This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


May 20, 2015, 7:10 PM
39 Posts

DA LDAP on Port 636 error

  • Category: Administration
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags: ldap da
  • Replies: 7

Hi all,

Our Domino server wants to browse the user directory of a partner organization using LDAP. The partner is also using Domino. SSL is mandatory.


Steps performed:

1) Firewall opened

--- A third-party LDAP browser (on the same machine as the Domino server) can successfully connect to the partner organization using SSL on port 636 and we can browse the directory

2) Root Certificate from partner extracted using openssl

--- C:\Temp>openssl.exe s_client -connect 10.10.10.1:636 >> cert_partner.pem

Output from openssl (but it will create a PEM file which will contain the certificate)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "
(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=19:self signed certificate in certificate chain
read:errno=10093

3) This certificate was imported into the KYR file as a Signer

--- We used ikeyman to put it into the KYR file that is specified in the server document, then the server was restarted

4) Created a DA Document

--- All tests in the DA document work except the "Verify" button next to "Which Search Filter To Use", where the error is "Unexpected error - 'java.lang.NullpointerException'". But I read that the wizard in DA is not the same as what Domino will actually use, so I am ignoring this for now

5) This appears on the server console after a reboot of the server

set config debug_ssl_all=3

2015-05-20 20:47:30   Error attempting to access the Directory *[10.10.10.1]:636 (no available alternatives),  error is LDAP Server is NOT available.
2015-05-20 20:47:30,29 [12C4:0004-15C4] SSLCheckCertChain> Invalid certificate chain received
Cert Chain Evaluation Status: err: 5950, Certificate is expired or not yet valid
2015-05-20 20:47:30,29 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error 0 to 0
2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Handshake> Enter
2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Handshake> SSL Undetermined attempt
2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> Enter len = 45
2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Xmt> 00000000: 80 2B 01 03 00 00 12 00 00 00 10 00 00 04 00 00   '.+..............'
2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Xmt> 00000010: 05 00 00 2F 00 00 35 00 00 0A 01 00 80 9F B9 65   '.../..5.......9e'
2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_Xmt> 00000020: F8 54 01 02 4D FB CE 34 10 DC B2 AE C3            'xT..M{N4.\2.C'
2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> Switching Endpoint to sync
2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> Posting a nti_snd for 45 bytes
2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_EncryptData> SSL not init exit
2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> Switching Endpoint to async
2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_EncryptDataCleanup> SSL not init exit
2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> nti_done return 45 bytes rc = 0
2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Write> Exit, wrote 45 bytes
2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Read> Enter len = 1
2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Read> Switching Endpoint to sync
2015-05-20 20:47:30,29 [12C4:0004-15C4] S_Read> Posting a nti_rcv for 1 bytes
2015-05-20 20:47:30,29 [12C4:0004-15C4] SSL_RcvSetup> SSL not init exit
2015-05-20 20:47:30,31 [12C4:0004-15C4] S_Read> Switching Endpoint to async
2015-05-20 20:47:30,31 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9
2015-05-20 20:47:30,31 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9 Event = 0x100
2015-05-20 20:47:30,31 [12C4:0004-15C4] SSL_Handshake> After handshake state= 2 Status= -6989
2015-05-20 20:47:30,31 [12C4:0004-15C4] SSL_Handshake> Exit Status = -6989
2015-05-20 20:47:30,31 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error -6989 to 4165
Checking keyfile certificates:
2015-05-20 20:47:30,35 [12C4:0004-15C4] SSLCheckCertChain> Invalid certificate chain received
Cert Chain Evaluation Status: err: 5950, Certificate is expired or not yet valid
2015-05-20 20:47:30,35 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error 0 to 0
2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Handshake> Enter
2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Handshake> SSL Undetermined attempt
