IBM Support

Configuring ISM LDAP monitor for SSL

Question & Answer


Question

How can the LDAP monitor be configured to connect to an LDAP server using a secure socket?

Answer

Here is an example of an LDAP monitor configuration using SSL.

NOTE: Version 7.4 Fix Pack 1 or later is required to implement this method. In earlier versions, the 'verifycertificate' parameter is not available.


1. Develop a working search

Use ldapsearch to develop the command that will be used by the LDAP monitor.

For example:

[root@nc9053114114 ITM]# ldapsearch -h hulkster -D cn=root -w ***** -b "cn=Bruce Willman,ou=Level2,o=Tivoli,c=us" -s base objectClass=*
# extended LDIF
#
# LDAPv3
# base <cn=Bruce Willman,ou=Level2,o=Tivoli,c=us> with scope baseObject
# filter: objectClass=*

# Bruce Willman, Level2, Tivoli, us
dn: cn=Bruce Willman,ou=Level2,o=Tivoli,c=us
cn: Bruce
cn: Bruce Willman
sn: Willman

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

2. Configure the LDAP element

Start the ISM Configuration GUI, and create an element.

- In the 'server' field, enter the host name of the LDAP server (-h parameter)

- In the 'searchbase' field, enter the search base (-b parameter)

- In the 'filter' field, enter the filter

In the Advanced tab:

- Set the port number that the LDAP server listens on for SSL connections. This value can be found in the LDAP server configuration file, and is 636 in this example.

- Set the 'username' and 'password' (-D and -w parameters)

- Set 'authentication type' to SSL-SIMPLE

- Set 'verifycertificate' to Disabled. With verification disabled, the monitor does not validate the certificate that the LDAP server presents during the SSL handshake.

Set distribution of the profile to an agent, and then save the changes.

The test should show up in the TEP.

Troubleshooting

- Edit <ISM_HOME>/etc/props/ldap.props, and add the line:

MessageLevel : "debug"

- Restart the LDAP monitor:

<ISM_HOME>/bin/ism_startup.sh stop nco_m_ldap

<ISM_HOME>/bin/ism_startup.sh start nco_m_ldap

- Check <ISM_HOME>/log/ldap.log; with debug enabled it will contain tracing such as the following:

Tue Jan 5 11:18:21 2016 F57FEB70 Information: Trying connection
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Using OpenLDAP Version 2.4.40
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Using cyrus-sasl Version 2.1.26
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: SSL requested - URI is ldaps://hulkster.tivlab.austin.ibm.com:636/
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Initialisation complete
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Creating SSL context for v2 and v3
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL context established successfully
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: No certificate file
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: No private key file
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL context setup succeeded
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Created New SSL Context 0xCE84D878
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: LDAPv3 selected
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Binding attempt with plaintext or SSL-tunneled plaintext password, ldap_p=-199225272
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Configuring Certificate Verification: Disabled
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL info: cert:[] key:[] pass:[] auth:[0] trust_file:[/opt/IBM/ITM/lx8263/is/certificates/trust.pem] trust_path:[/opt/IBM/ITM/lx8263/is/certificates/]
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Disabling Certificate Verification Using Context=0xCE84D878
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL Disable args SSLV2=1 SSLV3=1, TLS=0
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL disabling SSLv2
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL disabling SSLv3
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL set options = 0x83000BFF
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Using cipher suite: 'AES:3DES:DES:!EXP:!DHE:!EDH'
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Ldap handle on failure was -199225272
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Getting results of bind, timeout is 30, msgid is 1 ...
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind status is: 97
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind result from ldap_parse_result is: 0 with message type 0
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Async bind results returned from server
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind to LDAP server complete
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Attempting search ...
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(profile) -> "LDAPMonitor"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(datalogpath) -> "ldaphulkster_tivlab_austin_ibm_com_636_cn_Bruce_Willman_ou_Level2_o_Tivoli_c_us_guicli_1427210814415_6683_720d"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(host) -> "hulkster.tivlab.austin.ibm.com"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(timeout) -> "30"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(pollInterval) -> "300"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(description) -> "LDAP hulkster.tivlab.austin.ibm.com element."
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(failureRetests) -> "0"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(failureRetestInterval) -> "10"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(identchecksum) -> "guicli_1427210814415_6683_720d"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(startTimePoll) -> "1452010701"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(service) -> "LDAP"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(port) -> "636"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(distinguishedName) -> "cn=root"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(searchBase) -> "cn=Bruce Willman,ou=Level2,o=Tivoli,c=us"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(filter) -> "objectclass=*"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(authentication) -> "SSL-SIMPLE"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(initTime) -> "0.00040"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(message) -> "Search successful"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(connectTime) -> "0.01242"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(dnMatched) -> "cn=Bruce Willman,ou=Level2,o=Tivoli,c=us"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass) -> "top"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass2) -> "person"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass3) -> "organizationalPerson"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass4) -> "inetOrgPerson"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(objectClass5) -> "ePerson"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(cn) -> "Bruce"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(cn2) -> "Bruce Willman"
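As an added example (not part of this IBM document or of the ISM product), the following Python parser reads the ldap.log trace format shown above and summarises the SSL session: the ldaps:// URI, the certificate-verification setting, the trust store path the agent has configured, the SSLv2/SSLv3/TLS disable flags, the bind status and result codes, and the $(variable) result lines, and it flags a trace in which certificate verification is disabled or the connection is not using ldaps://. The sample lines are constructed from the trace above and embedded so the parser runs offline.

```python
import re

# Constructed sample of <ISM_HOME>/log/ldap.log debug lines, copied from the
# trace in this document and embedded here so the parser runs offline.
SAMPLE_LOG = """\
Tue Jan 5 11:18:21 2016 F57FEB70 Information: Trying connection
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: SSL requested - URI is ldaps://hulkster.tivlab.austin.ibm.com:636/
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: Configuring Certificate Verification: Disabled
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL info: cert:[] key:[] pass:[] auth:[0] trust_file:[/opt/IBM/ITM/lx8263/is/certificates/trust.pem] trust_path:[/opt/IBM/ITM/lx8263/is/certificates/]
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: SSL Disable args SSLV2=1 SSLV3=1, TLS=0
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind status is: 97
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: hulkster.tivlab.austin.ibm.com: Bind result from ldap_parse_result is: 0 with message type 0
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(authentication) -> "SSL-SIMPLE"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(port) -> "636"
Tue Jan 5 11:18:21 2016 F57FEB70 Debug: $(message) -> "Search successful"
"""

# "<weekday> <month> <day> <time> <year> <thread-id> <level>: <message>"
LINE_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]+ \d{4} [0-9A-F]+ (\w+): (.*)$")
VAR_RE = re.compile(r'^\$\((\w+)\) -> "(.*)"$')  # $(name) -> "value" result lines


def parse_ldap_log(text):
    """Summarise what an ISM ldap.log debug trace says about the SSL session."""
    s = {"vars": {}, "findings": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(2)
        v = VAR_RE.match(msg)
        if v:                                    # element result variables
            s["vars"][v.group(1)] = v.group(2)
        elif "URI is " in msg:
            s["uri"] = msg.split("URI is ", 1)[1].strip()
        elif msg.startswith("Configuring Certificate Verification:"):
            s["cert_verification"] = msg.split(":", 1)[1].strip()
        elif "trust_file:[" in msg:              # CA bundle the agent is configured with
            s["trust_file"] = msg.split("trust_file:[", 1)[1].split("]", 1)[0]
        elif msg.startswith("SSL Disable args"):
            s["ssl_disabled"] = {k: flag == "1" for k, flag in re.findall(r"(SSLV2|SSLV3|TLS)=(\d)", msg)}
        elif "ldap_parse_result is:" in msg:     # the actual LDAP result code (0 = success)
            s["bind_result"] = int(re.search(r"is: (\d+)", msg).group(1))
        elif "Bind status is:" in msg:           # 97 == LDAP_RES_BIND (0x61): a message type, not an error
            s["bind_status"] = int(msg.rsplit(":", 1)[1])
    if not s.get("uri", "").startswith("ldaps://"):
        s["findings"].append("connection is not using ldaps://")
    if s.get("cert_verification") == "Disabled":
        s["findings"].append("certificate verification disabled; server identity is not checked, trust store: " + s.get("trust_file", "?"))
    return s
```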


Document Information

Modified date: 17 June 2018

UID: swg21974294