Troubleshooting
Problem
To use AD as one of the federated directories, I registered an Active Directory server (SSL/TLS). After I saved, deployed and restarted the runtime, my reverse proxy cannot start any more.
Symptom
These messages can be seen in msg__webseald-<instance name>.log:
HPDCO0192W LDAP server ad.example.com:636 has failed.
HPDDB0450W Could not bind to server (wga.example.com, 0x13212077).
HPDDB0609E Could not rebuild database replica (/var/pdweb/default/db/webseald-default.db, 0x13212077).
Furthermore, I cannot use the admin CLI any more.
Welcome to the IBM Security Access Manager appliance
Enter "help" for a list of available commands
wga.example.com> isam
wga.example.com:isam> admin
pdadmin> login
Enter User ID: sec_master
Enter Password:
Error: HPDAC0779E The LDAP registry server is down. (status 0x1005b30b)
Cause
When ISAM servers try to initiate a TLS 1.2 session with AD, they do not send the signature_algorithms extension in the Client Hello by default.
Environment
ISAM9, Windows 2012(AD)
Diagnosing The Problem
If you can collect a network trace, you will see AD send a TCP RST in response to the Client Hello from the ISAM servers.
Resolving The Problem
You need to add the ldap-ssl-set-extn-sigalg parameter to the [ldap] stanza of ldap.conf manually.
For example,
[ldap]
ldap-ssl-set-extn-sigalg = GSK_TLS_SIGALG_RSA_WITH_SHA1,GSK_TLS_SIGALG_DSA_WITH_SHA1,GSK_TLS_SIGALG_ECDSA_WITH_SHA1,GSK_TLS_SIGALG_RSA_WITH_SHA224,GSK_TLS_SIGALG_ECDSA_WITH_SHA224,GSK_TLS_SIGALG_RSA_WITH_SHA256,GSK_TLS_SIGALG_ECDSA_WITH_SHA256,GSK_TLS_SIGALG_RSA_WITH_SHA384,GSK_TLS_SIGALG_ECDSA_WITH_SHA384,GSK_TLS_SIGALG_RSA_WITH_SHA512,GSK_TLS_SIGALG_ECDSA_WITH_SHA512
After modifying ldap.conf, you need to save, deploy and restart the runtime and the reverse proxy.
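As an added check for the cause and the trace symptom described above, and for the ldap-ssl-set-extn-sigalg list (this is an added example, not IBM, ISAM or GSKit code): a small Python parser that builds constructed TLS 1.2 ClientHello records, reports whether the signature_algorithms extension (type 13) is present, and decodes the hash/signature pairs it carries, so you can compare a captured Client Hello against what the ldap.conf setting should produce. The translation of GSK_TLS_SIGALG_<SIG>_WITH_<HASH> names into RFC 5246 SignatureAndHashAlgorithm code points (HASH_IDS, SIG_IDS) is an assumption based on the names, not documented GSKit behaviour, and LDAP_CONF_VALUE is a shortened constructed sample of the technote's list.

```python
"""Inspect a TLS 1.2 ClientHello for the signature_algorithms extension.

Added example; not IBM/ISAM/GSKit code. The GSK name -> code point mapping
below is an assumption derived from the names in ldap.conf.
"""
import struct

# RFC 5246 HashAlgorithm / SignatureAlgorithm code points.
HASH_IDS = {"SHA1": 2, "SHA224": 3, "SHA256": 4, "SHA384": 5, "SHA512": 6}
SIG_IDS = {"RSA": 1, "DSA": 2, "ECDSA": 3}
HASH_NAMES = {v: k for k, v in HASH_IDS.items()}
SIG_NAMES = {v: k for k, v in SIG_IDS.items()}
SIGALG_EXT = 13  # signature_algorithms extension type

# Constructed, shortened sample of the technote's ldap-ssl-set-extn-sigalg value.
LDAP_CONF_VALUE = ("GSK_TLS_SIGALG_RSA_WITH_SHA256,GSK_TLS_SIGALG_ECDSA_WITH_SHA256,"
                   "GSK_TLS_SIGALG_RSA_WITH_SHA384")


def parse_gsk_sigalg_list(value):
    """Turn 'GSK_TLS_SIGALG_RSA_WITH_SHA256,...' into [(hash_id, sig_id), ...].

    Assumption: GSK_TLS_SIGALG_<SIG>_WITH_<HASH> maps to RFC 5246 pairs.
    """
    pairs = []
    for name in value.split(","):
        name = name.strip()
        if not name.startswith("GSK_TLS_SIGALG_"):
            raise ValueError(f"unexpected entry: {name}")
        sig, hsh = name[len("GSK_TLS_SIGALG_"):].split("_WITH_")
        pairs.append((HASH_IDS[hsh], SIG_IDS[sig]))
    return pairs


def build_client_hello(sigalgs=None, version=(3, 3)):
    """Build a minimal TLS record carrying a ClientHello (constructed test input).

    sigalgs=None omits extension 13, reproducing the default ISAM behaviour
    the technote describes; version (3, 3) is TLS 1.2.
    """
    body = bytes(version) + bytes(32)            # client_version + random (zeros)
    body += b"\x00"                              # session_id: empty
    body += struct.pack("!H", 2) + b"\x00\x2f"   # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                          # compression_methods: null only
    exts = b""
    if sigalgs is not None:
        algs = b"".join(struct.pack("!BB", h, s) for h, s in sigalgs)
        ext_data = struct.pack("!H", len(algs)) + algs
        exts += struct.pack("!HH", SIGALG_EXT, len(ext_data)) + ext_data
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return version, extension types present and decoded sigalgs (None if absent)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 34                                     # skip client_version + random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    ext_types, sigalgs = [], None
    if pos < len(body):                          # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            ext_types.append(etype)
            if etype == SIGALG_EXT:
                n = struct.unpack("!H", edata[:2])[0]
                sigalgs = [(HASH_NAMES.get(edata[2 + i], edata[2 + i]),
                            SIG_NAMES.get(edata[3 + i], edata[3 + i]))
                           for i in range(0, n, 2)]
    return {"version": version, "extensions": ext_types, "sigalgs": sigalgs}


def diagnose(record):
    """One-line verdict matching the cause described in the technote."""
    info = parse_client_hello(record)
    if info["sigalgs"] is not None:
        return "ClientHello offers signature_algorithms: " + ", ".join(
            f"{s}+{h}" for h, s in info["sigalgs"])
    if info["version"] >= (3, 3):
        return "TLS 1.2 ClientHello without signature_algorithms: set ldap-ssl-set-extn-sigalg"
    return "pre-TLS 1.2 ClientHello; signature_algorithms extension not expected"


if __name__ == "__main__":
    print(diagnose(build_client_hello()))
    print(diagnose(build_client_hello(parse_gsk_sigalg_list(LDAP_CONF_VALUE))))
```

To use this against a real capture, extract the raw bytes of the first record the ISAM side sends on port 636 from your trace and pass them to diagnose(); a TLS 1.2 Client Hello with no extension 13 is the condition the technote describes, and the RST from AD follows it.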
Related Information
Product Synonym
ISAM
Document Information
Modified date:
16 June 2018
UID
swg22015607