Symantec IGA

  • 1.  Password sync agent failing to connect IDM

    Posted Dec 02, 2018 11:00 PM

    Hi,

     

    Whenever we try to reset a password from the AD side, we get the following errors in the eta_pwdsync.log file and the password is not rotated on the IDM side.

    failed
    20181130.13:22:08. TID=1d20. * PasswordChangeNotify(user=johntest)
    20181130.13:22:08. TID=1d20.   Password synchronization is enabled.
    20181130.13:22:08. TID=1d20. * Trace: Connect request initiated.
                Administrator DN: 'eTGlobalUserName=etapwsad,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'.
                Connection timeout: '20'.
    20181130.13:22:08. TID=1d20. ! Error: eTrust Admin Server was not able to update password for 'test'.
                Reported from: .\pswdntfy.cpp:367.
                Reason:   Administrator DN: 'eTGlobalUserName=etapwsad,eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=eta'.
                Connection timeout: '20'.
                Error: ldap_simple_bind() failed for 'ldaps://10.20.30.40:20391'.
                LDAP error: Can't contact LDAP server.
                Result: Password will be out of sync with eTrust Admin.

    Please help.



  • 2.  Re: Password sync agent failing to connect IDM

    Broadcom Employee
    Posted Dec 03, 2018 12:05 AM

    Bipin,

    Refer to the screen print below. You need to extract the updated certificate chain from the LB URL, create a .pem file (How to Create a .pem File for SSL Certificate Installations), and replace the existing one under the path mentioned in the "Trusted CA Bundle" field.

    Hope this helps !!!

    Regards

    Ashok



  • 3.  Re: Password sync agent failing to connect IDM

    Posted Dec 03, 2018 09:41 AM

    Thank you for your response, Ashok.

    We already have this certificate installed.



  • 4.  Re: Password sync agent failing to connect IDM

    Broadcom Employee
    Posted Dec 03, 2018 10:15 AM

    I did notice in another of your posts that you have made some changes to the LB URL SSL certificate; I suspect this is what is causing the issue.

    I would suggest testing with non-SSL communication to isolate the issue in order to troubleshoot it.



  • 5.  Re: Password sync agent failing to connect IDM

    Posted Dec 03, 2018 10:58 AM

    Hi,

     

    There is no change in the SSL certificate; we just enabled TLS 1.1 on the LB URL of IDM, and after that we are seeing this password sync failure.

    But this issue is new: the password sync agent is unable to contact the IDM provisioning server, and when I try non-SSL, it throws a protocol error.



  • 6.  Re: Password sync agent failing to connect IDM
    Best Answer

    Broadcom Employee
    Posted Dec 04, 2018 06:02 AM

    Hello,

    I suspect the trouble is with the port you are configured to connect through, 20391.

    Provisioning Server default ports:

    20389 - Provisioning Server
    20390 - SSL Provisioning Server router
    20391 - Provisioning Server router

    The Password Synchronization Agents should connect to the Provisioning Server through 20390 (secure) or 20389 (non-secure) for testing the network.

    When the implementation includes several Provisioning Servers (HA), the Password Synchronization Agents have to be configured with alternate servers, but not going through the 20391 Provisioning Server router port.

    The following is an extract from the CA IM documentation about the alternate servers configuration setting.

    Configure the Agent for Alternate Servers

    To configure the Password Synchronization Agent to use an alternate server, you use the Password Synchronization Agent Configuration wizard.

    To configure an alternate server for the Agent

    1. Run PwdSyncConfig.exe located in password_sync_folder\bin.
    2. Enter the following configuration information:
      • Host
        Specify the name of the Provisioning Server system.
        This populates the Server URL field with the host name you specify.
      • LDAP port
        Specify the LDAP port used to connect to the Provisioning Server. The default is 20390; change this port as required if your Provisioning Server installation uses a non-default port.
    3. Click the Find domain button to retrieve the Provisioning Server Domain.
    4. Add the host name and port of the alternate servers in the Server URLs field using the following format:
      ldaps://primaryhost:20390,ldaps://alternatehost1:20390
    5. Click Next.
    6. Complete the remaining fields in the configuration wizard.

    Remember to check that the configured Administrator DN (eTGlobalUserName=etapwsad) is not disabled or locked.

    Best Regards, Laurent
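    The check described in this answer and the log excerpt in the opening post can be automated. The following is an added example written for this thread; it is not code from the thread, from CA/Symantec, or from the Password Synchronization Agent. It parses a Server URLs value in the wizard's format, flags entries that point at the 20391 router port or that pair an ldap:// or ldaps:// scheme with the wrong default port, and extracts ldap_simple_bind() failures from eta_pwdsync.log text. The sample log is constructed from the excerpt above (the 10.20.30.40 address is the one in the thread), and the probe_tls helper, its name and its parameters are assumptions of this example; it needs network access and is not exercised by the sample data.

```python
import re
import socket
import ssl
from urllib.parse import urlsplit

# Provisioning Server default ports as listed in the thread. The Password
# Synchronization Agent is expected to use 20389 (non-SSL) or 20390 (SSL);
# 20391 is the router port and is not the right target for the agent.
PORT_ROLES = {
    20389: ("ldap", "Provisioning Server (non-SSL)"),
    20390: ("ldaps", "Provisioning Server (SSL)"),
    20391: (None, "Provisioning Server router"),
}

# Constructed sample modelled on the eta_pwdsync.log excerpt in the thread
# (hypothetical data; only the 10.20.30.40 address comes from the thread).
SAMPLE_LOG = """\
20181130.13:22:08. TID=1d20. * PasswordChangeNotify(user=johntest)
20181130.13:22:08. TID=1d20.   Password synchronization is enabled.
20181130.13:22:08. TID=1d20. * Trace: Connect request initiated.
            Connection timeout: '20'.
20181130.13:22:08. TID=1d20. ! Error: eTrust Admin Server was not able to update password for 'test'.
            Error: ldap_simple_bind() failed for 'ldaps://10.20.30.40:20391'.
            LDAP error: Can't contact LDAP server.
            Result: Password will be out of sync with eTrust Admin.
"""

TS_RE = re.compile(r"^(?P<ts>\d{8}\.\d{2}:\d{2}:\d{2})\.")
BIND_RE = re.compile(r"ldap_simple_bind\(\) failed for '(?P<url>ldaps?://[^']+)'")
LDAP_ERR_RE = re.compile(r"LDAP error:\s*(?P<msg>.+?)\.?\s*$")


def parse_server_urls(field):
    """Split the wizard's comma-separated Server URLs field into (scheme, host, port)."""
    servers = []
    for raw in field.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname or parts.port is None:
            raise ValueError(f"expected ldap(s)://host:port, got {raw!r}")
        servers.append((parts.scheme, parts.hostname, parts.port))
    return servers


def check_server(scheme, host, port):
    """Return findings (strings) for one server entry; an empty list means it looks right."""
    role = PORT_ROLES.get(port)
    if role is None:
        return [f"{host}:{port}: non-default port, confirm it is the Provisioning Server listener"]
    expected_scheme, label = role
    if expected_scheme is None:
        return [f"{host}:{port}: {label} port; the agent should use 20390 (SSL) or 20389 (non-SSL)"]
    if scheme != expected_scheme:
        return [f"{host}:{port}: {label} but URL scheme is {scheme}://, expected {expected_scheme}://"]
    return []


def check_server_urls(field):
    """Check every entry of a Server URLs value such as 'ldaps://primaryhost:20390,ldaps://alt:20390'."""
    findings = []
    for scheme, host, port in parse_server_urls(field):
        findings.extend(check_server(scheme, host, port))
    return findings


def extract_bind_failures(log_text):
    """Walk eta_pwdsync.log text and return one record per ldap_simple_bind() failure."""
    failures = []
    last_ts = None
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if m:
            last_ts = m.group("ts")  # indented continuation lines inherit this timestamp
        m = BIND_RE.search(line)
        if m:
            scheme, host, port = parse_server_urls(m.group("url"))[0]
            failures.append({"time": last_ts, "url": m.group("url"), "host": host,
                             "port": port, "ldap_error": None,
                             "findings": check_server(scheme, host, port)})
            continue
        m = LDAP_ERR_RE.search(line)
        if m and failures and failures[-1]["ldap_error"] is None:
            failures[-1]["ldap_error"] = m.group("msg")
    return failures


def probe_tls(host, port, ca_bundle=None, timeout=5.0):
    """Hypothetical helper: attempt a TLS handshake (needs network access) and report the
    negotiated protocol version or the handshake error. Pass the agent's Trusted CA Bundle
    as ca_bundle so certificate verification mirrors what the agent does."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    for rec in extract_bind_failures(SAMPLE_LOG):
        print(rec["time"], rec["url"], rec["ldap_error"], *rec["findings"], sep=" | ")
```

    Run against the sample log, the script reports the single bind failure at 13:22:08 with the finding that 20391 is the router port. Pointing probe_tls at the LB host on 20390 shows which TLS version the front end actually negotiates, which is the kind of handshake mismatch the thread's last post turned out to be about.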



  • 7.  Re: Password sync agent failing to connect IDM

    Posted Dec 07, 2018 12:49 PM

    Hi,

     

    I'm happy to inform you that we have fixed this issue now. The "Can't connect LDAP server" error was due to an SSLv2Hello protocol handshake error with the server. We upgraded our password agent to version 12.6.8 to support a higher standard protocol and it worked.

    Thank you all for your help.