Problem with HP Device Manager 5.0 LDAP connection

07-03-2019 01:45 PM - edited 07-03-2019 04:05 PM
Hello, having bad problems getting LDAP to work on HPDM 5.0. We have 4.7 working fine on an aging server, so we're putting in 5.0 on a new server to replace it. But LDAP is messed up. Doesn't matter if TLS is on or off*, doesn't matter if I use Active Directory as server type or General LDAP with DN format user (like our 4.7 is set up). Or what DC I connect to; they are all 2008R2. Several times, it has worked. 90 percent of the time, it does not and gets the following error:
>Test Failed
>Unknown Console to Server communication failure. Console to Server communication timeout.
*Edit -- I'm wrong, now working with Encryption set to None and a restart of service. I'm guessing cert issue of some kind, though not sure why it works fine in 4.7 and not 5.0. Yes, I "got key from host" and it said successful. I might fool around with manual import of cert(s); I'm sure our security team would like this.
version: 5.0.3610.35437
Found your log creator-- could this be the issue?
From hpdm-server:
2019-07-03 13:35:38 [89)-x.x.x.x] WARN LDAP - Failed to get netbiosname from domain: null
2019-07-03 13:35:38 [89)-x.x.x.x] WARN LDAP - java.lang.NullPointerException
From hpdm-console:
019-07-02 16:53:23 [WT-EventQueue-0] WARN ConsoleUtil - the input component is null!
2019-07-03 13:37:37 [pool-1-thread-2] WARN Console - RMI message [40403] interruptred.
2019-07-03 13:37:37 [pool-1-thread-2] WARN Console - java.lang.InterruptedException: Console to Server communication timeout.
07-09-2019 12:44 AM
Please make sure the network connections from HPDM Server to HPDM Console and to the AD Server are reachable.
I am an HPI Employee.
My opinions are my own, and do not express those of HPI.
08-14-2019 01:42 PM
Commenting as we too ran into this same exact issue without a resolution.
Our issue occurred after upgrading our environment from HPDM 4.7 SP11 to HPDM 5.0. The only difference from @Dbennettdenver's post is that we only get the last two WARN Console lines in our hpdm-console log. Logging is set to DEBUG.
Network connectivity has been confirmed.
Through a different third-party LDAP application, we noticed with a Wireshark capture that there was a user certificate request made by the server. Thinking that this might be the certificate issue, we went through the process of obtaining and getting a user certificate for the service account we use for the LDAP connection/HPDM Server service. However, this didn't correct the problem and appeared more third-party specific.
I can confirm the "10% it works, 90% it doesn't" previous description. During testing we have set encryption to None, applied changes, and restarted services. Tests will work. Then we will configure TLS on 389, apply changes, and restart services. Then sometimes tests will work, but after the second successful test all tests after that will time out.
One time we got the following error message:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find validate certificati
A little research pointed this issue at the JVM cacerts file as not having the CA cert that you use to authenticate through LDAP. We noticed that the JVM directory had changed from being in the HP Device Manager directory to now being in two locations: one in the Console directory and another in the Server directory. Using keytool, we listed out the certs in both cacerts files and did not notice our CA cert. We imported our CA cert into both cacerts files and restarted services, but still continued to have this issue. Only two times out of all of our failed tests did we get the PKIX error. None since importing our cert.
We have been forced to keep the encryption to None until a resolution can be found.
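An added example, not part of the thread and not HP's code: one way to test, outside HPDM, whether a domain controller's StartTLS certificate on port 389 chains to a given CA file, which is the condition a PKIX path building error reports on. The host name and CA file name in the usage comment are placeholders, and the sample response bytes are constructed.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)
# Constructed sample: a success ExtendedResponse encoded with long-form BER lengths.
SAMPLE_OK = bytes.fromhex("3084000000100201017884000000070a010004000400")

def starttls_request(msg_id=1):
    """BER-encode the LDAP ExtendedRequest that asks the server to start TLS."""
    name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID  # [0] requestName
    op = bytes([0x77, len(name)]) + name                    # [APPLICATION 23]
    body = bytes([0x02, 0x01, msg_id]) + op                 # messageID, then op
    return bytes([0x30, len(body)]) + body

def _tlv(buf, pos):
    """Read one BER element at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the byte count
        n = first & 0x7F
        first = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + first], pos + first

def starttls_result(resp):
    """Return the resultCode of an LDAP ExtendedResponse (0 means success)."""
    tag, msg, _ = _tlv(resp, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(msg, 0)  # skip messageID
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x78:  # [APPLICATION 24] ExtendedResponse
        raise ValueError("not an ExtendedResponse")
    return int.from_bytes(_tlv(op, 0)[1], "big")  # first field is resultCode

def check_ldap_starttls(host, ca_file, port=389, timeout=10):
    """StartTLS on the LDAP port, trusting only ca_file; return (ok, detail)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code = starttls_result(sock.recv(4096))
        if code != 0:
            return False, f"StartTLS refused, resultCode={code}"
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
        except ssl.SSLCertVerificationError as exc:
            return False, exc.verify_message
# Usage (placeholder names): check_ldap_starttls("dc01.example.com", "corp-ca.pem")
```

A `False` result carries the verifier's reason (untrusted issuer, expired certificate, host name mismatch), which separates a certificate chain problem from a failure in the application itself.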
10-31-2019 07:33 PM
Hi Zactime,
It is a certificate retrieved from LDAP Server to enhance the communication between HPDM and LDAP Server.
I am an HPI Employee.
My opinions are my own, and do not express those of HPI.
11-07-2019 12:26 PM
All,
HP's R&D has identified a security negotiation issue that is causing the TLS LDAP connection problems.
We received a patch from HP and confirmed that it addressed the issue.
This patch will be available in the HPDM 5.0 SP1 release, which was originally pulled after release, but will eventually be available. In the meantime, you have the option of reaching out to your HP rep and asking for the patch.