Symantec Access Management

  • 1.  CA Directory : Connect logs

    Posted Nov 12, 2018 09:59 AM

    Hi all,

     

    Just wanted to understand which SSL version the DSA Connect log below refers to.

    There are 2 types of logs being printed, one with an explicit SSL version and the other one as blank.

    e.g., the first one refers to TLSv1.2.

    What does the 2nd one refer to? Is there any default version?

     

    CONN #12345 "cn=user1,ou=abc,o=org" 100.100.100.100:789 PASS(SSL: TLSv1.2)
    CONN #12346 "cn=user2,ou=abc,o=org" 100.100.100.100:789 PASS(SSL: )

    Regards,

    Anurag



  • 2.  Re: CA Directory : Connect logs

    Posted Nov 13, 2018 04:25 AM

    HubertDennis, could you please help here?

     

    Regards,

    Anurag



  • 3.  Re: CA Directory : Connect logs

    Posted Nov 13, 2018 10:35 AM

    K.Anurag

     

    Could we know what version of CA Directory this is?

     

     

    It could be possible this is the issue. As per the R14.0 Defect Fixed Summary, refer to 01094513 / DE374490 [Direct connection to data dsa over TLS does not show-up in connect log].

    14.0.01 Defect Fixes - CA Directory - 14.0 - CA Technologies Documentation 

     

     

    By default it is TLS and specifically TLSv1.2.

    set ssl Command -- Configure SSL - CA Directory - 14.0 - CA Technologies Documentation 

    Which TLS Ciphers are used by CA Directory DSAs? 

     

    Regards

    Hubert



  • 4.  Re: CA Directory : Connect logs

    Posted Nov 14, 2018 05:54 AM

    CA Directory version is 12.0.18.

     

    Regards,

    Anurag



  • 5.  Re: CA Directory : Connect logs

    Posted Nov 14, 2018 08:42 AM

    Also, we have a Dev instance of CA Dir 14.0.1, where the connection log prints the respective SSL version for all the users/service accounts trying to connect over LDAPS.

    It is only this version, 12.0.18, where we have observed that the connection log is printing the SSL version for only a specific user, AND the SSL version is always TLSv1.2.

    For all the rest of the users it prints a blank for the SSL version.

     

    Does it mean that those accounts are connecting over an SSL version other than TLSv1.2, and due to an existing defect the connect log is not able to print the value of other versions?

    In that case, how do we know which SSL version it is connecting over?

     

    Regards,

    Anurag



  • 6.  Re: CA Directory : Connect logs
    Best Answer

    Broadcom Employee
    Posted Nov 14, 2018 11:23 AM

    Are you by any chance using role-based configuration? If yes, is it possible that the user for whom you DO NOT see the protocol version written in the connect log is part of that, while the other users for whom you DO see the protocol listed as TLSv1.2 in the connect log have no role assigned?

     

    If the answer to the above is yes, this was a cosmetic problem (not a defect) which we found in the 12.6 version and fixed. So it seems like you are hitting that problem. Also, as fixes are cumulative in nature, it made it into the 14.0 release, where you confirmed not seeing this problem, while 12.0 is scheduled to go EOS (End Of Service) on Feb 28, 2019... we didn't port the fix back to the 12.0 code line as there are no further SPs (Service Packs) planned for this release.

     

    In short, the connection is still made over the TLSv1.2 protocol, but since the user is part of the role-based config, it is not reflected correctly in the connect log; hence it shows PASS(SSL: ) only and not PASS(SSL: TLSv1.2).

     

    Hope this helps.

     

    Thanks,

    Hitesh
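    A small parser, added here and not taken from the thread or from the CA Directory product, for connect-log lines in the format quoted at the top of the thread. It splits the entries whose SSL field is blank into those explained by the role-based cosmetic problem Hitesh describes and those a defender should still look at. The sample log lines and the set of role-member DNs are constructed assumptions; the regex also assumes IPv4 addresses as in the quoted lines.

    ```python
    import re

    # One CONN line as quoted in the thread, for example:
    #   CONN #12345 "cn=user1,ou=abc,o=org" 100.100.100.100:789 PASS(SSL: TLSv1.2)
    # The SSL field may be blank: PASS(SSL: )
    CONN_RE = re.compile(
        r'^CONN #(?P<conn>\d+) "(?P<dn>[^"]*)" (?P<ip>[^\s:]+):(?P<port>\d+) '
        r'(?P<result>\w+)\(SSL: ?(?P<ssl>[^)]*)\)\s*$'
    )

    # Constructed sample connect-log lines (not real data); the blank line is a
    # stand-in for any non-CONN record the parser should skip.
    SAMPLE_LOG = [
        'CONN #12345 "cn=user1,ou=abc,o=org" 100.100.100.100:789 PASS(SSL: TLSv1.2)',
        'CONN #12346 "cn=user2,ou=abc,o=org" 100.100.100.100:789 PASS(SSL: )',
        'CONN #12347 "cn=svc1,ou=abc,o=org" 100.100.100.101:789 PASS(SSL: )',
        '',
    ]

    # Constructed assumption: DNs the administrator knows are in role-based
    # configuration, i.e. the ones the cosmetic blank-protocol problem applies to.
    ROLE_MEMBER_DNS = {"cn=user2,ou=abc,o=org"}


    def parse_conn_line(line):
        """Return the fields of one CONN line, or None for anything else.
        'ssl' is the logged protocol string, or '' when the field was blank."""
        m = CONN_RE.match(line.strip())
        if not m:
            return None
        rec = m.groupdict()
        rec["conn"] = int(rec["conn"])
        rec["port"] = int(rec["port"])
        rec["ssl"] = rec["ssl"].strip()
        return rec


    def triage_blank_ssl(lines, role_member_dns):
        """Map each DN seen in CONN lines to a status: the logged protocol,
        'blank, expected' for role members (cosmetic), or 'blank, investigate'."""
        status = {}
        for line in lines:
            rec = parse_conn_line(line)
            if rec is None:
                continue
            if rec["ssl"]:
                status[rec["dn"]] = "protocol logged: " + rec["ssl"]
            elif rec["dn"] in role_member_dns:
                status[rec["dn"]] = "blank, expected (role member, cosmetic)"
            else:
                status[rec["dn"]] = "blank, investigate"
        return status


    if __name__ == "__main__":
        for dn, verdict in triage_blank_ssl(SAMPLE_LOG, ROLE_MEMBER_DNS).items():
            print(f"{dn}: {verdict}")
    ```
    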



  • 7.  Re: CA Directory : Connect logs

    Posted Nov 15, 2018 04:15 AM

    Yes, we are using role-based configuration and the user for whom we see the SSL protocol printed is not a part of any role. Thank you for your help HubertDennis and Hitesh_Patel.

     

    Regards,

    Anurag



  • 8.  Re: CA Directory : Connect logs

    Posted Nov 16, 2018 06:09 PM

    Experts,

     

    Configured CA DIR 14.0 and I am able to access and create the DSAs via the management UI. Trying to connect to these stores via the JXplorer / Apache Directory Studio LDAP browsers.

    What is the userDN that I have to use to connect?

     

    Using "uid=dsa" and its associated password gives me an error: invalid credentials.

     

    Inputs appreciated!