Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Issue

Cause

Diagnosis

Resolution

While configuring LDAP in Adeptia to authenticate users against the Active Directory server but we want to change it to use SSL connection for the same LDAP server. We have followed the steps mentioned in the below document to configure a secure LDAP connection.

https://docs.adeptia.com/display/AC2/Configuring+Adeptia+Connect+for+LDAP+Authentication

But after Restart the services, we are getting the below error on Login.

Login failed - Error while retrieving LDAP directory context, please verify connection with LDAP server or user's credentials.

At the active directory server, we see "cannot validate token" error.

After analyzing the SSL logs, we found that this issue is caused due to the unsupported Signature Algorithm certificates exchange between Adeptia & the LDAP server. This can be verified from the SSL log trace:-

CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, SHA512withECDSA, SHA256withRSA, SHA384withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA1withECDSA, SHA1withDSA

This issue occurs only with the Windows 2012 R2 server that doesn't support MD5 algorithm while Adeptia uses adeptiabpmtemp certificate signed with MD5WITHRSA Signature Algorithm. Due to this mismatch, Adeptia is unable to make a connection with Secure LDAP.

Check if TLS1.2 is enabled on the LDAP server side. If enabled, then, kindly, perform the following steps to enable the SSL logs for analysis:-

Goto the location "<InstallationDirectory>/ServerKernal/etc" and open the launcher.properties file in edit mode.
Now, add -Djavax.net.debug=ssl in the JVM parameter for Webrunner.
Restart the Adeptia services.
The SSL debug logs will be created in WebrunnerApplication.log file located at "<AdeptiaInstallationDirectory>\ServerKernel\logs\applicationlogs".

To solve this issue you need to use the new certificates signed with Signature Algorithm SHA256WITHRSA. Using the updated certificates will allow you to establish a connection with the Secure LDAP successfully. Follow the below steps to download and use the updated certificates,:-

Download and extract the attached zip file adeptiaBPM.zip.
Goto the location "<AdeptiaInstallationDirectory>\AdeptiaServer\ServerKernel\etc\jetty".
Take the backup of the existing adeptiaBPM.keystore file and copy the downloaded Keystore file here.
Enable the Secure LDAP configuration as provided in the documentation.
Restart the Adeptia Services.
Now, access the Adeptia Url with LDAP credentials.