CUPS LDAP Authentication with SSL

William Bell · ‎02-17-2009

Greetings,

I am having an issue getting CUPS to properly support LDAP Authentication with SSL.

Environment:

CUCM version 6.1(3)

CUPS version 7.0(2)

LDAP Solution: Microsoft Active Directory 2003

Summary:

I have been able to get CUCM and CUPS to authenticate against LDAP using port 389 (non-SSL). I am also able to get CUCM to authenticate using port 636 (SSL). However, CUPS does not work correctly when the LDAP authentication on CUCM is configured to use SSL. I have uploaded the same root certificate to CUCM and CUPS. I have tested with https://cucmserver/ccmuser and https://cupsserver/ccmuser as well as with Unified Personal Communicator. LDAP works and LDAP over SSL does not.

I ran a network capture on both the CUCM and CUPS servers. In both traces, the transactions are basically the same:

1. tcp handshake (syn syn ack)

2. cucm/cups --> LDAP (Client Hello)

3. some exchange of TCP messages (same on both traces)

4. LDAP --> cucm/cups (Server Hello, Certificate, Certificate Request, Server Hello Done)

It is at this point where things are different. With CUCM, the CUCM server initiates client key exchange. With CUPS, the server sends an alert message (Alert: level fatal, Internal Error (80)).

So, I am somewhat at a loss. Obviously the issue is with the certificate and it is also obvious that CUPS wants a different certificate than what I have loaded on CUCM. I have loaded the exact same certificate file on both. I have generated separate certificates, I have also downloaded the CUCM version of the cert and imported it into CUPS. All to no avail.

Any thoughts on what could be wrong? Am I supposed to use a different certificate? (note: the certificate is the root CA for the DC server) Any logs/traces/etc. that I can look at to see what the "internal error" is?

Thanks and regards,

Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

htluo · ‎02-17-2009

You should be using the same cert on CUCM and CUPS.

If it works on CUCM but didn't work on CUPS, I would guess something is different on CUPS.

Here are some things to check:

1) Make sure you restart Cisco Tomcat after loading the cert on CUPS.

2) Make sure CUPS was able to resolve the FQDN of the LDAP server.

If both items look good, you may collect traces and upload them here:

1) On CUPS command line:

utils network captures cups count 100000 size all host all 192.168.1.100

Where "192.168.1.100" is the IP address of the LDAP server.

2) Try to log in to http://cups/ccmuser. It would fail as you described.

3) Press Ctrl-C on CUPS command line and type the command below:

file get activelog platform/cli/cups.cap

You'll need a SFTP server to receive the file.

4) Use RTMT to collect "Cisco Tomcat Security Logs" from CUPS. Make sure the time frame covers the time of the login attempt (step 2)

Upload sniffer capture, Tomcat Security log and the certificate here. I'll take a look.

Michael

http://htluo.blogspot.com/

William Bell · ‎02-20-2009

Michael,

Thanks for the reply. I am still having the issue but I am opting not to upload the certificate to this open forum due to the sensitive nature of the content in the certificate.

I did restart services and I even reloaded the hosts (we are still in build phase on the hosts, no production users).

So, my question is should I post traces and logs without the cert or is that useless information?

Regards,

Bill

HTH -Bill (b) http://ucguerrilla.com (t) @ucguerrilla

Please remember to rate helpful responses and identify

htluo · ‎02-20-2009

You may post the traces here.

Michael