Microsoft is enforcing LDAPS for active directory services. https://www.heise.de/newsticker/meldung/Microsoft-stellt-Domaincontroller-langsam-auf-LDAPS-um-4666079.html

So we have to configure all ivyEngine user synch connections to use LDAP(S). How can this be done? Simply enabling 'SSL' option doesn't seem to be enough.

We have multiple workflow app on differen ivyEngine (4.3, 5.1, 7.0) versions in use. Is there a generic approach to use that works als in older environments?

asked 29.04.2020 at 05:39

SupportIvyTeam's gravatar image

SupportIvyTeam ♦♦
1.4k102118122
accept rate: 77%

edited 29.04.2020 at 06:25


The approach below still works, but there is an update to this question for newer versions of Ivy on our new community page:

https://community.axonivy.com/d/58-how-to-migrate-active-directory-connection-to-ldaps-ssl

The generic approach that should work in any ivyEngine:

1. Set the SSL Debug flag

Set the JVM system property -Djavax.net.debug=all to debug SSL connections . https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html

2. Determine the truststore in use

The truststore that contains the accepted certificats of your engine runtime must be identified. The location differs according to your operating system and ivyEngine version (JVM version). Analyse the Axon.ivy console log and find the log entry exposing your 'truststore' . E.g. ( jre/lib/security/cacerts or jre/lib/security/jssecacerty ) alt text

3. Add Certificates to Truststore

Add all parent certificates of your LDAP(S) server to the truststore using the keytool availalbe in the JRE/lib/bin of the engine being used. Sample:

jre/lib/bin/keytool -importcert -file zugtstdirads.cer -keystore jre/lib/security/cacerts -storepass changeit -alias zugtstdirads

You may use a GUI such as https://keystore-explorer.org/ to verify that certificates have been propertly added. But that should just be used for verification. Adding certificates with this tooling may lead to corrupt truststores (and the engine/HTTPS connctor no longer starts correctly).

3.2 Verify, that the issuer of your certificate is in the truststore. In most cases you have to add internal company CA certs that will finally link to a ROOT CA Issuer.

alt text

4. Enable SSL connections

... for your Active Directory security system

  • ivy8: Engine Cockpit -> Security Systems -> YourAd -> Enable 'SSL' + and adjust the URL port (636)
  • ivy 7 an older: Admin UI -> Your App -> Edit Active Directory -> Enable 'SSL' with the checkbox.

alt text

5. Trigger the synchronization

If the connection is not working: check the Axon.ivy console.log for SSL debug output. In most cases a certificate in the chain is missing.

As a first step: Verify that your added certificates appear in the list of trusted certs: alt text

See point 3.2 to analyze the cert-chain.

NOTE: At the end, do not forget tor remove the -Djavax.net.debug=all entry from the configuration file once everything is OK, and then to restart the engine, otherwise you will encounter performance problems.

link

answered 29.04.2020 at 05:48

Reguel%20Wermelinger's gravatar image

Reguel Werme... ♦♦
9.4k31958
accept rate: 70%

edited 17.02.2021 at 06:59

SupportIvyTeam's gravatar image

SupportIvyTeam ♦♦
1.4k102118122

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×19
×4
×1

Asked: 29.04.2020 at 05:39

Seen: 3,992 times

Last updated: 17.02.2021 at 06:59