Directory Server Issues after Inventory 10.0.4.0 Upgrade

We are experiencing an issue connecting to directory servers following upgrading to Inventory 10.0.4.0. We have performed the upgrade 3 times in two different environments and received the same outcome each time.

In each environment we have a directory server configuration that points to three different domain controllers using SSL. We test the connections prior to the upgrade and everything looks good.

After the upgrade the directory server connections show they need to trust the DC certificates when tested. After checking the trust certificate checkboxes and saving the configuration (with password for the service account), all connections show “connect error” when tested.

The tema logs start showing these errors whenever the connection is tested (sensitive info redacted):

[4/7/21 12:44:20:542 UTC] 00000358 SystemOut                                                    O 2021-04-07 12:44:20 INFO:   Parameters: {"utf8"=>"✓", "directory"=>{"name"=>"Directory Server", "schema_template"=>"microsoft", "global_catalog"=>"1", "user_filter"=>"(&(objectCategory=Person)(|(sAMAccountName=*)(userPrincipalName=*)))", "login_attribute"=>"userPrincipalName", "group_filter"=>"(objectCategory=Group)", "membership_attribute"=>"member", "search_base"=>"DC=<redacted>,DC=<redacted>,DC=com", "ssl"=>"1", "anonymous_bind"=>"0", "username"=>"<redacted>", "password"=>"[FILTERED]", "primary_server_attributes"=>{"host"=>"<redacted>", "port"=>"3269", "id"=>"1"}, "backup_servers_attributes"=>{"0"=>{"host"=>"<redacted>", "port"=>"3269", "id"=>"5"}, "1"=>{"host"=>"<redacted>", "port"=>"3269", "id"=>"6"}}}, "id"=>"1"}

[4/7/21 12:44:20:760 UTC] 00000358 SystemOut                                                    O 2021-04-07 12:44:20 ERROR: Invalid custom truststore path 

[4/7/21 12:44:20:932 UTC] 00000358 SystemOut                                                    O 2021-04-07 12:44:20 ERROR: Invalid custom truststore path 

[4/7/21 12:44:20:948 UTC] 00000358 SystemOut                                                    O 2021-04-07 12:44:20 ERROR: Invalid custom truststore path 

[4/7/21 12:44:20:995 UTC] 00000358 SystemOut                                                    O 2021-04-07 12:44:20 ERROR: Invalid custom truststore path 

[4/7/21 12:44:21:088 UTC] 00000358 SystemOut                                                    O 2021-04-07 12:44:21 WARN: An error occurred while attempting to connect to server <redacted>:3269:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server <redacted>:3269:  SSLException(Connection reset), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))

[4/7/21 12:44:21:088 UTC] 00000358 SystemOut                                                    O 2021-04-07 12:44:21 INFO: Errors from LDAP Server, e.resultCode.name=connect error

The tema log does show that the truststore is loaded successfully:

[4/7/21 12:54:37:795 UTC] 0000001a com.ibm.ws.ssl.config.WSKeyStore I Successfully loaded default keystore: D:/Program Files/ibm/BFI/wlp/usr/servers/server1/resources/security/key_server.jceks of type: JCEKS

No changes have been made to the domain controllers. We do not have a custom truststore. We have tried creating new directory server configs, creating custom truststores, adding a full path to the truststore in the server.xml file where it previously just specified “key_server.jceks” and just plain restarting the server just to see if there was a simple way around this issue, but nothing has worked so far.

Anyone else seeing this issue?

2 Likes
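The log above shows a plain TCP/TLS "Connection reset" on port 3269 rather than a certificate-trust failure, and that is the distinction worth confirming from the BFI host before changing anything. The following is an added diagnostic (not code from the thread or from HCL) that probes a global-catalog LDAPS endpoint twice from Python: once with the client's default TLS range, and once pinned to TLS 1.2 only. It classifies the outcome so that "handshake works only with TLS 1.2" can be told apart from "handshake works but the DC certificate is untrusted". `HOST` and `PORT` at the bottom are placeholders for one of your own domain controllers; nothing on the page names them.

```python
import socket
import ssl
from typing import Optional

# Added example, not from the forum thread. Hostname below is a placeholder.
HOST = "dc1.example.internal"   # placeholder, replace with your own DC
PORT = 3269                     # global catalog over TLS, as in the posted config


def build_context(pin_tls12: bool, verify: bool = True) -> ssl.SSLContext:
    """Client context: either the library default TLS range or TLS 1.2 only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if pin_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if not verify:
        # Diagnostic only: isolate the handshake from the trust question.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_bounds(ctx: ssl.SSLContext):
    """Names of the negotiable TLS window, e.g. ('TLSv1_2', 'TLSv1_2')."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


def classify(exc: Optional[BaseException]) -> str:
    """Map an exception from the handshake to a coarse outcome label.
    Order matters: SSLError and ConnectionResetError are both OSError subclasses."""
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted-cert"
    if isinstance(exc, ssl.SSLError):
        return "handshake-failed"
    if isinstance(exc, OSError):   # includes reset, refused, timeout
        return "connect-error"
    return "other"


def probe(host: str, port: int, pin_tls12: bool, verify: bool = True,
          timeout: float = 5.0) -> dict:
    """Attempt one TLS handshake and report the negotiated version or the failure class."""
    ctx = build_context(pin_tls12, verify)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "ok", "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except Exception as exc:  # noqa: BLE001 - we want every failure classified
        return {"status": classify(exc), "detail": str(exc)}


def interpret(status_default: str, status_tls12: str) -> str:
    """Turn the two probe outcomes into a one-line reading of the symptom."""
    if status_default == "ok":
        return "default TLS range negotiates fine; look at truststore path and credentials instead"
    if status_tls12 == "ok":
        return "fails with the default range but succeeds pinned to TLS 1.2: restrict the client to TLS 1.2"
    if status_tls12 == "untrusted-cert":
        return "handshake completes but the DC certificate chain is not trusted by this client"
    return "no TLS policy connects; check the network path, port and the DC listener"


def diagnose(host: str, port: int) -> str:
    default = probe(host, port, pin_tls12=False)
    only12 = probe(host, port, pin_tls12=True)
    return interpret(default["status"], only12["status"])


if __name__ == "__main__":
    print(diagnose(HOST, PORT))
```

Run it from the BFI server so that the probe traverses the same network path as the application; the Python `ssl` module and the IBM JSSE stack negotiate independently, so a success here only rules out the DC side, while a TLS 1.2-only success combined with a default-range reset points at the same negotiation problem the thread describes.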

I saw a similar LDAP login failure after upgrading to 10.0.4.0. The test of the LDAP configuration also failed. When I unchecked SSL, it worked.

cstoneba, that matches our experience as well. Directory Server connection works if SSL is off. That combined with the tema log messages makes me think that the JRE upgrade as part of the 10.0.4.0 upgrade messed with the expected way of interacting with the truststore.

Please open a case with HCL BFI support so that a defect can be opened if needed.

Same issue here. Did anyone report to HCL?

We got this from HCL:

We have identified the root cause of the LDAP issue as follows:
There were multiple changes in the Java shipped in BFI v10.0.4, including support for TLS 1.3 and certificate handling. These settings are disabling the use of TLS 1.3 (enforcing only 1.2) for LDAP.
For overrideDefaultCSName explanation see https://www.ibm.com/docs/en/sdk-java-technology/8?topic=suites-cipher

To resolve the issue, please perform the following steps:

  1. Stop BFI Server
  2. Edit the …/server1/jvm.options file, and add the following settings at the end of file:
    -Dcom.ibm.jsse2.overrideDefaultCSName=true
    -Dcom.unboundid.util.SSLUtil.defaultSSLProtocol=TLSV1.2
    -Dcom.unboundid.util.SSLUtil.enabledSSLProtocols=TLSV1.2
  3. Start the BFI Server
  4. Go to Management -> Directory Server page in BFI UI. Enter the password and test the connection (verify successful).
  5. Then, log off and verify you are able to log back in with an LDAP/AD user.

We did this in our environment and it fixed the issue. We did have another issue afterwards where the web certificate we were using started reporting as revoked, but that was apparently a problem with the certificate as we replaced the certificate and did not have an issue with the new one.

5 Likes
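Step 2 of the support answer is a manual edit of `jvm.options`, which is easy to get wrong across several environments: appending the lines twice, or appending them under an existing, different value for the same property (the JVM takes the last `-D` occurrence, so a stale setting higher up is silently overridden rather than noticed). The following is an added helper, not HCL's tooling and not from the thread, that audits a `jvm.options` file for the three properties quoted in the answer and appends only what is missing, refusing to act when a conflicting value is already present. The sample file content is constructed here; only the property names and values come from the support answer.

```python
import re
from typing import Dict

# Added example, not HCL-provided. Property names and values are the ones
# quoted in the support answer; everything else here is an assumption.
REQUIRED: Dict[str, str] = {
    "com.ibm.jsse2.overrideDefaultCSName": "true",
    "com.unboundid.util.SSLUtil.defaultSSLProtocol": "TLSV1.2",
    "com.unboundid.util.SSLUtil.enabledSSLProtocols": "TLSV1.2",
}

# Matches a -Dname=value line; Liberty jvm.options holds one option per line.
_DEF = re.compile(r"^-D([^=\s]+)=(.*)$")

# Constructed sample content, not a real server1/jvm.options: one of the three
# settings is already present, the other two are not.
SAMPLE_JVM_OPTIONS = """# constructed sample jvm.options
-Xmx4096m
-Dcom.ibm.jsse2.overrideDefaultCSName=true
"""


def parse_options(text: str) -> Dict[str, str]:
    """Return {property: value} for every -D line. A later line overrides an
    earlier one, mirroring how the JVM resolves a repeated -D flag."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _DEF.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text: str) -> Dict[str, str]:
    """Classify each required property as 'ok', 'missing' or 'conflict:<value>'."""
    have = parse_options(text)
    report: Dict[str, str] = {}
    for name, wanted in REQUIRED.items():
        if name not in have:
            report[name] = "missing"
        elif have[name] == wanted:
            report[name] = "ok"
        else:
            report[name] = f"conflict:{have[name]}"
    return report


def has_conflict(text: str) -> bool:
    return any(v.startswith("conflict:") for v in audit(text).values())


def apply_fix(text: str) -> str:
    """Append the missing settings at the end of the file (step 2 of the answer).
    Idempotent: a file that already has all three comes back unchanged.
    A conflicting value is an error, not something to override silently."""
    report = audit(text)
    conflicts = [k for k, v in report.items() if v.startswith("conflict:")]
    if conflicts:
        raise ValueError(f"conflicting values already set for: {', '.join(conflicts)}")
    missing = [k for k, v in report.items() if v == "missing"]
    if not missing:
        return text
    body = text if (not text or text.endswith("\n")) else text + "\n"
    return body + "".join(f"-D{k}={REQUIRED[k]}\n" for k in missing)


if __name__ == "__main__":
    # Typical use on a real server: read the file, audit, write back if needed.
    for name, state in audit(SAMPLE_JVM_OPTIONS).items():
        print(f"{state:10s} {name}")
    print("--- after apply_fix ---")
    print(apply_fix(SAMPLE_JVM_OPTIONS), end="")
```

On a real server, read `server1/jvm.options` into `text`, run `audit` first, and only write `apply_fix(text)` back (with the server stopped, as step 1 requires) when the audit shows nothing but `ok` and `missing`; a `conflict:` entry means someone already pinned the protocol differently and deserves a look before the restart in step 3.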

+1 same problem
+1 same symptoms
+1 same solution

Thanks!

2 Likes