
IT36977: WEBADMIN LDAP INTEGRATION FAILURE, WHEN USING SECURED LDAP ENDPOINT, DUE TO SERVER CERTIFICATE IDENTITY CHECK.


APAR status

  • Closed as program error.

Error description

  • When connecting to an LDAP server over TLS, the default behavior
    is to verify that the LDAP server hostname matches the subject
    name or a subject alternative name in the server's certificate.
    If it does not match, the handshake fails.
    
    Users may want an option to skip the hostname verification check
    when using an LDAPS endpoint in the ldapUrl or ldapAuthorizeUrl
    property.
    
    A new property named ldapCheckServerIdentity is introduced in
    node.conf.yaml (server.conf.yaml for stand-alone integration
    servers) that can be set to false to disable hostname
    verification of the LDAP server used for web admin security.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    All Users of IBM App Connect Enterprise V11 having
    administration security enabled with a secured LDAP server.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When connecting to an LDAP server over TLS to validate a web
    user trying to log in, the default behavior is to verify that the
    LDAP server hostname matches the subject name or a subject
    alternative name in the server's certificate. If it does not
    match, the handshake fails.
    
    Users may want an option to skip the hostname verification check
    when using an LDAPS endpoint in the ldapUrl or ldapAuthorizeUrl
    property.
    

Problem conclusion

  • A new property named ldapCheckServerIdentity is introduced in
    node.conf.yaml (server.conf.yaml for stand-alone integration
    servers) that can be set to 'false' to disable hostname
    verification of the LDAP server used for web admin security.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v11.0      11.0.0.13
    
    The latest available maintenance can be obtained from:
    http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg27006041
    
    If the maintenance level is not yet available, information on
    its planned availability can be found on:
    http://www-1.ibm.com/support/docview.wss?rs=849&uid=swg27006308
    ---------------------------------------------------------------
    
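As an added illustration (not code from the APAR or from IBM App Connect Enterprise), the identity check described above in Python: the hostname the client dialled is matched against the certificate's DNS subject alternative names, falling back to the subject CN only when the certificate has none, and the client-side equivalent of ldapCheckServerIdentity set to false keeps trust-chain validation but accepts any chain-valid certificate for the host. The certificates and hostnames are constructed samples.

```python
import ssl

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns
# for a parsed certificate (not real certificates).
LDAP_SERVER_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.corp.example.com")),
}
LEGACY_CN_ONLY_CERT = {"subject": ((("commonName", "ldap.example.com"),),)}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match; a wildcard is honoured only as the
    whole left-most label and only covers a single label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    head, sep, tail = hostname.partition(".")
    return bool(head) and bool(sep) and tail == pattern[2:]


def server_identity_matches(cert: dict, hostname: str) -> bool:
    """The check the APAR describes: the host the client dialled must match a
    DNS subject alternative name, or the subject CN if the cert has no SAN."""
    san_dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_name_matches(n, hostname) for n in san_dns)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in cns)


def accept_ldap_server(cert: dict, hostname: str, check_server_identity: bool = True) -> bool:
    """Outcome once the trust chain has verified. With the identity check
    disabled (ldapCheckServerIdentity: false) any chain-valid certificate is
    accepted, whatever name it carries."""
    return (not check_server_identity) or server_identity_matches(cert, hostname)


def ldaps_context(check_server_identity: bool = True) -> ssl.SSLContext:
    """Client-side TLS settings equivalent to the property: the trust-chain
    check (verify_mode) stays on; only the hostname check is switched."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = check_server_identity
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

The hostname check is what binds the presented certificate to the server you connected to, so setting the property to false is best treated as a stopgap while the server certificate's subject alternative name is corrected to the hostname in ldapUrl.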

Temporary fix

Comments

APAR Information

  • APAR number

    IT36977

  • Reported component name

    APP CONNECT ENT

  • Reported component ID

    5724J0550

  • Reported release

    B00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-05-20

  • Closed date

    2021-06-04

  • Last modified date

    2021-09-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    APP CONNECT ENT

  • Fixed component ID

    5724J0550

Applicable component levels


Document Information

Modified date:
17 September 2021