Environment
Situation
While creating an Active Directory user store, if TLSv1.2 is disabled on Active Directory and the secure LDAP connection option is selected, both the "Validate" and "Auto import trusted root" options in the "Server Replicas" section fail.
If the configuration is pushed to the IDP, authentication still works even though the "Validate" option fails with the message "connection reset".
Resolution
Disable TLSv1.2, which forces TLSv1.1 for all outbound connections from the Admin Console:
- On the Admin Console, edit /opt/novell/java/jre/lib/security/java.security
- Add TLSv1.2 to jdk.tls.disabledAlgorithms, for example: "jdk.tls.disabledAlgorithms=SSLv3,TLSv1.2"
- Restart the novell-ac service. Run "/etc/init.d/novell-ac restart"
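The following POSIX shell script is an added example, not part of the original article or of the product, that applies the edit above idempotently: it adds TLSv1.2 to jdk.tls.disabledAlgorithms only if it is not already listed, keeps a .bak copy, and lets you read back the resulting value before restarting novell-ac. It assumes the single-line form of the property shown in the article (a value continued over several lines with trailing backslashes is not handled) and uses the file path from the article as a default that can be overridden via the JAVA_SECURITY variable. Because the change forces TLSv1.1 for every outbound connection from the Admin Console, the read-back step is there so the full list of disabled algorithms is visible before the service is restarted.

```shell
#!/bin/sh
# Added example (not from the article): idempotently add TLSv1.2 to
# jdk.tls.disabledAlgorithms in a java.security file and verify the result.
# Assumes the property is on a single line, as in the article's example.

# Default path from the article; override with JAVA_SECURITY=/other/path.
JAVA_SECURITY="${JAVA_SECURITY:-/opt/novell/java/jre/lib/security/java.security}"

# Print the current value of jdk.tls.disabledAlgorithms (empty if absent).
get_disabled_algorithms() {
    file="$1"
    sed -n 's/^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=[[:space:]]*//p' "$file" | head -n 1
}

# Exit 0 if TLSv1.2 is already one of the comma-separated entries.
tls12_disabled() {
    get_disabled_algorithms "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -qxF 'TLSv1.2'
}

# Append TLSv1.2 to the existing list, or create the key if it is missing.
# Writes a .bak copy first and does nothing if TLSv1.2 is already listed.
disable_tls12() {
    file="$1"
    if tls12_disabled "$file"; then
        return 0
    fi
    cp "$file" "$file.bak"
    if grep -q '^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=' "$file"; then
        current="$(get_disabled_algorithms "$file")"
        if [ -z "$current" ]; then
            new="TLSv1.2"
        else
            new="$current,TLSv1.2"
        fi
        tmp="$file.tmp.$$"
        sed "s/^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=.*/jdk.tls.disabledAlgorithms=$new/" "$file" > "$tmp"
        mv "$tmp" "$file"
    else
        printf 'jdk.tls.disabledAlgorithms=TLSv1.2\n' >> "$file"
    fi
}

# Apply to the real file only when invoked with --apply; restarting
# novell-ac is left to the operator, as in the article's last step.
if [ "${1:-}" = "--apply" ]; then
    disable_tls12 "$JAVA_SECURITY"
    echo "jdk.tls.disabledAlgorithms is now: $(get_disabled_algorithms "$JAVA_SECURITY")"
fi
```

Run it as `sh disable_tls12.sh --apply` on the Admin Console, check the printed list, then run "/etc/init.d/novell-ac restart" as the article describes. Running the script twice leaves the file unchanged after the first run.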
Cause
The Admin Console uses the highest TLS version available for outbound communication. However, if TLSv1.2 is disabled on the LDAP server, certain options won't work.
The IDP tries to communicate with the LDAP server using both TLSv1.2 and TLSv1.1.
The Admin Console only tries the highest protocol available, TLSv1.2.