentioned the same path under "smcosnole". Are there any special requirements on SHA levels for certificate.

     

    Any thoughts what else can be checked from policy server prospective.

     

    Thank You



  • 2.  Re: Enable Secure Connection with LDAP directory



  • 3.  Re: Enable Secure Connection with LDAP directory

    Posted Mar 13, 2018 01:32 PM

    ProductName=CA Single Sign-On Policy Server
    FullVersion=12.70.0.1194
    Location=/web/soft/sm/SiteMinder



  • 4.  Re: Enable Secure Connection with LDAP directory

    Posted Mar 15, 2018 12:10 PM

    Hi Dennis,

     

    The first thing i tried is to check if TLS is working using "ldapsearch".

    $ ldapsearch -ZZ -D "uid=xxxx"" -w xxxx -h ****** -p xxxx -b "o=***" -s base "objectClass=*" -P ./CertDB-127/cert8.db

     

    It worked.

    ldap_simple_bind: Success
    version: 1
    dn: o=***
    objectClass: top
    objectClass: organization
    o: ***

     

    From which i realized that if TLS need to be enabled, please turn off "use Secure Connection" from Wamui "Directory Config".

     

    Please confirm that my observation is true?

     

    Thanks & Regards,

    Sanjay



  • 5.  Re: Enable Secure Connection with LDAP directory

    Posted Mar 15, 2018 01:56 PM

    Sanjay 

     

    I don't think so "if TLS need to be enabled, please turn off 'use Secure Connection' from Wamui Directory Config". We'll still need Secure Connection Checked.

     

    Also ldapsearch worked using cert8.db. I'm assuming we used the ldapsearch shipped with CA SSO Policy Server?

     

    So we are using CA SSO R12.7 and you mentioned TLS 1.x ? What is 'x' here.

     

    Does Policy server supports TLSv1.1/TLSv1.2 protoc - CA Knowledge 
    • R12.0SP3CR12 doesn’t have support for TLS protocol. It supports only SSL.
    • R12.51CR6 onwards , we have support for TLS but only upto TLSv1.0 ( due to some internal limitation we don't support TLSv1.1). However, you can request a NIN for this as we have already certified NSS 3.30.2 libraries for this release (CA only refer: DE300577)
    • R12.52SP1 CR7 onwards we have support for both TLS v1.1 & TLS v1.2
    • R12.52SP2 until CR1 doesn't have support for TLSv 1.1 & TLSV v1.2 (Open support ticket if you need a NIN for this release)
    • R12.6 onwards we have support for both TLS v1.1 & TLS v1.2


  • 6.  Re: Enable Secure Connection with LDAP directory

    Posted Mar 15, 2018 02:00 PM

    Hi,

    Please find my response.

    Also ldapsearch worked using cert8.db. I'm assuming we used the ldapsearch shipped with CA SSO Policy Server?- Yes

    So we are using CA SSO R12.7 and you mentioned TLS 1.x ? What is 'x' here. TLS supported on Oracle LDAP 1.1 and 1.2



  • 7.  Re: Enable Secure Connection with LDAP directory

    Posted Mar 15, 2018 02:04 PM

    Also error is coming from policy server and NOT LDAP server. When "Use Secure Connection is enabled", smps.log shows error "SSLv3 client protocol is disabled. If connection fails configure LDAP server to support TLS protocols". I am not getting this error any more.



  • 8.  Re: Enable Secure Connection with LDAP directory

    Posted Mar 15, 2018 02:05 PM

    Do you have a lab setup which can help to confirm this configuration.

     

    Thanks,



  • 9.  Re: Enable Secure Connection with LDAP directory

    Posted Apr 05, 2018 06:50 AM

    Hi Sanjay,

     

    You may capture a network trace on the Policy Server and see what happens when it tries to connect to the Oracle store, so it can bring more insight on what is the cause of the problem.

     

    Hope it helps



  • 10.  RE: Re: Enable Secure Connection with LDAP directory

    Posted Sep 08, 2022 04:43 PM
    Hello,

    We are trying to enable SSL between policy server and RDS which both were located in AWS.

    What we have done as far now:
    1.  We have added SSL port to DB option group for RDS, so we are able to telnet from policy server to oracle DB using configured port 1234.

    2. Manually enabled SSL port on RDS (1234) and testing the connection from Policy Server in SB2 Ohio following the broadcom guide https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/user-directories/configure-an-oracle-user-directory-connection-over-ssl.html but still not working.

    I have downloaded the AWS RDS CA Cert from https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

    Here, from AWS link I have downloaded the global-bundle.pem file and as per the broadcom documentation the pem should be converted to pkcs12 format and point the policy server certs location in sm.registry in pkcs12 format which I didn't get it.

    Three things I need confirmation:
    1.  cmd I used to convert pem to pkscs12 is : openssl pkcs12 -export -nokeys -in global-bundle.pem -out nagatest.p12 -name "My Certificate"
    Is the above cmd is correct? because I got the output as nagatest.p12 so in sm.registry do I need to mention xxx/certs/nagatest.p12 or create a truststore and point policy server to that location? if trust store then in which format I need to mention?

    2.  cmd I used to create a Truststore: keytool -import -file C:\cascerts\firstCA.cert -alias firstCA -keystore myTrustStore  but using this cmd unable to add pem or p12 or pfx to truststore as its getting error saying it is expecting only X.509 certificate, so want to know the exact cmd to create trust store and which file I need to import into that is it directly pem or converted p12?

    3. I tried to enable ODBC trace using this link: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/troubleshooting/configure-tracing-for-odbc-stores.html

    Added below parameters in system_odbc.ini under ODBC
    TraceFile=nete_ps_root/db/odbctrace.out
    TraceDll=nete_ps_root/odbc/lib/NStrc28.so
    InstallDir=nete_ps_root/odbc

    For the above I have manually created odbctrace.out file under db folder and assigned the permission to that file but still it is not writing anything to that file, so want to know is there anything I need to add or any changes to be made?

    Thanks,
    Naga