Micro Focus iPrint Appliance 4.2
With a source LDAP server of OES 2015 SP1 and after updating the iPrint Appliance with the SLES updates (which were available as of 30AUG2021), LDAP synchronizations stop working. No users or groups are able to import and existing user authentications fail.
iprint-auth shows the following error:
[DATE] ERROR UserCoordinator:140 - syncUsers() threw an exception:java.lang.RuntimeException: javax.naming.CommunicationException: ldapservername:636 [Root exception is javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS12]]at com.microfocus.service.iprint.auth.sync.ldap.LdapSearch.iterator(LdapSearch.java:188)
There are 3 options to approach this issue. Some of these options are listed as a temporary workaround until the LDAP source server can be upgraded to a supported version.
- Change to use LDAP instead of LDAPS
- Go to the :9443 tool, click Manage iPrint Appliance, click Identity Sources, click the Directory Server configured for the Appliance, change the LDAP Server URL from ldaps:// to ldap:// and change the port from 636 to 389. Save the change.
- Change LDAPS server to point to an OES 2018 SP2 or later server.
- Use similar steps listed above. Instead of pointing to the OES 2015 server, point to the OES 2018 server. Import the certificate from the OES 2018 server into the Appliance.
- If you need time to upgrade your source LDAP server to OES 2018, you can revert your iPrint Appliance snapshot prior to the update so users can authenticate and new users and groups can be imported. The update to 4.2 introduced the requirement of the source LDAP server not use TLS 1 or 1.1.
- Disable the enforcement of the newer OpenSSL TLS 1.2
- Note: this workaround is not recommended as earlier versions of TLS have security vulnerabilities. But, this can be used temporarily until you have time to implement one of the above solutions.
- Backup the /usr/lib64/jvm/jre-1.8.0-openjdk/lib/security/java.security file and remove the TLSv1, TLSv1.1, entry from the jdk.tls.disabledAlgorithms directive. These two steps can be accomplished by pasting the following sting of commands into an SSH session:
- cp /usr/lib64/jvm/jre-1.8.0-openjdk/lib/security/java.security /tmp/java.security;sed -i 's/ TLSv1, TLSv1.1,//g' /usr/lib64/jvm/jre-1.8.0-openjdk/lib/security/java.security
- Restart the iPrint Appliance server.
- Once you are ready to implement one of the above (more recommended solutions), you can revert back to enforcing TLS 1.2 by pasting in the following command and restarting the iPrint Appliance server.
- cp /tmp/java.security /usr/lib64/jvm/jre-1.8.0-openjdk/lib/security/java.security /tmp/java.security
One of the latest updates is java-1_8_0-openjdk-headless-188.8.131.522-27.63.2.x86_64. This version disables TLS 1 and TLS 1.1. The source OES 2015 SP1 server's version of OpenSSL does not support TLS 1.2. This causes the TLS negotiation to fail.