IBM Support

Attempt to set an LDAP password fails with the ANR3116E error message

Troubleshooting


Problem

The SET LDAPPASSWORD command is used to configure an IBM Spectrum Protect server that is integrated with a Lightweight Directory Access Protocol (LDAP) server. The command fails with the ANR3116E error message.

Symptom

The following messages are displayed in the activity log of the IBM Spectrum Protect server instance:

ANR3114E LDAP error 116 (Failed to connect to ssl server.) occurred during ldap_start_tls_s_np.
ANR3116E LDAP SSL/TLS error 414 (Bad certificate) occurred during ldap_start_tls_s_np.
ANR3103E Failure occurred while initializing LDAP directory services.
ANR2732E Unable to communicate with the external LDAP directory server.

Cause

The LDAP certificate authority (CA) certificate is missing from the cert.kdb file of the IBM Spectrum Protect server instance.

Environment

The issue occurs in an environment in which the CA certificate is required.

Diagnosing The Problem

Use the gsk8capicmd_64 command to list and view the certificate details. The command and the output are similar to the following example:

$ gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
...
!       CA_Cert

$ gsk8capicmd_64 -cert -details -label "CA_Cert" -db cert.kdb -stashed
Label : CA_Cert
Key Size : 2048
Version : X509 V3
Serial : ...

In this example, the CA intermediate certificate was missing.

Resolving The Problem

To resolve the problem, you must import the CA root and intermediate certificates to the cert.kdb file of the IBM Spectrum Protect server instance, and then restart the instance. Complete the following steps:

  1. Download the certificate for the LDAP server by using the openssl command. For example:

    openssl s_client -connect ldap-host:636 -showcerts -verify_hostname ldap-host

    where ldap-host specifies the fully qualified domain name of the LDAP server.
  2. Copy the output from the command into a file, ca-cert.crt.
  3. Import the certificate to the server instance by using the gsk8capicmd_64 command. For example:

    $ gsk8capicmd_64 -cert -add -db "cert.kdb" -stashed -label "CA_Cert" -format ascii -file ca-cert.crt -trust enable
  4. Validate the certificate by using the gsk8capicmd_64 command. For example:

    $ gsk8capicmd_64 -cert -validate -db cert.kdb -stashed -label CA_Cert
  5. Restart the IBM Spectrum Protect server instance.
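
The output captured in steps 1 and 2 contains session details as well as one PEM block per certificate that the LDAP server sent. The following shell functions are an added example, not part of the IBM procedure: they split that output into one file per certificate so that each can be inspected before it is imported into cert.kdb. The names split_chain, show_cert and chain-N.pem are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example; function and file names are assumptions, not IBM's.

# split_chain INPUT OUTDIR
# Writes OUTDIR/chain-0.pem, chain-1.pem, ... in the order the server sent
# them (0 is the server's own certificate) and prints how many were written.
split_chain() {
    src=$1 outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/chain-%d.pem", dir, n); keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/   { if (keep) { close(out); n++ }; keep = 0 }
        END { print n + 0 }
    ' "$src"
}

# show_cert FILE: print the fields to compare against the values the CA
# publishes before the file is added to cert.kdb with -trust enable.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Constructed sample shaped like s_client output; the base64 bodies are
# placeholders, not real certificates, so show_cert is not run on them.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/s_client.out" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldap-host
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItTEVBRg==
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItSU5URVJNRURJQVRF
-----END CERTIFICATE-----
---
Server certificate
EOF
    split_chain "$tmp/s_client.out" "$tmp/out"
    rm -rf "$tmp"
}

demo  # prints 2
```

For a real server, save the step 1 output to a file, run split_chain on it, and then run show_cert on each resulting file.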


Document Information

Modified date:
17 June 2018

UID

swg22015854