
Re: HPE Oneview openldap

ditidiapl
Occasional Advisor

oneview openldap

Hello,

I'm trying to configure openldap on oneview but when I insert the server certificate the system says that:

The certificate entered for server 192.168.252.155:389 does not appear to be a valid certificate.

I'm very confident that the certificate is valid... How to debug this error to find out why I'm receiving this message?

All my settings:

Model HPE OneView VM - VMware vSphere
Firmware Version 3.10.04-0299553
Date Jun 9, 2017

My openldap port is 389 and it uses TLS (Is oneview using TLS too?)

Thanks

Dennis Handly
Acclaimed Contributor

Re: HPE Oneview openldap

Have you tried checking your cert on a cert checking website?

A message saying "not valid" isn't particularly helpful, more details would help.

ditidiapl
Occasional Advisor

Re: HPE Oneview openldap

Hello Dennis

The certificate is self-signed

The certificate is OK because other services connect normally to ldap using TLS.

My ldap-server works on port 389 using TLS, I don't know if Oneview supports TLS.

The only thing that oneview shows is:

The certificate entered for server 192.168.252.155:389 does not appear to be a valid certificate.
For assistance, contact your administrator.

My ldap certificate is below if you wanna test, and it looks ok:

> openssl x509 -in /tmp/ldap-consumer.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1376575537 (0x520ce031)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=UFFS
Validity
Not Before: Aug 15 14:05:37 2013 GMT
Not After : Aug 10 14:05:37 2033 GMT
Subject: O=UFFS, CN=srv-ldap-consumer-01.uffs.edu.br

....

Thanks..

ChrisLynch
HPE Pro

Re: HPE Oneview openldap

Yes, OneView does support TLS in many places.  I see your cert does have the "Server Authentication" extension set.  I will look into this and report back.

I work at HPE
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Dennis Handly
Acclaimed Contributor

Re: HPE Oneview openldap

>The certificate is self-signed


It's not self-signed.  I.e. the Issuer and Subject don't match:

        Issuer: CN=UFFS

        Subject: O=UFFS, CN=srv-ldap-consumer-01.uffs.edu.br

You didn't post your CA so I can't verify it.

As Chris says you have these extensions:

        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                0D:45:50:D0:C5:2D:99:9C:66:30:D0:3B:07:CE:60:4B:C0:82:EA:F4
            X509v3 Authority Key Identifier:
                keyid:87:2C:2A:27:D8:8B:0A:1F:41:BC:3D:D3:1C:08:66:82:86:99:09:57

ditidiapl
Occasional Advisor

Re: HPE Oneview openldap

Hello

The first certificate that I have posted is not actually our main ldap server. But I have tested with our ldap main server and it gives the same error.

This is the certificate of our main ldap server


This certificate is used by various systems and they connect successfully to our ldap server using tls on the port 389

But it is not working with oneview:

The certificate entered for server 192.168.252.154:389 does not appear to be a valid certificate.


This certificate is valid:

# openssl verify cacert.pem

cacert.pem: CN = UFFS
error 18 at 0 depth lookup:self signed certificate
OK

How to find out more information why oneview is not accepting this certificate?

Thanks
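Dennis's Issuer-versus-Subject check and the openssl verify step in this thread, rebuilt as an added shell example with throwaway keys (this is not code from the thread or from HPE); it assumes the openssl CLI is installed, and the names EXAMPLE-CA and ldap.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the two checks made above,
# Issuer-vs-Subject and "openssl verify", offline with throwaway keys.
# Assumes the openssl CLI; EXAMPLE-CA and ldap.example.test are placeholders.
set -e
WORK=$(mktemp -d)

# Self-signed CA plus a server cert signed by it, carrying the same
# extensions the thread's cert shows (CA:FALSE, serverAuth, DS + KE).
make_test_certs() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=EXAMPLE-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=EXAMPLE/CN=ldap.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  printf '%s\n' 'basicConstraints=critical,CA:FALSE' 'extendedKeyUsage=serverAuth' \
    'keyUsage=critical,digitalSignature,keyEncipherment' \
    'subjectAltName=DNS:ldap.example.test' > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/srv.ext" \
    -out "$WORK/srv.pem" 2>/dev/null
}

# "yes" only when Issuer and Subject are identical, i.e. truly self-signed.
is_self_signed() {
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  if [ "$iss" = "$sub" ]; then echo yes; else echo no; fi
}

# Exit 0 when the certificate in $1 chains to the trust anchor in $2. This is
# the check that matters: verifying the CA file on its own proves nothing
# about the server certificate, and a leaf cannot vouch for itself.
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_test_certs
echo "CA self-signed:     $(is_self_signed "$WORK/ca.pem")"
echo "Server self-signed: $(is_self_signed "$WORK/srv.pem")"
chains_to_ca "$WORK/srv.pem" "$WORK/ca.pem" && echo "server cert chains to CA"
```

Against a live server the same chain check is run with `openssl s_client -CAfile cacert.pem -starttls ldap -connect host:389` for StartTLS or `openssl s_client -CAfile cacert.pem -connect host:636` for LDAPS; the "Verify return code" line at the end tells you whether the presented chain validates.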


ChrisLynch
HPE Pro

Re: HPE Oneview openldap

So, why are you using 389 for secure LDAP? The proper port is 636.

ditidiapl
Occasional Advisor

Re: HPE Oneview openldap

Our server is LDAPv3 and uses StartTLS on port 389. 

More information: http://www.openldap.org/faq/data/cache/605.html

ChrisLynch
HPE Pro

Re: HPE Oneview openldap

Yes, I am aware of that. The docs you linked to state:

It requires use of separate port, commonly 636.

So, trying to understand why you are using the unsecure port (389/tcp) for secure traffic.

ditidiapl
Occasional Advisor

Re: HPE Oneview openldap

Using TLS the communication is encrypted so it is Secure.

But the server allows communication without TLS (that is insecure) because some information is not sensitive like consulting the user catalog by an e-mail client or who is calling by our telephone system.

Systems that consult sensitive information like authentication we configure them to use TLS...


ChrisLynch
HPE Pro

Re: HPE Oneview openldap

Apologies for the late reply.  StartTLS is not the same as Secure OpenLDAP, and unfortunately, HPE OneView does not support it today.

Dennis Handly
Acclaimed Contributor

Re: HPE Oneview openldap

> This is the certificate of our main ldap server


Yes, that's the CA for your other cert.  openssl likes them.

But this seems odd: Public-Key: (2432 bit)

Hmm, I thought they only came in powers of two?  I.e. 2048.

But I see google finds a few mentions.


ditidiapl
Occasional Advisor

Re: HPE Oneview openldap

Thanks for your support

Since starttls is not currently supported by oneview we will create users manually in the server.

I hope someday oneview will be updated to recognize starttls because ldaps is deprecated

ldaps:// is deprecated in favor of Start TLS [RFC2830]. reference