Troubleshooting
Problem
In a recent update from Microsoft, customers have been enabling/forcing SSL for LDAP connections to Active Directory. The enabling/forcing of SSL is described in the following Microsoft document: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows
This document outlines the steps required to allow your TM1Web Application Server to communicate with the Active Directory LDAP using SSL.
Symptom
Incorrect configuration will often lead to the following error in the browser: Error 403: AuthenticationFailed
Resolving The Problem
How to Enable SSL LDAP Configuration in Server.XML
Additional Considerations:
- Obtain the appropriate SSL Certificate(s) from your Domain Administrator and copy the file to the \install_dir\bin64\ssl\ folder
*You want to obtain a file that contains both the root and intermediate certificates (entire chain of trust) in a single file
**Example in this document uses a file named ca-chain.cert.pem (root and intermediate combined) - Stop your IBM Planning Analytics / TM1Web Application Server
- Open/edit your \install_dir\wlp\usr\servers\tm1\server.xml file
- Ensure the featureManager tag include the following features:
<feature>ssl-1.0</feature>
<feature>appSecurity-2.0</feature> - Ensure the ldapRegistry entry has been updated to reflect the correct SSL port (636 by default), and add the following two lines at the end of the ldapRegistry entry:
sslEnabled="true"
sslRef="LDAPSSLSettings"
EXAMPLE: <ldapRegistry id="ldap" realm="PA.IBMSUPPORT.COM" host="PA.IBMSUPPORT.COM" port="636" ignoreCase="true" baseDN="CN=Users,DC=pa,DC=ibmsupport,DC=com" bindDN="CN=Fish SVCACCT,CN=Users,DC=pa,DC=ibmsupport,DC=com" bindPassword="PASupport!@" ldapType="Microsoft Active Directory" sslEnabled="true" sslRef="LDAPSSLSettings"/> - At the bottom of the file, add the following just before the closing </server> tag:
<sslDefault sslRef="LDAPSSLSettings" />
<ssl id="LDAPSSLSettings" keyStoreRef="LDAPKeyStore" trustStoreRef="LDAPTrustStore" />
<keyStore id="LDAPKeyStore" location="${wlp.user.dir}/../../bin64/ssl/tm1store" type="JKS" password="applix" />
<keyStore id="LDAPTrustStore" location="${wlp.user.dir}/../../bin64/ssl/tm1store" type="JKS" password="applix" /> - Save the file server.xml file
- In Command Prompt, as an Administrator, navigate to <install_dir>\tm1_64\jre\bin\
- Modify (as required) and execute the following command to import the Root Certificate Authority and Intermediate Certificate Authority (via the concatenated ca-chain.cert.pem file) in to your TM1Store: keytool.exe -import -trustcacerts -file "..\..\bin64\ssl\ca-chain.cert.pem" -keystore "..\..\bin64\ssl\tm1store" -alias caChain -storepass applix
Additional Considerations:
- Different Keystore or Truststore files can be used if desired
- Passwords in the server.xml file can be encrypted using the securityUtility, located in \install_dir\wlp\bin\
See: https://www.ibm.com/support/pages/how-encrypt-password-planning-analytics-wlp-serverxml-file
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSD29G","label":"IBM Planning Analytics"},"ARM Category":[{"code":"a8m0z000000GoUlAAK","label":"Troubleshooting->TM1Web"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Document Information
Modified date:
22 June 2020
UID
ibm16233992