AD-LDAP access over SSL is not working

FureyaAtaker
Level 1

We have CUCM 6.13.1000-16.

We are having a problem using SSL during LDAP directory and end user authentication.

Does SSL also require a certificate on the client (CUCM server) side to work? If yes, where can I find more information on the requirements?

Or are there any issues accessing Active Directory (Win2003) LDAP over SSL with CUCM 6.13 platform?

Thanks for the info.

Accepted Solution

htluo
Level 9

You need to install the CA cert on CUCM as directory-trust cert. (go to CUCM OS Admin > Security > Certificate Management)

Thanks!

Michael


7 Replies

Thank you!! Got it.

I was also reviewing the OS-Admin guide. I came across the same info. However, i wasn't sure about the directory-trust part.

Thanks again for the quick response.

Fureya

I hope it's not too late to revisit this issue.

I just uploaded our root cert as a directory-trust and then checked the Use SSL box on the LDAP server configuration. I keep getting a connection error when I submit it. I wanted to ask you what port you used for the connection. I used the default 389 and also 636.

Your assistance is greatly appreciated.

A common mistake is to use an IP address in the CUCM LDAP configuration while the LDAP certificate has the FQDN as its CN (Common Name).

Due to the security design of SSL, the requested URL has to match the certificate CN.

Go to CUCM > System > LDAP to see if you're using IP address or FQDN.

Michael

http://htluo.blogspot.com

I was indeed using an IP address. I have changed to the FQDN, but still get the same error.

javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I get this error on both callmanager v7 and Unity Connection v7.

I read another post that stated the Tomcat service needs to be restarted before it will work. I will be trying this tonight.

NOTE: I am using TCP 636 for the SSL connection.

Thanks,

Mark

That is correct, you need to restart Tomcat.

Also, make sure you upload the CA cert as "Directory-Trust" (you don't need to upload the LDAP cert). For example, the CA cert was "ca.verisign.com", the LDAP cert is "ldap.mycompany.local". You should upload the Verisign one instead of the LDAP one.

Michael

htluo,

Thanks for your help. Changing the IP to the FQDN and restarting the Cisco Tomcat service allowed me to configure SSL for the LDAP integration.

Configuration steps:

1. Exported the enterprise CA root certificate and then converted it to a PEM file using the OpenSSL program.

2. Uploaded the enterprise CA root certificate to callmanager as a directory-trust certificate.

3. Restarted the Cisco Tomcat service.

4. Changed the LDAP server reference from IP address to FQDN.

5. Changed the TCP port from 389 to 636.

6. Submitted.
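The two failure modes discussed in this thread (a Directory-Trust store that does not contain the issuing CA, and an LDAP server referenced by IP while the certificate carries the FQDN) can be reproduced offline with nothing but OpenSSL. The script below is an added example and is not code from the thread or from Cisco; it assumes openssl 1.1.0 or newer on the PATH, and every name in it is made up: ca.example.local and other-ca.example.local are throwaway CAs, ldap.example.local is a pretend domain controller and 192.0.2.10 its pretend address. It also performs the DER-to-PEM conversion from step 1 of the post above and confirms it did not alter the certificate.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces offline, with OpenSSL,
# the two reasons the LDAP-over-SSL connection failed above: a trust store
# that does not contain the issuing CA, and a server name that does not
# match the certificate. All names are made up (see lead-in).
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway enterprise root CA (stand-in for the Windows 2003 CA) plus an
# unrelated CA, to show what uploading the wrong "root" looks like.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout ca.key -out ca.pem \
  -subj "/CN=ca.example.local" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout other.key \
  -out other-ca.pem -subj "/CN=other-ca.example.local" >/dev/null 2>&1

# LDAP server certificate issued by ca.example.local, FQDN in CN and SAN.
openssl req -newkey rsa:2048 -nodes -keyout ldap.key -out ldap.csr \
  -subj "/CN=ldap.example.local" >/dev/null 2>&1
printf 'subjectAltName=DNS:ldap.example.local\n' > san.cnf
openssl x509 -req -in ldap.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -extfile san.cnf -out ldap.pem >/dev/null 2>&1

# Windows exports the root as DER (.cer); the CUCM upload wants PEM.
# This is step 1 of the post above, done with openssl x509.
openssl x509 -in ca.pem -outform DER -out ca.cer
openssl x509 -inform DER -in ca.cer -out ca-converted.pem

# fingerprint FILE: SHA-256 fingerprint, used to confirm DER->PEM changed
# nothing about the certificate itself.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# check_ldap_cert TRUSTFILE TARGET: validate ldap.pem the way a TLS client
# would. The chain is checked against TRUSTFILE (what was uploaded as
# Directory-Trust) and the name against TARGET (what is typed into the CUCM
# LDAP server field, an FQDN or an IP address). Prints "ok" or "fail" and
# always exits 0 so it can be used inside $(...) under set -e.
check_ldap_cert() {
  trust=$1
  target=$2
  case $target in
    *[!0-9.]*) nameopt="-verify_hostname $target" ;;  # FQDN
    *)         nameopt="-verify_ip $target" ;;        # dotted-quad IP
  esac
  # $nameopt is deliberately unquoted: it expands to two words.
  if openssl verify -CAfile "$trust" $nameopt ldap.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
  return 0
}

echo "right CA, FQDN:  $(check_ldap_cert ca.pem ldap.example.local)"        # ok
echo "right CA, IP:    $(check_ldap_cert ca.pem 192.0.2.10)"                # fail
echo "wrong CA, FQDN:  $(check_ldap_cert other-ca.pem ldap.example.local)"  # fail
if [ "$(fingerprint ca.pem)" = "$(fingerprint ca-converted.pem)" ]; then
  echo "DER->PEM round trip kept the same certificate"
fi
```

The "right CA, IP" case is the one the thread hit: the chain is fine, but the client asked for 192.0.2.10 and the certificate only names ldap.example.local, so name validation fails. Note that OpenSSL (like Java) checks the subjectAltName first and only falls back to the CN when the certificate has no DNS SAN at all, so a certificate with only an IP SAN would pass `-verify_ip` and fail `-verify_hostname`; the fix is the same as in the thread, make the LDAP server field match whatever name the certificate actually carries. The "wrong CA" case is what an empty or mis-populated Directory-Trust store looks like from the client side, and is the OpenSSL equivalent of the "trustAnchors parameter must be non-empty" exception quoted earlier.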