Symantec Access Management

  • 1.  Unable to connect to LDAP after disabling SSL2.0/3.0 and TLS 1.0 at AD

    Posted Oct 08, 2018 01:03 AM

    Hi All,

     

    I am facing an issue wherein, after AD disabled SSL 2.0, 3.0 and TLS 1.0 at their end, the Policy Server is not able to make an LDAP connection. I checked and found that the current version of Policy Server that I am using is not compatible with TLS 1.1 and TLS 1.2, and since SSL is disabled the connection is failing.

    Now, as per the details, TLS 1.1 and 1.2 were enabled after version 12.52 SP1 CR7, and the version I am using is 12.52 SP1 CR1. I would like to know how I can upgrade from 12.52 SP1 CR1 to 12.52 SP1 CR7.

    Could someone share the details of what is required for the upgrade, and whether it is a simple patch upgrade that can be done on the existing setup without affecting, or requiring changes on, the connected systems?

     

    PFB the details of the existing setup that I am on,

     

    Policy Server version: 12.52 SP1 CR1

    OS: Solaris 11

     

    Regards,

    Pankaj Sharma
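
    The check a practitioner would run before blaming the Policy Server is to ask the AD LDAPS port directly which protocol versions it still accepts. The probe below is an added example for this thread, not code from the original post or from CA/Symantec: it sends a minimal ClientHello offering exactly one protocol version and classifies the first record the server returns (a ServerHello means accepted, an Alert such as protocol_version means rejected). The host name ad.example.com, port 636 and the two sample reply byte strings are constructed for illustration; run it from the Policy Server host against the real directory.

```python
"""Raw TLS protocol-version probe for an LDAPS endpoint (added example)."""
import socket
import struct
import sys

# Protocol versions as (major, minor) on the wire.
TLS_VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}

# Cipher suites offered; a mix so that any TLS 1.0-1.2 server has a match.
CIPHER_SUITES = [
    0xC02F,  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (TLS 1.2 only)
    0xC013,  # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    0x002F,  # TLS_RSA_WITH_AES_128_CBC_SHA
    0x000A,  # TLS_RSA_WITH_3DES_EDE_CBC_SHA (legacy servers)
]

ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    70: "protocol_version",
    86: "inappropriate_fallback",
}


def version_name(major, minor):
    for name, pair in TLS_VERSIONS.items():
        if pair == (major, minor):
            return name
    return "unknown(%d.%d)" % (major, minor)


def build_client_hello(version):
    """Return one TLS record carrying a ClientHello that offers `version` only."""
    major, minor = TLS_VERSIONS[version]
    client_random = b"\x00" * 32  # constructed; use os.urandom(32) for real traffic
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])                  # client_version
        + client_random
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                          # one compression method: null
    )
    # Handshake header: msg_type 1 (ClientHello) + 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type 22 (handshake), version, 16-bit length.
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first TLS record in `data` (bytes read back from the socket)."""
    if len(data) < 5:
        return {"result": "no_tls", "detail": "connection closed or non-TLS reply"}
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    # Handshake record whose first message is ServerHello (type 2):
    # bytes 4-5 of that message carry the negotiated server_version.
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        return {"result": "accepted", "negotiated": version_name(payload[4], payload[5])}
    # Alert record: level (1 = warning, 2 = fatal) followed by description.
    if content_type == 0x15 and len(payload) >= 2:
        level, desc = payload[0], payload[1]
        return {"result": "rejected", "alert": ALERT_DESCRIPTIONS.get(desc, str(desc)), "fatal": level == 2}
    return {"result": "unknown", "content_type": content_type}


def probe(host, port, version, timeout=5.0):
    """Connect, send one ClientHello for `version`, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""  # some servers silently drop rejected versions
    return classify_response(data)


# Constructed sample replies, truncated to the bytes classify_response inspects.
SAMPLE_SERVER_HELLO_TLS12 = b"\x16\x03\x03\x00\x06\x02\x00\x00\x02\x03\x03"
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ad.example.com"  # hypothetical host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    for name in TLS_VERSIONS:
        print(name, probe(host, port, name))
```

    After the AD hardening described in the post you would expect SSLv3, TLSv1.0 (and possibly TLSv1.1) to come back as rejected or no_tls and TLSv1.2 as accepted; a Policy Server build that cannot speak TLS 1.1/1.2 then has no version in common with the directory, which is exactly the failure reported here. The same probe run after the Policy Server upgrade confirms nothing changed on the AD side.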



  • 2.  Re: Unable to connect to LDAP after disabling SSL2.0/3.0 and TLS 1.0 at AD

    Posted Oct 08, 2018 03:24 AM

    Hi Pankaj,

     

    You are correct, TLS 1.1 and 1.2 are supported since R12.52 SP1 CR07. Upgrading from R12.52 SP1 CR01 to CR07 is not like a whole release upgrade: the components can be upgraded separately, as they support other components on the same release at a different CR (as covered in the Platform Support Matrix), except for the AdminUI, which is highly recommended to be at the same CR as the Policy Server.

     

    Tech Tip - CA Single Sign-On:Policy Server:Does Policy server supports TLSv1.1/TLSv1.2 protocol for LDAP connectivity with Policy Store/User Store 

    R12.52 Platform Support Matrix 

     

    So to upgrade Policy Server you should stop it, perform the upgrade, and also upgrade the Policy Store as between CRs sometimes there are some enhancements and fixes that includes some changes to existing objects, and therefore using upgrade tools as per documentation is recommended (XPSDDInstall, XPSimport for the default objects, etc), as this step is harmless and will only modify existing objects if they are updated on this CR, or if they are damaged/missing.

     

    Upgrading - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Anyway, it is always recommended to have all components in the same version and CR, but you have more flexibility to apply the CR07 to other components as they are supported as mentioned above.

     

    Hope it helps!



  • 3.  Re: Unable to connect to LDAP after disabling SSL2.0/3.0 and TLS 1.0 at AD

    Posted Oct 08, 2018 09:37 AM

    Hi Albert,

     

    Thanks for the info.

    Can you please let me know if a Policy Store upgrade is required even in the case where the Policy Store is set up on a different set of servers, on which I have CA Directory installed?

    Also, at my end I have the Policy Server installed along with the Admin UI on Windows servers as well; is an upgrade required on that Policy Server and Admin UI?

     

    Regards,

    Pankaj Sharma



  • 4.  Re: Unable to connect to LDAP after disabling SSL2.0/3.0 and TLS 1.0 at AD

    Posted Oct 08, 2018 09:59 AM

    Yes, regardless of the location of the Policy Store (in the same box or another) it is needed.

     

    Best regards



  • 5.  Re: Unable to connect to LDAP after disabling SSL2.0/3.0 and TLS 1.0 at AD

    Broadcom Employee
    Posted Oct 08, 2018 10:48 AM

    Pankaj, Policy Server and AdminUI, as well as Policy Store, should be at the same version level (up to the CR) to get the best results.

    - Rgds., Vijay



  • 6.  Re: Unable to connect to LDAP after disabling SSL2.0/3.0 and TLS 1.0 at AD

    Broadcom Employee
    Posted Oct 08, 2018 03:18 PM

    Just to add to the conversation, the End of Life for 12.52 is rapidly approaching.

    End of Service Announcement for CA Single Sign-On r12.52 (includes all Service Packs and Cumulative Releases) 

     

    You should start planning on upgrading to a later release as soon as you can. That said, another option is to open a Support ticket and request the upgraded NSS libraries, 3.30.2 for 12.52 SP1.

     

    It depends on your upgrade schedule. The preferred method is to upgrade to a later release or CR as you will pick up many other fixes as well. But if you are limited in the timing or amount of upgrades you can perform before the EOL date, upgrading the libraries might be the best method to buy you time on 12.52 until you can upgrade to 12.7 or 12.8.

     

    Hope this helps!



  • 7.  Re: Unable to connect to LDAP after disabling SSL2.0/3.0 and TLS 1.0 at AD

    Posted Oct 12, 2018 03:41 AM

    Thanks to all for the suggestions.

    We have been able to resolve the issue by upgrading the Policy Server version.

     

    Regards,

    Pankaj Sharma