SSL/TLS client binds fail to Solaris 10 06/06 DS5.2p4 server

hello all,
This is a bizarre issue that I think is related to the Solaris version running on the directory server, at least that appears to be the issue. I have 2 SunDS servers, one running Solaris 10 06/06 and the other Solaris 10 01/06 with DS5.2p4. Both have SSL enabled; the certs I signed with my own CA, which I maintain with tinyca2. The directory starts fine and is listening on both 389 (ldap) and 636 (ldaps). I am able to successfully bind to both servers on the non-secure ports; commands like getent, finger and id are pulling the people from the directory. When I enable the clients to use SSL/TLS, those same commands fail against the Solaris 10 06/06 machine but NOT the Solaris 10 01/06 server. On the Linux machines I'm getting "nscd: pam_ldap: could not search LDAP server" errors and on the Solaris machines "Mesg: openConnection: failed to initialize TLS security" and "libsldap: Status: 7 Mesg: Session error no available conn."
Using "ldapsearch -x -ZZ" from the clients is successful to both systems, and I can use "openssl s_client" to view the certs fine. Another bizarre occurrence is that when I do "getent passwd" I see the local and LDAP users, but "getent passwd ldap_user" returns nothing. Again, these are against the Solaris 10 06/06 machine.
Has anyone seen this before? I'm going to open a service request with Sun on this, but I wanted to see if anyone else has run into it.

There was a problem with the certificate db which was causing this.

Similar Messages

  • OpenSSL SSL/TLS Man-In-The-Middle Injection Attack CVE-2014-0224

    Can someone help me fix the OpenSSL issue CVE-2014-0224 on Windows Server 2008 R2? Please advise.

    Hi,
    From the description on Open SSL site, it is fixed in newer versions so could you update to the new version?
    https://www.openssl.org/news/vulnerabilities.html
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    CVE-2014-0224: 5th June 2014
    An attacker can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. (original advisory).
    Reported by KIKUCHI Masashi (Lepidum Co. Ltd.).
    Fixed in OpenSSL 1.0.1h (Affected 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1)
    Fixed in OpenSSL 1.0.0m (Affected 1.0.0l, 1.0.0k, 1.0.0j, 1.0.0i, 1.0.0g, 1.0.0f, 1.0.0e, 1.0.0d, 1.0.0c, 1.0.0b, 1.0.0a, 1.0.0)
    Fixed in OpenSSL 0.9.8za (Affected 0.9.8y, 0.9.8x, 0.9.8w, 0.9.8v, 0.9.8u, 0.9.8t, 0.9.8s, 0.9.8r, 0.9.8q, 0.9.8p, 0.9.8o, 0.9.8n, 0.9.8m, 0.9.8l, 0.9.8k, 0.9.8j, 0.9.8i, 0.9.8h, 0.9.8g, 0.9.8f, 0.9.8e, 0.9.8d, 0.9.8c, 0.9.8b, 0.9.8a, 0.9.8)
    If you have any feedback on our support, please send to [email protected]

  • Transport error 202 bind failed address already in use

    How to rectify "transport error 202 bind failed address already in use" while running the CA server?
    I have created a new production and pub server. First I ran the production server, and after that, while running the CA server, I got that error. If I run the CA server independently it's running.

    It seems like a port conflict issue. You should check rmi and other ports in the configuration file for the component /atg/dynamo/Configuration in the localconfig of your production and publishing servers directories under <ATG>\home\servers. Also, your app server should be configured to run two separate instances for production and publishing server as per the http ports specified in /atg/dynamo/Configuration.

  • ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

    Hello, I'm stuck with this problem for 3 weeks now.
    I'm not able to configure the EAP-TLS authentication.
    In the "Certificate Store" of the ISE server I have installed the Root, policy and the Issuing certificates as "trust for client authentication", and in the Local store I have a certificate issued by the same issuing authority which signs the client ones.
    The ISE's certificate has been issued with the "server Authentication certificate" template.
    The clients have installed the certificates and also the certificate chain.
    When I try to authenticate the wireless clients I always get the same error: "Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
    and "OpenSSLErrorMessage=SSL alert
    code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
    I don't know what else I can do.
    Thank you
    Jorge

    Hi Rik,
    Below are the certificate details.
    ISE Certificate signed by XX-CA-PROC-06
    User PKI signed by XX-CA-OTHER-08
    In the ISE certificate store I have the below certificates:
    XX-CA-OTHER-08 signed by XX-CA-ROOT-04
    XX-CA-PROC-06 signed by XX-CA-ROOT-04
    XX-CA-ROOT-04 signed by XX-CA-ROOT-04
    ISE certificate signed by XX-CA-PROC-06
    I have enabled 'Trust for client authentication' on all three certificates.
    This is unchecked: 'Enable Validation of Certificate Extensions (accept only valid certificate)'.
    When I check the certificates of the current user on the client PC, this is how it shows:
    XX-CA-ROOT-04 is listed in Trusted root Certification Authority
    and XX-CA-PROC-06 and XX-CA-OTHER-08 are in Intermediate Certificate Authorities

  • 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

    Hi guys,
    I have the root CA and intermediate CA in the ISE local certificate store, trusted for client authentication.
    I have imported both the root CA and the client certificate in the device I want to authenticate, but ISE keeps spitting out this error:
    12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

    Refer to the link below for troubleshooting; the issue is covered on page 22: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

  • EAP-TLS error .........failed SSL/TLS handshake because of an unknown CA in client certificate chain

    Hi,
    I am using 802.1x and EAP-TLS as the authentication protocol. The clients are not able to pass the authentication; the error log on ACS is
    Authentication failed: EAP-TLS handshake failed SSL/TLS handshake because of an unknown CA in the client certification chain.
    I have installed certificates on the WLC and ACS, however authentication is unsuccessful.
    Can anybody help regarding this issue?

    Hi Sandeep,
    The web auth certificate is the default certificate on the WLC, but you can also use your own (3rd party).
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html
    Virtual interface: this interface handles any mobility management, VPN termination, web authentication, and is also a DHCP relay for WLAN clients.
    Yes, it's interconnected; the purpose of this entry is so that the controller knows the name of the certificate for the virtual address translation.
    1. Guest client goes to google.com
    2. Client goes to DNS (the one it is assigned in DHCP)
    3. DNS resolves the DNS for google.com
    4. Client then attempts to go to google.com
    5. Controller intercepts the GET and replaces it with 1.1.1.1
    6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negate the (accept this cert screen)
    7. DNS then gets resolved to the name (example guest.xxx.com)
    8. Controller presents the guest screen
    Hope it helps.
    Regards
    Don't forget to rate helpful posts
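The three EAP-TLS threads above all end in the same verdict, "unknown CA in the client certificate chain", and the ISE post shows the OpenSSL detail behind it, "self-signed certificate in chain". The script below is an added example, not code from any of the posts or from Cisco: it builds a throwaway root -> issuing CA -> user certificate chain with the openssl CLI (the CA names are borrowed from the ISE post, the user name and all keys are constructed here) and then uses openssl verify to stand in for the authentication server's trust decision. That is an approximation of what ISE or ACS do, not their code, and it assumes OpenSSL 1.1.0 or later for the -no-CAfile/-no-CApath options.

```shell
#!/bin/sh
# Added example (not from this thread): reproduce the three chain-validation
# outcomes an EAP-TLS server can reach for a client certificate, using a
# constructed three-level PKI. Requires the openssl CLI (1.1.0 or later).

# build_demo_chain DIR: writes root.pem, issuing.pem, user.pem (+ keys) into DIR.
build_demo_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/user.ext"

    # Self-signed root, named after XX-CA-ROOT-04 in the ISE post
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=XX-CA-ROOT-04' \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Issuing (intermediate) CA signed by the root, named after XX-CA-OTHER-08
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=XX-CA-OTHER-08' \
        -keyout "$dir/issuing.key" -out "$dir/issuing.csr" 2>/dev/null
    openssl x509 -req -in "$dir/issuing.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/issuing.pem" 2>/dev/null

    # End-entity client certificate (user1 is a made-up name) signed by the issuing CA
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=user1' \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/issuing.pem" -CAkey "$dir/issuing.key" \
        -CAcreateserial -days 1 -extfile "$dir/user.ext" -out "$dir/user.pem" 2>/dev/null
}

# verify_client_cert TRUSTED SENT LEAF
#   TRUSTED = PEM file the authentication server trusts ("" = nothing from this PKI)
#   SENT    = PEM file of extra certificates the client sent with its own ("" = none)
#   LEAF    = the client certificate itself
# Returns openssl verify's status: 0 = chain accepted, non-zero = handshake would fail.
verify_client_cert() {
    trusted=$1; sent=$2; leaf=$3
    # Start from an empty trust store so that only TRUSTED counts, the way an
    # appliance with its own certificate store behaves.
    set -- -no-CAfile -no-CApath
    if [ -n "$trusted" ]; then set -- "$@" -CAfile "$trusted"; fi
    if [ -n "$sent" ]; then set -- "$@" -untrusted "$sent"; fi
    openssl verify "$@" "$leaf"
}

# demo_chain: the three situations from the threads, on the constructed PKI.
demo_chain() {
    dir=$(mktemp -d)
    build_demo_chain "$dir"
    cat "$dir/issuing.pem" "$dir/root.pem" > "$dir/sent_with_root.pem"

    echo "1. server trusts the root, client sends its issuing CA along:"
    verify_client_cert "$dir/root.pem" "$dir/issuing.pem" "$dir/user.pem"
    echo "2. server trusts the root, client sends only its own cert (unable to get local issuer):"
    verify_client_cert "$dir/root.pem" "" "$dir/user.pem"
    echo "3. server trusts nothing from this PKI, client sends the whole chain (self-signed certificate in chain):"
    verify_client_cert "" "$dir/sent_with_root.pem" "$dir/user.pem"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo_chain
fi
```

Run it as `sh eap_chain_demo.sh demo`. Case 1 is the working setup. Case 2 is what the server sees when the supplicant sends only its own certificate and the server has no copy of the issuing CA; the fix is on the server side (import the intermediate into the trust store) or on the client side (send the intermediate with the certificate). Case 3 is a server that has nothing from this PKI marked as trusted, which produces the "self-signed certificate in chain" text quoted in the ISE post: the chain is complete, but the root at the top of it is not one the server trusts.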

  • Native Solaris 10 with DSEE 6.3.1 (or JSDS) with SSL (tls:simple)

    Hello There,
    I need some help from DSEE or LDAP experts.
    I am trying to configure DSEE 6.3.1 to use SSL(tls:simple).
    I have the simple (non-SSL) method working just fine, and
    also the ldapsearch command works fine with the simple and SSL methods. So I know my certs are good, but I just can not make the ldap client work.
    I followed this document: http://brandonhutchinson.com/wiki/Soup_To_Nuts_Sun_DSEE#Solaris_10_instructions
    I am using
    ldapclient -v init -a profileName=profile3 -a certificatePath=/var/ldap -a domainName=mydomain.com -a proxyDN="cn=proxyagent,ou=profile,dc=mydomain,dc=com" -a proxyPassword=XXXXX ldap200.mydomain.com
    Here is the output
    Parsing profileName=profile3
    Parsing certificatePath=/var/ldap
    Parsing domainName=mydomain.com
    Parsing proxyDN=cn=proxyagent,ou=profile,dc=mydomain,dc=com
    Parsing proxyPassword=xxxxx
    Arguments parsed:
    domainName: mydomain.com
    proxyDN: cn=proxyagent,ou=profile,dc=mydomain,dc=com
    profileName: profile3
    proxyPassword: xxxxx
    defaultServerList: ldap200.mydomain.com
    certificatePath: /var/ldap
    Handling init option
    About to configure machine by downloading a profile
    findBaseDN: begins
    findBaseDN: ldap not running
    findBaseDN: calling __ns_ldap_default_config()
    found 1 namingcontexts
    findBaseDN: __ns_ldap_list(NULL, "(&(objectclass=nisDomainObject)(nisdomain=mydomain.com))"
    rootDN[0] dc=mydomain,dc=com
    found baseDN dc=mydomain,dc=com for domain mydomain.com
    Proxy DN: cn=proxyagent,ou=profile,dc=mydomain,dc=com
    Proxy password: {NS1}67eb0f447bc0f619
    Credential level: 1
    Authentication method: 3
    About to modify this machines configuration by writing the files
    Stopping network services
    sendmail not running
    nscd not running
    autofs not running
    ldap not running
    nisd not running
    nis(yp) not running
    file_backup: stat(/etc/nsswitch.conf)=0
    file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
    file_backup: stat(/etc/defaultdomain)=0
    file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
    file_backup: stat(/var/nis/NIS_COLD_START)=-1
    file_backup: No /var/nis/NIS_COLD_START file.
    file_backup: nis domain is "mydomain.com"
    file_backup: stat(/var/yp/binding/mydomain.com)=-1
    file_backup: No /var/yp/binding/mydomain.com directory.
    file_backup: stat(/var/ldap/ldap_client_file)=-1
    file_backup: No /var/ldap/ldap_client_file file.
    Starting network services
    start: /usr/bin/domainname mydomain.com... success
    start: sleep 100000 microseconds
    start: sleep 200000 microseconds
    start: network/ldap/client:default... success
    restart: sleep 100000 microseconds
    restart: sleep 200000 microseconds
    restart: milestone/name-services:default... success
    System successfully configured
    When I run
    it takes a long time and then
    ldaplist: Object not found (Session error no available conn.)
    The command logins also take a long time and do not show any LDAP users.
    Here is the output from cachemgr.log on the client:
    Tue Jul 14 12:16:07.8984 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
    Tue Jul 14 12:16:07.9391 sig_ok_to_exit(): parent exiting...
    Tue Jul 14 12:16:17.9511 getldap_set_refresh_ttl:(6) refresh ttl is 300 seconds
    Tue Jul 14 12:16:38.0741 getldap_set_refresh_ttl:(6) refresh ttl is 150 seconds
    Tue Jul 14 12:16:38.0755 Error: Unable to refresh profile:profile3:Session error no available conn.
    Tue Jul 14 12:16:38.0756 Error: Unable to update from profile
    Here is the output from /var/adm/messages:
    Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
    Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 292100 daemon.warning] libsldap: could not remove 192.168.190.146 from servers list
    Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no available conn.
    Jul 14 12:16:38 ldap300 ldap_cachemgr[19726]: [ID 186574 daemon.error] Error: Unable to refresh profile:profile3: Session error no available conn.
    Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 293258 daemon.warning] libsldap: Status: 81 Mesg: openConnection: simple bind failed - Can't contact LDAP server
    Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 292100 daemon.warning] libsldap: could not remove 192.168.190.146 from servers list
    Jul 14 12:16:38 ldap300 /usr/lib/nfs/nfsmapid[19731]: [ID 293258 daemon.warning] libsldap: Status: 7 Mesg: Session error no avaible conn.
    ANY HELP IS GREATLY APPRECIATED
    THANKS
    Edited by: PranavPatel on Jul 14, 2009 12:41 PM
    Edited by: PranavPatel on Jul 14, 2009 12:46 PM

    Here is the profile from the server
    Non-editable attributes
    dn: cn=profile3,ou=profile,dc=mydomain,dc=com
    authenticationmethod: tls:simple
    bindtimelimit: 10
    cn: profile3
    credentiallevel: proxy
    defaultsearchbase: dc=mydomain,dc=com
    defaultsearchscope: one
    defaultserverlist: 192.168.190.146 192.168.11.221
    followreferrals: FALSE
    objectclass: top
    objectclass: DUAConfigProfile
    profilettl: 43200
    searchtimelimit: 30
    serviceauthenticationmethod: passwd-cmd:tls:simple
    serviceauthenticationmethod: keyserv:tls:simple
    serviceauthenticationmethod: pam_ldap:tls:simple
    Editable attributes:
    createtimestamp: 20090714180638Z
    creatorsname: cn=directory manager
    entrydn: cn=profile3,ou=profile,dc=mydomain,dc=com
    entryid: 26
    hassubordinates: FALSE
    modifiersname: cn=directory manager
    modifytimestamp: 20090714180638Z
    nsuniqueid: f37fa281-70a011de-80b5f403-069e0ba9
    numsubordinates: 0
    parentid: 13
    subschemasubentry: cn=schema
    And here is the output of
    # ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=mydomain,dc=com
    NS_LDAP_BINDPASSWD= {NS1}67eb0f447bc0f619
    NS_LDAP_SERVERS= 192.168.190.146, 192.168.11.221
    NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= profile3
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_BIND_TIME= 10
    NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:tls:simple
    NS_LDAP_SERVICE_AUTH_METHOD= keyserv:tls:simple
    NS_LDAP_SERVICE_AUTH_METHOD= passwd-cmd:tls:simple
    NS_LDAP_HOST_CERTPATH= /var/ldap
    Edited by: PranavPatel on Jul 14, 2009 1:08 PM
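Both the opening post (where the root cause turned out to be the client's certificate db) and the tls:simple profile above fail in the same place: the client never gets a TLS session up, even though ldapsearch and openssl s_client look fine from the same box. The script below is an added example, not code from any of the posts or from Sun, that lints a saved `ldapclient list` dump for the two things worth checking first on a Solaris 10 client: that the NSS certificate database libsldap reads from NS_LDAP_HOST_CERTPATH (cert8.db and key3.db) is present and non-empty, and that the servers are listed by the name that appears in their certificate rather than by IP address, as profile3 does. The sample dump inside it is constructed, and the optional second argument of lint_ldap_client (an alternative certificate directory) is this script's own convention.

```shell
#!/bin/sh
# Added example (not from this thread): lint an "ldapclient list" dump for the
# TLS pitfalls discussed above. Assumes a Solaris 10 client, whose libsldap
# reads its CA certificate from an NSS database (cert8.db + key3.db) in
# NS_LDAP_HOST_CERTPATH, and a TLS name check that compares the name the
# client connected to with the server certificate.

# lint_ldap_client FILE [CERTDIR]
#   FILE    = saved output of "ldapclient list"
#   CERTDIR = optional override for NS_LDAP_HOST_CERTPATH (useful when the dump
#             was taken on another host); this argument is this script's own idea
# Prints one "FINDING:" line per problem; returns 0 only when nothing was found.
lint_ldap_client() {
    cfg=$1
    findings=0

    # ldapclient prints "KEY= value"; split on "=" plus any following spaces
    auth=$(awk -F'= *' '$1 == "NS_LDAP_AUTH" { print $2 }' "$cfg")
    certpath=$(awk -F'= *' '$1 == "NS_LDAP_HOST_CERTPATH" { print $2 }' "$cfg")
    servers=$(awk -F'= *' '$1 == "NS_LDAP_SERVERS" { print $2 }' "$cfg" | tr ',' ' ')
    if [ -n "$2" ]; then certpath=$2; fi

    case $auth in
        tls:*) ;;   # tls:simple and friends: the checks below apply
        *) echo "NS_LDAP_AUTH is '$auth' (no TLS); nothing to check"; return 0 ;;
    esac

    # 1. The NSS certificate database must exist and be non-empty. The opening
    #    post's "failed to initialize TLS security" was a bad certificate db.
    if [ -z "$certpath" ]; then
        echo "FINDING: NS_LDAP_HOST_CERTPATH is not set"
        findings=$((findings + 1))
    else
        for f in cert8.db key3.db; do
            if [ ! -s "$certpath/$f" ]; then
                echo "FINDING: $certpath/$f is missing or empty"
                findings=$((findings + 1))
            fi
        done
    fi

    # 2. Servers listed as bare IP addresses. TLS compares the name the client
    #    connected to against the certificate, so an IP only matches a
    #    certificate that was issued to that IP.
    for s in $servers; do
        case $s in
            *[!0-9.]*) ;;   # contains letters or other characters: a hostname
            *) echo "FINDING: server '$s' is an IP address, not the name in the server certificate"
               findings=$((findings + 1)) ;;
        esac
    done

    [ "$findings" -eq 0 ]
}

# demo_lint: run the linter on a constructed dump that mirrors profile3 above,
# with an empty directory standing in for a missing certificate database.
demo_lint() {
    tmp=$(mktemp -d)
    cat > "$tmp/ldapclient.txt" <<'EOF'
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 192.168.190.146, 192.168.11.221
NS_LDAP_AUTH= tls:simple
NS_LDAP_HOST_CERTPATH= /var/ldap
EOF
    mkdir "$tmp/emptydb"
    lint_ldap_client "$tmp/ldapclient.txt" "$tmp/emptydb"
    echo "exit status: $?"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo_lint
fi
```

On a real client, `ldapclient list > /tmp/lc.txt` and then `. ./lint_ldap_client.sh; lint_ldap_client /tmp/lc.txt`; `sh lint_ldap_client.sh demo` runs it on the constructed sample and reports four findings. When the database is present but the bind still fails, NSS's `certutil -L -d /var/ldap` shows which certificates it actually holds, which is the check that would have found the opening post's problem directly.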

  • How Redirect browser(client) based on non-negotiable SSL/TLS protocol or cipher

    Hi guys,
    We have a security requirement wherein we have to force the browsers accessing our ASP.NET application hosted on Windows Server 2012 to have at least TLS 1.1, but we don't want to simply block the request; instead we would like to redirect the request
    to an unsecured static HTML page with instructions on how to get them onto TLS.
    Can anyone help me here? Actually I found a similar, in fact exactly the same, thread on stackoverflow, but I think that is probably directed towards the Linux family. http://serverfault.com/questions/591188/redirect-browser-based-on-non-negotiable-ssl-tls-protocol-or-cipher
    Please help me guys.
    PS: I have posted the same question on the IIS forum (http://forums.iis.net/t/1223352.aspx?How+Redirect+browser+client+based+on+non+negotiable+SSL+TLS+protocol+or+cipher+from+IIS)
    and got a reply saying that it can (possibly) be done at the Windows kernel level.

    Hi,
    As far as I know, once SSL handshake fails, no subsequent communication would occur between the server and client.
    Therefore, as the way I see it, the goal cannot be achieved.
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]

  • Solaris 8, pam_ldap and SSL/TLS

    Has anyone got experience of compiling and installing pam_ldap (padl version) with SSL/TLS support on Solaris 8? I tried compiling pam_ldap with the Netscape LDAP SDK, but it failed to compile ldap_ssl.h. So I am wondering... is that something I can do on Solaris 8? (I am using iDS 5.1)
    Error received on compilation:
    # ./configure --with-ldap-lib=netscape5 --with-ldap-dir=/ldapsdk
    loading cache ../config.cache
    checking host system type... sparc-sun-solaris2.8
    checking target system type... sparc-sun-solaris2.8
    checking build system type... sparc-sun-solaris2.8
    checking for a BSD compatible install... ../install-sh -c
    checking whether build environment is sane... yes
    checking for mawk... no
    checking for gawk... no
    checking for nawk... nawk
    checking whether make sets ${MAKE}... yes
    checking for working aclocal... missing
    checking for working autoconf... found
    checking for working automake... missing
    checking for working autoheader... found
    checking for working makeinfo... missing
    checking for gnutar... no
    checking for gtar... no
    checking for tar... tar
    checking for gcc... gcc
    checking whether the C compiler (gcc ) works... yes
    checking whether the C compiler (gcc ) is a cross-compiler... no
    checking whether we are using GNU C... yes
    checking whether gcc accepts -g... yes
    checking how to run the C preprocessor... gcc -E
    checking for a BSD compatible install... ../install-sh -c
    checking for security/pam_appl.h... yes
    checking for security/pam_misc.h... no
    checking for security/pam_modules.h... yes
    checking for pam/pam_appl.h... no
    checking for pam/pam_misc.h... no
    checking for pam/pam_modules.h... no
    checking for des.h... no
    checking for crypt.h... yes
    checking for lber.h... yes
    checking for ldap.h... yes
    checking for ldap_ssl.h... yes
    checking for main in -ldl... yes
    checking for main in -lpam... yes
    checking for main in -lresolv... yes
    checking for main in -lcrypt... yes
    checking for main in -lnsl... yes
    checking for gethostbyname... yes
    checking for main in -lldap50... yes
    checking for main in -lpthread... yes
    checking for ldap_init... yes
    checking for ldap_get_lderrno... yes
    checking for ldap_set_lderrno... yes
    checking for ldap_parse_result... yes
    checking for ldap_memfree... yes
    checking for ldap_controls_free... yes
    checking for ldap_set_option... yes
    checking for ldap_get_option... yes
    checking for ldapssl_init... yes
    checking for ldap_start_tls_s... no
    checking for ldap_pvt_tls_set_option... no
    checking for ldap_initialize... no
    checking for gethostbyname_r... yes
    checking whether gethostbyname_r takes 6 arguments... 5
    checking for ldap_set_rebind_proc... yes
    checking whether ldap_set_rebind_proc takes 3 arguments... 3
    updating cache ../config.cache
    creating ./config.status
    creating Makefile
    creating config.h
    # make
    cd . && /padl/pam_ldap-161/missing aclocal
    WARNING: `aclocal' is missing on your system. You should only need it if
    you modified `acinclude.m4' or `configure.in'. You might want
    to install the `Automake' and `Perl' packages. Grab them from
    any GNU archive site.
    cd . && /padl/pam_ldap-161/missing automake --gnu Makefile
    WARNING: `automake' is missing on your system. You should only need it if
    you modified `Makefile.am', `acinclude.m4' or `configure.in'.
    You might want to install the `Automake' and `Perl' packages.
    Grab them from any GNU archive site.
    cd . && autoconf
    /bin/sh ../config.status --recheck
    running /bin/sh ./configure --with-ldap-lib=netscape5 --with-ldap-dir=/ldapsdk --no-create --no-recursion
    checking build system type... sparc-sun-solaris2.8
    checking host system type... sparc-sun-solaris2.8
    checking target system type... sparc-sun-solaris2.8
    checking for a BSD-compatible install... ../install-sh -c
    checking whether build environment is sane... yes
    checking for gawk... no
    checking for mawk... no
    checking for nawk... nawk
    checking whether make sets $(MAKE)... yes
    checking for working aclocal... missing
    checking for working autoconf... found
    checking for working automake... missing
    checking for working autoheader... found
    checking for working makeinfo... missing
    checking for gnutar... no
    checking for gtar... no
    checking for tar... tar
    checking for gcc... gcc
    checking for C compiler default output... a.out
    checking whether the C compiler works... yes
    checking whether we are cross compiling... no
    checking for suffix of executables...
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether gcc accepts -g... yes
    checking for gcc option to accept ANSI C... none needed
    checking how to run the C preprocessor... gcc -E
    checking for a BSD-compatible install... ../install-sh -c
    checking for egrep... egrep
    checking for ANSI C header files... yes
    checking for sys/types.h... yes
    checking for sys/stat.h... yes
    checking for stdlib.h... yes
    checking for string.h... yes
    checking for memory.h... yes
    checking for strings.h... yes
    checking for inttypes.h... yes
    checking for stdint.h... no
    checking for unistd.h... yes
    checking security/pam_appl.h usability... yes
    checking security/pam_appl.h presence... yes
    checking for security/pam_appl.h... yes
    checking security/pam_misc.h usability... no
    checking security/pam_misc.h presence... no
    checking for security/pam_misc.h... no
    checking security/pam_modules.h usability... no
    checking security/pam_modules.h presence... yes
    configure: WARNING: security/pam_modules.h: present but cannot be compiled
    configure: WARNING: security/pam_modules.h: check for missing prerequisite headers?
    configure: WARNING: security/pam_modules.h: proceeding with the preprocessor's result
    configure: WARNING: ## ------------------------------------ ##
    configure: WARNING: ## Report this to [email protected]. ##
    configure: WARNING: ## ------------------------------------ ##
    checking for security/pam_modules.h... yes
    checking pam/pam_appl.h usability... no
    checking pam/pam_appl.h presence... no
    checking for pam/pam_appl.h... no
    checking pam/pam_misc.h usability... no
    checking pam/pam_misc.h presence... no
    checking for pam/pam_misc.h... no
    checking pam/pam_modules.h usability... no
    checking pam/pam_modules.h presence... no
    checking for pam/pam_modules.h... no
    checking des.h usability... no
    checking des.h presence... no
    checking for des.h... no
    checking crypt.h usability... yes
    checking crypt.h presence... yes
    checking for crypt.h... yes
    checking lber.h usability... yes
    checking lber.h presence... yes
    checking for lber.h... yes
    checking ldap.h usability... yes
    checking ldap.h presence... yes
    checking for ldap.h... yes
    checking ldap_ssl.h usability... no
    checking ldap_ssl.h presence... yes
    configure: WARNING: ldap_ssl.h: present but cannot be compiled
    configure: WARNING: ldap_ssl.h: check for missing prerequisite headers?
    configure: WARNING: ldap_ssl.h: proceeding with the preprocessor's result
    configure: WARNING: ## ------------------------------------ ##
    configure: WARNING: ## Report this to [email protected]. ##
    configure: WARNING: ## ------------------------------------ ##
    checking for ldap_ssl.h... yes
    checking for main in -ldl... yes
    checking for main in -lpam... yes
    checking for main in -lresolv... yes
    checking for main in -lcrypt... yes
    checking for main in -lnsl... yes
    checking for gethostbyname... yes
    checking for main in -lldap50... yes
    checking for main in -lpthread... yes
    checking for ldap_init... yes
    checking for ldap_get_lderrno... yes
    checking for ldap_set_lderrno... yes
    checking for ldap_parse_result... yes
    checking for ldap_memfree... yes
    checking for ldap_controls_free... yes
    checking for ldap_set_option... yes
    checking for ldap_get_option... yes
    checking for ldapssl_init... yes
    checking for ldap_start_tls_s... no
    checking for ldap_pvt_tls_set_option... no
    checking for ldap_initialize... no
    checking for gethostbyname_r... yes
    checking whether gethostbyname_r takes 6 arguments... 5
    checking for ldap_set_rebind_proc... yes
    checking whether ldap_set_rebind_proc takes 3 arguments... 3
    configure: creating ../config.status
    cd . \
    && CONFIG_FILES=Makefile CONFIG_HEADERS= /bin/sh ./config.status
    config.status: creating Makefile
    config.status: executing default-1 commands
    gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o pam_ldap.o pam_ldap.c
    gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o md5.o md5.c
    /usr/ccs/bin/ld -o pam_ldap.so -B dynamic -M ../exports.solaris -G -B group -lc -L/ldapsdk/lib -R/ldapsdk/lib pam_ldap.o md5.o -lpthread -lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 -lnsl -lcrypt -lresolv -lpam -ldl
    cd . && autoheader
    WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
    WARNING: and `config.h.top', to define templates for `config.h.in'
    WARNING: is deprecated and discouraged.
    WARNING: Using the third argument of `AC_DEFINE' and
    WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
    WARNING: `acconfig.h':
    WARNING: AC_DEFINE([NEED_MAIN], 1,
    WARNING: [Define if a function `main' is needed.])
    WARNING: More sophisticated templates can also be produced, see the
    WARNING: documentation.
    cd . \
    && CONFIG_FILES= CONFIG_HEADERS=config.h \
    /bin/bash ../config.status
    config.status: creating config.h
    config.status: executing default-1 commands

    configure: WARNING: ## Report this to [email protected]. ##
    configure: WARNING: ## ------------------------------------ ##
    checking for ldap_ssl.h... yes
    checking for main in -ldl... yes
    checking for main in -lpam... yes
    checking for main in -lresolv... yes
    checking for main in -lcrypt... yes
    checking for main in -lnsl... yes
    checking for gethostbyname... yes
    checking for main in -lldap50... yes
    checking for main in -lpthread... yes
    checking for ldap_init... yes
    checking for ldap_get_lderrno... yes
    checking for ldap_set_lderrno... yes
    checking for ldap_parse_result... yes
    checking for ldap_memfree... yes
    checking for ldap_controls_free... yes
    checking for ldap_set_option... yes
    checking for ldap_get_option... yes
    checking for ldapssl_init... yes
    checking for ldap_start_tls_s... no
    checking for ldap_pvt_tls_set_option... no
    checking for ldap_initialize... no
    checking for gethostbyname_r... yes
    checking whether gethostbyname_r takes 6 arguments... 5
    checking for ldap_set_rebind_proc... yes
    checking whether ldap_set_rebind_proc takes 3 arguments... 3
    configure: creating ../config.status
    cd . \
    && CONFIG_FILES=Makefile CONFIG_HEADERS= /bin/sh ./config.status
    config.status: creating Makefile
    config.status: executing default-1 commands
    gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o pam_ldap.o pam_ldap.c
    gcc -DHAVE_CONFIG_H -DLDAP_REFERRALS -D_REENTRANT -I/ldapsdk/include -g -O2 -Wall -fPIC -c -o md5.o md5.c
    /usr/ccs/bin/ld -o pam_ldap.so -B dynamic -M ../exports.solaris -G -B group -lc -L/ldapsdk/lib -R/ldapsdk/lib pam_ldap.o md5.o -lpthread -lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 -lnsl -lcrypt -lresolv -lpam -ldl
    cd . && autoheader
    WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
    WARNING: and `config.h.top', to define templates for `config.h.in'
    WARNING: is deprecated and discouraged.
    WARNING: Using the third argument of `AC_DEFINE' and
    WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
    WARNING: `acconfig.h':
    WARNING: AC_DEFINE([NEED_MAIN], 1,
    WARNING: [Define if a function `main' is needed.])
    WARNING: More sophisticated templates can also be produced, see the
    WARNING: documentation.
    cd . \
    && CONFIG_FILES= CONFIG_HEADERS=config.h \
    /bin/bash ../config.status
    config.status: creating config.h
    config.status: executing default-1 commands

  • Solaris 10 DS5.2Q4 with SSL/TLS with Replication

    I have been working on configuring DS5.2Q4 on Solaris 10 11/06. I have been successful with Gary Tay's documentation (a few changes for new syntax and svcs). My current configuration only has one ldap server and using self signed certs.
    I would now like to move to the next step of maintaining my ssl/tls but adding another master with replication.
    Here are a couple of my questions.
    1) How do I configure my clients to work with both replication master servers? I am a little confused since the certs in my client are assigned to only one of my masters. Do both masters need the same cert, or is there a way to allow for both certs to be located on the client (/var/ldap)?
    2) Enable secure replication. I have not looked too deep into this yet, but that is my plan.
    As a final note, I would like to thank Gary Tay for all of his feedback and documentation. I find that Sun often lacks step by step procedures for tasks such as this. Thanks!

  • How Redirect browser(client) based on non-negotiable SSL/TLS protocol

    Hi guys,
    we have a security requirement wherein we are required to force the browsers accessing our application to have at least TLS 1.1, but we don't want to simply block the request; instead we would like to redirect the request to an unsecured static HTML page with the instructions on how to get them onto TLS.
    can any one help me here? actually i found a similar and exactly the same thread on stackoverflow but i think that is probably directed towards the linux family: http://serverfault.com/questions/591188/redirect-browser-based-on-non-negotiable-ssl-tls-protocol-or-cipher
    ps: i have posted the same question on the IIS forum (http://forums.iis.net/t/1223352.aspx?How+Redirect+browser+client+based+on+non+negotiable+SSL+TLS+protocol+or+cipher+from+IIS) and got a reply saying that it can be done at the windows kernel level (possibly by making use of http.sys, ksecdd.sys and schannel).
    can any one help me here guys.
    Thanks,
    Haroon 

    Hi,
    As far as I know, once SSL handshake fails, no subsequent communication would occur between the server and client.
    Therefore, as the way I see it, the goal cannot be achieved.
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]

  • WSUS Sync is not working Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --- System.Security.Authentication.AuthenticationException: The remote

    I know there are loads of posts with the same issue and most of them were related to proxy and connectivity.
    This was case for me as well (few months back). Now the same error is back. But I've confirmed that FW ports and proxy are fine this time around.
    server is configured on http port 80 
    ERROR
    Sync failed: UssCommunicationError: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.~~at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request). Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WSyncAction.WSyncAction.SyncWSUS
    I've checked proxy server connectivity. I'm able to browse the following site from the WSUS server:
    http://catalog.update.microsoft.com/v7/site/Home.aspx?sku=wsus&version=3.2.7600.226&protocol=1.8
    I did telnet to the proxy server on the particular port (8080) and that is also fine.
    I have a doubt about certificates; any idea which certificates we need to look at? And if a certificate is expired then (my guess) we won't be able to open the above mentioned Windows Update catalog site?
    Any tips appreciated!
    Anoop C Nair (My Blog www.AnoopCNair.com)
    - Twitter @anoopmannur -
    FaceBook Forum For SCCM

    Hi Lawrence! Many thanks for looking into this thread and replying. Appreciate your help.
    Your reply ("SSL is enabled/configured, and the certificate being used is invalid (or the cert does not exist or cannot be obtained), or the SSL connection could not be established.") is very helpful.
    I've already tested CONTENT DOWNLOAD and it's working fine. WSUS Sync was also working fine for years with the proxy server configured on port 8080 and the WSUS server on port 80.
    My guess (this is my best guess ;)) is this is something to do with firewall or proxy side configuration rather than WSUS. However, I'm not finding a way to prove this to the proxy/firewall team. From their perspective all the required port communication is open and the proxy server is also reachable. Moreover we're able to access the internet (Microsoft Update Catalog site) over the same port (8080).
    Any other hints where I can prove to them it's a sure shot problem from their side?
    Thanks again !!
    Anoop C Nair (My Blog www.AnoopCNair.com)
    - Twitter @anoopmannur -
    FaceBook Forum For SCCM

  • Set-IRMConfiguration failed with error "Cou ld not establish trust relationship for the SSL/TLS secure channel."

    Hi, experts
    I'm trying to configure a lab environment according to the tutorial http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/rights-management-server-exchange-2010-part3.html
    After completing the configuration, I execute the cmdlet Set-IRMConfiguration -InternalLicensingEnabled $true, but get the error
    The remote certificate is invalid according to the validation procedure. ---> The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> Failed to get Server Info from https://exhv-6594/_wmcs/certification/server.asmx.
        + CategoryInfo          : InvalidOperation: (:) [Set-IRMConfiguration], Exception
        + FullyQualifiedErrorId : C810E449,Microsoft.Exchange.Management.RightsManagement.SetIRMConfiguration
    Then I run the cmdlet Test-IRMConfiguration -Sender [email protected] and get the error
    Results : Checking Exchange Server ...
                  - PASS: Exchange Server is running in Enterprise.
              Loading IRM configuration ...
                  - PASS: IRM configuration loaded successfully.
              Retrieving RMS Certification Uri ...
                  - PASS: RMS Certification Uri: https://server1/_wmcs/certification.
              Verifying RMS version for https://server1/_wmcs/certification ...
                  - WARNING: Failed to verify RMS version. IRM features require AD RMS on Windows Server 2008 SP2 with the hotfixes specified in Knowledge Base article 973247 (http://go.microsoft.com/fwlink/?linkid=3052&kbid=973247) or AD RMS on Windows Server 2008 R2.
              Microsoft.Exchange.Security.RightsManagement.RightsManagementException: Failed to get Server Info from https://server1/_wmcs/certification/server.asmx. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
                 at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
                 at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
                 at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
                 at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
                 at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
                 at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
                 at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
                 at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
                 at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
                 at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
                 at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
                 at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
                 at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
                 at System.Net.ConnectStream.WriteHeaders(Boolean async)
                 --- End of inner exception stack trace ---
                 at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
                 at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
                 at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
                 at Microsoft.Exchange.Security.RightsManagement.SOAP.Server.ServerWS.GetServerInfo(ServerInfoRequest[] requests)
                 at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
                 --- End of inner exception stack trace ---
                 at Microsoft.Exchange.Security.RightsManagement.ServerWSManager.ValidateServiceVersion(String featureXPath
                 at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.ValidateRmsVersion(Uri uri, ServiceType serviceType)
                 at Microsoft.Exchange.Management.RightsManagement.IRMConfigurationValidator.TryGetRacAndClc()
              OVERALL RESULT: PASS with warnings on disabled features
    From the error message, this issue seems to be related to the SSL/TLS connection. So I went back to check the configuration and found a difference from the tutorial. The current SCP URL is https://server1/_wmcs/certification, but in the tutorial it is https://server1:433/_wmcs/certification.
    In my opinion, I don't think it is the real reason.
    So, how can I resolve this error? Could you give me some suggestions? Thanks in advance.
    System Info:
    Windows Server 2008 R2 + Exchange Server 2010 SP3 RTM

    Hi
    Please have a try with the solution on this KB article
    “Error message when you try to test access from the Microsoft Dynamics CRM E-mail Router: "Incoming Status: Failure - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"”
    http://support.microsoft.com/kb/954584/en-us
    Cheers
    Zi Feng
    TechNet Community Support

  • OD SSL (Client Binding Issues)

    Hi,
    I am having issues binding my client machines to my server. My OD has an SSL cert which is a standard UCC SSL; when I connect my clients it asks me if I want to trust the server, I say yes, then it finishes binding. I then look and see a red dot next to the OD name I just bound to; if I click on it, it says server not responding. If I uncheck SSL in the LDAP tab everything is perfect, but I would really like it if I could use SSL on my OD for extra protection. Anyone have any suggestions?

    Hmmm...still running into the same issue...do I need to give the cert reference text file certain permissions in order to work?
    I have followed the advice on afp548, and have a self-rolled CA with a self-assigned cert for the server, which is also the dns name of the server. I copied the CA hash and pointed to that instead of the self-signed cert hash, but still...no dice.
    -j

  • Simple bind failed: adserver:636 --  While connecting to AD from OIM

    Hi,
    I am using OIM 9102 BP 11.
    AD Connector version -- MSFT_AD_Base_91150
    App Serv -- Weblogic
    Database -- oracle 10g.
    I am trying to provision passwords from OIM to AD.
    The connector is working fine over non-SSL (389).
    I have exported the ROOT CA from the AD machine and imported it through the keytool import command into the OIM cert keystore.
    When I try to provision a user to AD over SSL (636), I am getting the below exception
    ERROR,01 Feb 2011 10:08:43,509,[OIMCP.ADCS],================= Start Stack Trace =======================
    ERROR,01 Feb 2011 10:08:43,509,[OIMCP.ADCS],com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks : createUser
    ERROR,01 Feb 2011 10:08:43,509,[OIMCP.ADCS],simple bind failed: adserver:636
    ERROR,01 Feb 2011 10:08:43,509,[OIMCP.ADCS],Description : simple bind failed: <hostname>:636
    ERROR,01 Feb 2011 10:08:43,509,[OIMCP.ADCS],com.thortech.xl.exception.ConnectionException: simple bind failed: adserver:636
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableAD(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcUtilADTasks.createUser(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADCSCREATEUSER.ADCREATEUSER(adpADCSCREATEUSER.java:224)
    at com.thortech.xl.adapterGlue.ScheduleItemEvents.adpADCSCREATEUSER.implementation(adpADCSCREATEUSER.java:91)
    at com.thortech.xl.client.events.tcBaseEvent.run(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.runEvent(Unknown Source)
    at com.thortech.xl.dataobj.tcScheduleItem.runMilestoneEvent(Unknown Source)
    at com.thortech.xl.dataobj.tcScheduleItem.eventPostInsert(Unknown Source)
    at com.thortech.xl.dataobj.tcDataObj.insert(Unknown Source)
    Can anybody please help me with this? I have been trying the same for 3 days but no luck.
    STEPS to generate the Certificate from AD:
    1. Installed the Certificate Authority from Add\Remove Windows Components.
    2. Generated a Certificate Request in IIS by accessing CertSrv.
    3. Issued the same certificate and imported that to the keystore of OIM server.
    The AD is not responding over SSL (636). When I try to access the AD machine through Explorer as
    https:<adhost>:636
    it's not prompting to import the certificate. Also I am not able to connect to AD from the LDAP browser.
    Request you to kindly help me on this ASAP.

    Start of UME Service Failed (http://help.sap.com/saphelp_nw04/helpdata/en/20/361941edd5ef23e10000000a155106/frameset.htm): check this, the same exception got resolved.
    One more thing: have you uploaded the LDAP server's certificate into the TrustedCAs of the keystore in Visual Admin on the WAS server? If you are using LDAP SSL, the connection to the server will expect a certificate; if you don't have the trust enabled you won't be able to connect.
    Thanks
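A client-side trust check for the bind failures in the OD thread and the OIM thread above, added here as an example (it is not code from either poster): it connects to the LDAPS port with full chain and hostname verification and maps the TLS error to the check to run next. The host, port and CA file are placeholders you supply; standard library only.

```python
"""Diagnose why a client bind fails at the TLS layer (added example, not
code from any poster above; standard library only). HOST, PORT and
CAFILE are placeholders for your own directory server and its CA."""
import socket
import ssl
import sys

# Substrings of the OpenSSL / Python ssl error text (lower-cased, hyphens
# replaced by spaces) mapped to a short code and the next check to run.
# Specific reasons come first; the generic "verify failed" is a fallback.
_REASONS = (
    ("unable to get local issuer certificate", "untrusted-issuer",
     "The client trust store lacks the CA that issued the server cert; "
     "import the issuing CA (and any intermediates), not the leaf cert."),
    ("self signed certificate", "untrusted-issuer",
     "The chain ends in a CA the client does not trust; import that CA "
     "into the client store (the /var/ldap cert db, the Java keystore)."),
    ("certificate has expired", "expired",
     "The server certificate or a CA in its chain has expired; reissue."),
    ("hostname mismatch", "hostname-mismatch",
     "The name the client connects to is not in the cert's CN/SAN; use "
     "the certificate's name or reissue with the right SAN."),
    ("certificate verify failed", "verify-failed",
     "Chain validation failed for another reason (revoked, wrong key "
     "usage, bad signature); inspect the chain with openssl s_client."),
    ("wrong version number", "protocol-mismatch",
     "The port did not answer with TLS; check that 636 really is ldaps "
     "and that the service is listening with SSL enabled."),
    ("unsupported protocol", "protocol-mismatch",
     "Client and server share no TLS version; check both configurations."),
)

def classify(err):
    """Map a TLS failure (exception or its message text) to (code, advice)."""
    msg = str(err).lower().replace("-", " ")
    for needle, code, advice in _REASONS:
        if needle in msg:
            return code, advice
    return "handshake-failed", "TLS handshake failed: " + str(err)

def probe(host, port=636, cafile=None, timeout=5.0):
    """Connect with full verification, as a hardened client would, and
    report the outcome as a dict instead of an opaque 'could not bind'."""
    ctx = ssl.create_default_context(cafile=cafile)   # None = system CAs
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    result = {"host": host, "port": port, "ok": False, "code": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()   # only reachable after validation
                result.update(
                    ok=True, code="trusted", protocol=tls.version(),
                    subject=dict(rdn[0] for rdn in cert.get("subject", ())),
                    issuer=dict(rdn[0] for rdn in cert.get("issuer", ())),
                    not_after=cert.get("notAfter"))
    except ssl.SSLError as exc:
        code, advice = classify(exc)
        result.update(code=code, detail=str(exc), advice=advice)
    except OSError as exc:   # refused, timed out, DNS failure
        result.update(code="connect-failed", detail=str(exc),
                      advice="TCP connection failed; check firewall, "
                             "DNS and that the service is listening.")
    return result

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_trust_probe.py HOST [PORT] [CAFILE]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    for key, value in probe(host, port, cafile).items():
        print(f"{key:>9}: {value}")
```

Run it with the same CA file the client is configured to trust; a "trusted" result from this script but a failing bind points at the client's own trust store (cert db or keystore) rather than at the server.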