Troubleshooting
Problem
Users cannot log in to IBM Resilient because IBM Resilient cannot connect to Active Directory: the SSL certificate that IBM Resilient uses to secure the TLS connection to Active Directory has expired.
Symptom
Users cannot log in to IBM Resilient via LDAP authentication. The client.log shows the following error:
07:53:11.117 [http-nio-443-exec-18] ERROR [ldap] com.co3.ldap.LdapConnectionSet - Failed to connect to xx:636: An error occurred while attempting to connect to server xx:636: IOException(LDAPException(resultCode=123 (authorization denied), errorMessage='authorization denied', ldapSDKVersion=4.0.9, revision=29290))......
Caused by: java.io.IOException: LDAPException(resultCode=123 (authorization denied), errorMessage='authorization denied', ldapSDKVersion=4.0.9, revision=29290)
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:178)
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:860)
... 59 common frames omitted
Caused by: com.unboundid.ldap.sdk.LDAPException: authorization denied
at com.co3.ldap.LdapConnectionSet$2.verifySSLSocket(LdapConnectionSet.java:413)
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:166)
... 60 common frames omitted
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.ibm.jsse2.ag.getPeerCertificates(ag.java:130)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:113)
at com.co3.net.ResilientHostnameVerifier.verify(rgResilientHostnameVerifier.java:34)
at com.co3.ldap.LdapConnectionSet$2.verifySSLSocket(LdapConnectionSet.java:411)
... 61 common frames omitted
Cause
The Active Directory server's SSL certificate has expired.
Diagnosing The Problem
Running sudo resutil ldaptest returns the following error:
An error occurred while running the command line utility: Unable to connect to the LDAP server
The file /usr/co3/logs/resutil.log shows the following error:
ERROR com.co3.ldap.LdapConnectionSet - Failed to setup LDAP connection pool: An error occurred while attempting to connect to server xx.xx.xx:636: IOException(LDAPException(resultCode=123 (authorization denied), errorMessage='authorization denied', ldapSDKVersion=4.0.9, revision=29290))
[main] ERROR com.co3.tools.co3util.Co3Util - Unable to connect to the LDAP server.
java.lang.RuntimeException: Unable to connect to the LDAP server.
at com.co3.tools.co3util.command.LdapConfigurationCommand.test(LdapConfigurationCommand.java:129)
at com.co3.tools.co3util.command.LdapConfigurationTestCommand.run(LdapConfigurationTestCommand.java:67)
at com.co3.context.DefaultCo3ContextImpl.runAsSuperUser(DefaultCo3ContextImpl.java:971)
Check the SSL certificate that IBM Resilient uses to connect to Active Directory to see whether it has expired:
keytool -list -v -keystore custcerts -storepass "$(resutil keyvaultget -name "custcerts")"
Resolving The Problem
If the SSL certificate has expired, see the LDAP Authentication section of the IBM Resilient Knowledge Center, then do the following steps:
Back up your custcerts keystore.
Obtain the correct SSL certificate. It might need to be obtained from another team, or you can retrieve it from the LDAP server by running:
keytool -printcert -rfc -sslserver {ldap_server_hostname}:636 > cacerts.pem
Import the new LDAP server's SSL certificate:
sudo keytool -importcert -trustcacerts -keystore /crypt/certs/custcerts -storepass "$(resutil keyvaultget -name "custcerts")" -file cacerts.pem -alias myldap
Verify that the certificate is imported into the custcerts keystore:
keytool -list -v -keystore custcerts -storepass "$(resutil keyvaultget -name "custcerts")"
Restart the IBM Resilient service:
sudo service resilient restart
Note: When you import, you might get a message that the alias already exists. If so, delete the existing alias first by running:
sudo keytool -delete -alias yourLDAPalias -keystore custcerts -storepass "$(sudo resutil keyvaultget -name "custcerts")"
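The expiry check in the diagnosing step and the verification step after the import both rely on reading the dates in the keytool -list -v output by eye. The following added example, which is not IBM Resilient code, parses that listing and flags each alias as expired, expiring soon or valid. The listing it reads is a constructed sample, the alias names are made up, and the date parser assumes the zone token keytool prints can be dropped and the value treated as UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `keytool -list -v -keystore custcerts` output (not from a real system).
SAMPLE_LISTING = """\
Your keystore contains 2 entries

Alias name: myldap
Owner: CN=ldap.example.com, O=Example Corp, C=US
Valid from: Mon Aug 09 00:00:00 UTC 2021 until: Tue Aug 09 23:59:59 UTC 2022

Alias name: myldap-renewed
Owner: CN=ldap.example.com, O=Example Corp, C=US
Valid from: Wed Aug 10 00:00:00 UTC 2022 until: Sat Aug 10 23:59:59 UTC 2030
"""

ALIAS_RE = re.compile(r"^Alias name: (.+)$")
VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")


def parse_keytool_date(text):
    # keytool prints e.g. "Tue Aug 09 23:59:59 UTC 2022". The zone token is dropped and the
    # value treated as UTC (assumption): hours of zone skew do not change an expiry verdict.
    parts = text.split()
    if len(parts) == 6:
        del parts[4]
    return datetime.strptime(" ".join(parts), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def check_listing(listing, now=None, warn_days=30):
    """Return [(alias, not_after, status)] per entry; status is expired, expiring-soon or valid."""
    now = now or datetime.now(timezone.utc)
    results, alias = [], None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1).strip()
            continue
        m = VALID_RE.match(line)
        if m and alias:
            not_after = parse_keytool_date(m.group(2))
            if now > not_after:
                status = "expired"
            elif (not_after - now).days < warn_days:
                status = "expiring-soon"
            else:
                status = "valid"
            results.append((alias, not_after, status))
            alias = None  # one validity line per keystore entry
    return results
```

To check a live keystore, pass the output of the keytool -list -v command above to check_listing instead of SAMPLE_LISTING; any alias reported as expired is the one to replace with the steps in this section.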
Document Location
Worldwide
Product Synonym
LDAP
Document Information
Modified date:
15 August 2022
UID
ibm16250815