IBM Support

IT29846: ACE ADMIN REST API INVOCATIONS FAIL AUTHENTICATION WHEN USING LDAPS SERVER

APAR status

  • Closed as program error.

Error description

  • When using a secure LDAP server that uses intermediate
    certificates or uses a custom enterprise Root CA, authentication
    will fail. A service trace will show
    
    "Failed when validating user: USER. Error: Error: unable to get
    local issuer certificate"
    
    The caPath property from the server.conf.yaml or node.conf.yaml
    file is ignored for LDAPS connections, leading to certificate
    validation errors.
    

Local fix

  • Setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED=0
    disables all TLS certificate validation in the Admin REST API
    and Web UI. It should therefore not be used in a production
    system, but it can be set as a temporary workaround on
    development systems.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All users of IBM App Connect Enterprise v11 who use LDAP
    authentication and connect to a secure LDAP server using LDAPS
    where the remote server's certificate is signed by a certificate
    chain that is absent from the host system certificate store for
    the Integration Node or Integration Server.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When using a secure LDAP server that uses intermediate
    certificates or uses a custom enterprise Root CA, authentication
    will fail. A service trace will show
    
    "Failed when validating user: USER. Error: Error: unable to get
    local issuer certificate"
    
    The caPath property from the server.conf.yaml or node.conf.yaml
    file is ignored for LDAPS connections, leading to certificate
    validation errors.
    

Problem conclusion

  • The configuration YAML property "caPath" is now correctly
    searched by the LDAP authentication system to pick up additional
    certificates to validate the remote server. The caPath property
    must be a full path to a directory on the system which contains
    plaintext certificate files that complete the chain of trust for
    the LDAPS server's certificate.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v11.0      11.0.0.6
    
    The latest available maintenance can be obtained from:
    http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27006041
    
    If the maintenance level is not yet available, information on
    its planned availability can be found on:
    http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
    ---------------------------------------------------------------
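
The check below is an added example, not IBM code and not part of the APAR: it uses the openssl command line to test whether the PEM files in a directory such as the one named by caPath complete the chain of trust for a server certificate, and it shows the "unable to get local issuer certificate" failure when the intermediate certificate is missing. Assumptions: the directory holds *.pem files, the demo chain and the host name ldaps.example.test are constructed, and openssl's verification stands in for the product's own.

```shell
#!/bin/sh
# Added example (not IBM code): does a caPath-style directory complete the
# chain of trust for a server certificate?

# check_ca_dir DIR CERT: verify CERT against the *.pem files found in DIR.
# Assumption: each *.pem file in DIR holds plaintext (PEM) CA certificates.
check_ca_dir() (
  bundle=$(mktemp) || exit 2
  cat "$1"/*.pem > "$bundle" 2>/dev/null || :
  openssl verify -CAfile "$bundle" "$2" 2>&1 && rc=0 || rc=$?
  rm -f "$bundle"
  exit "$rc"
)

# make_demo_chain DIR: write a constructed root -> intermediate -> leaf chain
# into DIR (throwaway keys, hypothetical host name) for an offline trial.
make_demo_chain() (
  cd "$1" || exit 2
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' '[ca]' \
    'basicConstraints = critical,CA:TRUE' > ssl.cnf
  new="openssl req -config ssl.cnf -newkey rsa:2048 -nodes"
  sign="openssl x509 -req -days 2 -CAcreateserial"
  $new -x509 -days 2 -extensions ca -subj "/CN=Constructed Root CA" \
    -keyout root.key -out root.pem &&
  $new -subj "/CN=Constructed Intermediate CA" -keyout int.key -out int.csr &&
  $sign -in int.csr -CA root.pem -CAkey root.key \
    -extfile ssl.cnf -extensions ca -out int.pem &&
  $new -subj "/CN=ldaps.example.test" -keyout leaf.key -out leaf.csr &&
  $sign -in leaf.csr -CA int.pem -CAkey int.key -out leaf.pem
) >/dev/null 2>&1

# demo: root only (chain incomplete), then root + intermediate (complete).
demo() {
  d=$(mktemp -d) && make_demo_chain "$d" && mkdir "$d/capath" || return 2
  cp "$d/root.pem" "$d/capath/"
  check_ca_dir "$d/capath" "$d/leaf.pem"   # unable to get local issuer certificate
  cp "$d/int.pem" "$d/capath/"
  check_ca_dir "$d/capath" "$d/leaf.pem"   # chain complete, verification succeeds
  rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run the script with the argument demo to see both outcomes. For a real server, pass check_ca_dir the directory configured as caPath and the server's certificate saved as a PEM file.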
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT29846

  • Reported component name

    APP CONNECT ENT

  • Reported component ID

    5724J0550

  • Reported release

    B00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-07-26

  • Closed date

    2020-01-03

  • Last modified date

    2020-01-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    APP CONNECT ENT

  • Fixed component ID

    5724J0550

Applicable component levels

Document Information

Modified date:
03 January 2020