IBM Support

External user authentication to secure LDAP server over TLS1.2 failing?

Technical Blog Post


Abstract

External user authentication to secure LDAP server over TLS1.2 failing?

Body

The product documentation describes how to configure authentication policies for external authentication over LDAP. As it shows, a policy is made secure (vs. non-secure) simply by adding (or not adding) authentication_policy.authentication_#.security_protocol=ssl. Note, however, that setting security_protocol=ssl makes that policy negotiate its SSL connection over TLS1.0 only. This is still true in the latest (as of this writing) SB2Bi 5.2.6.3 fix pack.

But what if the LDAP server enforces TLS1.2? Because the SB2Bi LDAP client attempts the connection over TLS1.0, the SSL/TLS handshake fails and an exception like the following is written to Authentication.log. The same failure can be reproduced outside the product with openssl s_client -connect ldaphost.com:636 -tls1; if the server is the only constraint, retrying with -tls1_2 should succeed.


ERROR LDAPAuthentication LDAP authentication has failed with exception for user: user123
ERROR [1501007062482] simple bind failed: ldaphost.com:636
ERRORDTL [1501007062482]javax.naming.CommunicationException: simple bind failed: ldaphost.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:232)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2754)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:330)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:206)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:224)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:167)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:97)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:696)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:319)
    at javax.naming.InitialContext.init(InitialContext.java:254)
    at javax.naming.InitialContext.<init>(InitialContext.java:228)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:113)
    at com.sterlingcommerce.woodstock.security.LDAPAuthentication.isAuthenticated(LDAPAuthentication.java:123)
    at com.sterlingcommerce.woodstock.security.AuthenticationService.isAuthenticated(AuthenticationService.java:537)
    at com.sterlingcommerce.woodstock.security.SecurityManager.isAuthenticated(SecurityManager.java:523)
    at com.sterlingcommerce.woodstock.security.User.isAuthenticated(User.java:463)
    at com.sterlingcommerce.woodstock.ui.UserAutho.isAuthenticated(UserAutho.java:110)
    at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
    at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:713)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at com.ibm.jsse2.qc.a(qc.java:402)
    at com.ibm.jsse2.qc.h(qc.java:275)
    at com.ibm.jsse2.qc.a(qc.java:235)
    at com.ibm.jsse2.e.read(e.java:9)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:247)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:287)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:346)
    at com.sun.jndi.ldap.Connection.run(Connection.java:886)
    at java.lang.Thread.run(Thread.java:798)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at com.ibm.jsse2.a.a(a.java:228)
    at com.ibm.jsse2.qc.a(qc.java:459)


Does it still fail after setting the security.SSLHelloProtocol property to TLS1.2? Yes, it does, because that property does not apply to LDAP connections.


Next, how do you make the LDAP client attempt a secure connection over TLS1.2? This is not possible unless you are running 5.2.6.2_1 iFix or later. In 5.2.6.2_1, new properties were added to authentication_policy.properties to configure the TLS version for LDAP connections; see APAR IT16022.


If you are running SB2Bi 5.2.6.2_1 or later, you will see the following properties in authentication_policy.properties, which otherwise do not exist. Both have inline documentation.

TLS_VERSION=TLS1.2

authentication_policy.authentication_<number>.enable_custom_socket_factory=true


TLS_VERSION configures which version of TLS is used for LDAP client connections (i.e., external authentication). Note that this version is not enforced unless enable_custom_socket_factory is set to true for the corresponding policy: TLS_VERSION is a single global value, while enable_custom_socket_factory is set per policy.
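The mechanism behind a setting like enable_custom_socket_factory is the standard JNDI hook for LDAP sockets: the java.naming.ldap.factory.socket environment property names a SocketFactory class, and the LDAP provider obtains an instance through that class's static getDefault() method. The following is an added example, not SB2Bi's own socket factory, showing the same idea in plain Java: a factory that wraps the JSSE default and restricts every LDAP socket it creates to TLSv1.2 before the handshake starts. The host ldaphost.com, the bind DN and the password are placeholders.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Illustrative custom socket factory (not the product's) that pins JNDI LDAP
 * connections to one TLS protocol version. Only the protocol list is changed;
 * certificate trust still comes from the JVM's default trust manager.
 */
public class Tls12LdapSocketFactory extends SSLSocketFactory {
    // JSSE protocol name for TLS 1.2 (the product's TLS_VERSION=TLS1.2 maps to this)
    private static final String[] PROTOCOLS = { "TLSv1.2" };
    private final SSLSocketFactory delegate;

    public Tls12LdapSocketFactory() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key and trust managers
        this.delegate = ctx.getSocketFactory();
    }

    // JNDI instantiates the class named in java.naming.ldap.factory.socket via this static method
    public static SocketFactory getDefault() {
        try {
            return new Tls12LdapSocketFactory();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("cannot build TLSv1.2 context", e);
        }
    }

    // Restrict the socket's enabled protocols before any handshake runs on it
    private Socket pin(Socket s) {
        ((SSLSocket) s).setEnabledProtocols(PROTOCOLS);
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return pin(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return pin(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return pin(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return pin(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return pin(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return pin(delegate.createSocket(address, port, localAddress, localPort));
    }

    /** Simple bind over LDAPS using the pinned factory; host, DN and password are placeholders. */
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldaphost.com:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=user123,ou=people,dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, "changeit");
        // Without this line the provider uses the JVM default factory and whatever
        // protocols it enables; with it, the handshake offers TLSv1.2 only.
        env.put("java.naming.ldap.factory.socket", Tls12LdapSocketFactory.class.getName());
        DirContext ctx = new InitialDirContext(env); // simple bind happens here
        System.out.println("bind succeeded over TLSv1.2");
        ctx.close();
    }
}
```

If the server still closes the connection with a factory like this in place, the protocol version is not the problem: check the cipher suites the server accepts and its certificate chain against the client trust store, since the factory changes only the protocol list and leaves the default trust decisions untouched.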


Summary -

SSL-enabled authentication policies without enable_custom_socket_factory, or with it set to false, use TLS1.0

SSL-enabled authentication policies with enable_custom_socket_factory=true use the protocol configured in TLS_VERSION. Since TLS1.0 is deprecated (RFC 8996), this second configuration is the one to use for every SSL-enabled policy.



UID

ibm11120971