I am having an issue trying to add an LDAP realm. The ProxySG is running in FIPS mode and it keeps throwing an error "% Unable to use requested ssl-device-profile: Requested setting invalid in FIPS mode". I do not see how the ssl-device-profile is not FIPS compliant. Currently running version ProxySG 18.104.22.168. Any assistance would be greatly appreciated.
I suspect the LDAP server you are trying to connect to is offering or preferring non-FIPS algorithms. Here are some things you can check:
- Verify the ciphers configured in the ProxySG ssl-device-profile are available on the LDAP server you are connecting to. If the LDAP/S server is not running in FIPS mode, you may have to manually edit its cipher list to make sure the two parties can agree on ciphers.
- Verify the CCL assigned to your ProxySG ssl-device-profile trusts the certificate chain of the LDAP/S server.
If you can't find the problem in these settings, post some more details about your environment so we can look for other possible problems.
I appreciate the response. I'm not even convinced that I am getting to the negotiation. The ProxySG isn't recognizing the certificates uploaded as FIPS compliant. Therefore, the ProxySG isn't allowing me to configure the correct device profile for the LDAPS connection.
Hi Charles, please test this - maybe it will help. It helped me join my ProxySG with the IWA-Realm, because of an LDAP problem.
Proxy failed to join domain (broadcom.com)
    >en
    #conf t
    #(config)security windows-domains
    #(config windows-domains)ldap-ping-protocol tcp
Best regards,
Klaus
Thank you for the response. I have been able to successfully join the ProxySG to the domain. It's just having issues with connecting to the DC with LDAPS due to the signed certificate reporting as non-FIPS compliant. I cannot assign the correct device profile for the LDAPS realm because it's saying it's not allowed in FIPS mode. I believe it's not allowed because of the certificate issue. I am 90% sure the certificate is in fact FIPS compliant; it's just that the ProxySG isn't recognizing the compliance.