Configuring ISM LDAP monitor for SSL

Answer

Here is an example of an LDAP monitor configuraion using SSL.

NOTE: Version 7.4 Fix pack 1 or later is required to implement this method.

In earlier versions, the 'verifycertificate' parameter is not available.

Use ldapsearch to develop the command that will be used by the LDAP monitor.

For example:

[root@nc9053114114 ITM]# ldapsearch -h hulkster -D cn=root -w ***** -b "cn=Bruce Willman,ou=Level2,o=Tivoli,c=us" -s base objectClass=*

# extended LDIF

#

# LDAPv3

# base <cn=Bruce Willman,ou=Level2,o=Tivoli,c=us> with scope baseObject

# filter: objectClass=*

# Bruce Willman, Level2, Tivoli, us

dn: cn=Bruce Willman,ou=Level2,o=Tivoli,c=us

cn: Bruce

cn: Bruce Willman

sn: Willman

# search result

search: 2

result: 0 Success

# numResponses: 2

# numEntries: 1

2. Configure the LDAP element

Start the ISM Configuration GUI, and create an element.

- In the ‘server’ field, enter the host name of the LDAP server (-h parameter)

- In the ‘searchbase’ field, enter the search string (-b parameter)

- In the ‘filter’ field, enter the filter

In the Advanced tab:

- Set the port number that the LDAP server listens on for SSL connections

This value can be found in the LDAP server configuration file, and is 636 in this example.

- Set the ‘username’ and ‘password’ (-D and –w parameters)

- Set ‘authentication type’ to SSL-SIMPLE

- Set ‘verifycertificate’ to Disabled

Set distribution of the profile to an agent, and then save the changes.

The test should show up in the TEP:

Trouble shooting

- Edit <ISM_HOME>/etc/props/ldap.props, and add the line:

MessageLevel : “debug”

- Restart the LDAP monitor:

<ISM_HOME>/bin/ism_startup.sh stop nco_m_ldap

<ISM_HOME>/bin/ism_startup.sh start nco_m_ldap

- Check <ISM_HOME>/log/ldap.log, and there will be tracing:

Tue Jan 5 11:18:21 2016 F57FEB70 Information: Trying connection

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Using OpenLDAP Version 2.4.40

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Using cyrus-sasl Version 2.1.26

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: SSL requested - URI is ldaps://hulkster.tivlab.austin.ibm.com:636/

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Initialisation complete

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Creating SSL context for v2 and v3

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL context established successfully

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: No certificate file

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: No private key file

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL context setup succeeded

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Created New SSL Context 0xCE84D878

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: LDAPv3 selected

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Binding attempt with plaintext or SSL-tunneled plaintext password, ldap_p=-199225272

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Configuring Certificate Verification: Disabled

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL info: cert:[] key:[] pass:[] auth:[0] trust_file:[/opt/IBM/ITM/lx8263/is/certificates/trust.pem] trust_path:[/opt/IBM/ITM/lx8263/is/certificates/]

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Disabling Certificate Verification Using Context=0xCE84D878

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL Disable args SSLV2=1 SSLV3=1, TLS=0

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL disabling SSLv2

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL disabling SSLv3

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL set options = 0x83000BFF

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Using cipher suite: 'AES:3DES:DES:!EXP:!DHE:!EDH'

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Ldap handle on failure was -199225272

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Getting results of bind, timeout is 30, msgid is 1 ...

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind status is: 97

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind result from ldap_parse_result is: 0 with message type 0

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Async bind results returned from server

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind to LDAP server complete

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Attempting search ...

…

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(profile) -> "LDAPMonitor"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(datalogpath) -> "ldaphulkster_tivlab_austin_ibm_com_636_cn_Bruce_Willman_ou_Level2_o_Tivoli_c_us_guicli_1427210814415_6683_720d"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(host) -> "hulkster.tivlab.austin.ibm.com"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(timeout) -> "30"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(pollInterval) -> "300"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(description) -> "LDAP hulkster.tivlab.austin.ibm.com element."

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(failureRetests) -> "0"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(failureRetestInterval) -> "10"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(identchecksum) -> "guicli_1427210814415_6683_720d"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(startTimePoll) -> "1452010701"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(service) -> "LDAP"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(port) -> "636"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(distinguishedName) -> "cn=root"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(searchBase) -> "cn=Bruce Willman,ou=Level2,o=Tivoli,c=us"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(filter) -> "objectclass=*"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(authentication) -> "SSL-SIMPLE"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(initTime) -> "0.00040"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(message) -> "Search successful"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(connectTime) -> "0.01242"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(dnMatched) -> "cn=Bruce Willman,ou=Level2,o=Tivoli,c=us"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass) -> "top"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass2) -> "person"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass3) -> "organizationalPerson"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass4) -> "inetOrgPerson"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass5) -> "ePerson"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(cn) -> "Bruce"

Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(cn2) -> "Bruce Willman"