2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> Enter len = 45
2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Xmt> 00000000: 80 2B 01 03 00 00 12 00 00 00 10 00 00 04 00 00   '.+..............'
2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Xmt> 00000010: 05 00 00 2F 00 00 35 00 00 0A 01 00 80 98 CD D9   '.../..5.......MY'
2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_Xmt> 00000020: 4D BE 68 BE EA 38 CD 71 C0 7A 5A 7C 8B            'M>h>j8Mq@zZ|.'
2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> Switching Endpoint to sync
2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> Posting a nti_snd for 45 bytes
2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_EncryptData> SSL not init exit
2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> Switching Endpoint to async
2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_EncryptDataCleanup> SSL not init exit
2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> nti_done return 45 bytes rc = 0
2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Write> Exit, wrote 45 bytes
2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Read> Enter len = 1
2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Read> Switching Endpoint to sync
2015-05-20 20:47:30,35 [12C4:0004-15C4] S_Read> Posting a nti_rcv for 1 bytes
2015-05-20 20:47:30,35 [12C4:0004-15C4] SSL_RcvSetup> SSL not init exit
2015-05-20 20:47:30,37 [12C4:0004-15C4] S_Read> Switching Endpoint to async
2015-05-20 20:47:30,37 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9
2015-05-20 20:47:30,37 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9 Event = 0x100
2015-05-20 20:47:30,37 [12C4:0004-15C4] SSL_Handshake> After handshake state= 2 Status= -6989
2015-05-20 20:47:30,37 [12C4:0004-15C4] SSL_Handshake> Exit Status = -6989
2015-05-20 20:47:30,37 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error -6989 to 4165
Checking keyfile certificates:
2015-05-20 20:47:30,42 [12C4:0004-15C4] SSLCheckCertChain> Invalid certificate chain received
Cert Chain Evaluation Status: err: 5950, Certificate is expired or not yet valid
2015-05-20 20:47:30,42 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error 0 to 0
2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Handshake> Enter
2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Handshake> Current Cipher 0x0000 (Unknown Cipher)
2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Handshake> SSL Undetermined attempt
2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> Enter len = 45
2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Xmt> 00000000: 80 2B 01 03 00 00 12 00 00 00 10 00 00 04 00 00   '.+..............'
2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Xmt> 00000010: 05 00 00 2F 00 00 35 00 00 0A 01 00 80 C9 7C 3C   '.../..5......I|<'
2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_Xmt> 00000020: FC 00 E2 73 ED 09 B7 C0 BA 41 F3 0A 27            '|.bsm.7@:As.''
2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> Switching Endpoint to sync
2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> Posting a nti_snd for 45 bytes
2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_EncryptData> SSL not init exit
2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> Switching Endpoint to async
2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_EncryptDataCleanup> SSL not init exit
2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> nti_done return 45 bytes rc = 0
2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Write> Exit, wrote 45 bytes
2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Read> Enter len = 1
2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Read> Switching Endpoint to sync
2015-05-20 20:47:30,42 [12C4:0004-15C4] S_Read> Posting a nti_rcv for 1 bytes
2015-05-20 20:47:30,42 [12C4:0004-15C4] SSL_RcvSetup> SSL not init exit
2015-05-20 20:47:30,43 [12C4:0004-15C4] S_Read> Switching Endpoint to async
2015-05-20 20:47:30,43 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9
2015-05-20 20:47:30,43 [12C4:0004-15C4] S_Read> nti_done return 0 bytes rc = 9 Event = 0x100
2015-05-20 20:47:30,43 [12C4:0004-15C4] SSL_Handshake> After handshake state= 2 Status= -6989
2015-05-20 20:47:30,43 [12C4:0004-15C4] SSL_Handshake> Exit Status = -6989
2015-05-20 20:47:30,43 [12C4:0004-15C4] int_MapSSLError> Mapping SSL error -6989 to 4165
2015-05-20 20:47:31   Error attempting to access the Directory *[10.10.10.1]:636 (no available alternatives),  error is LDAP Server is NOT available.
Any ideas???

May 20, 2015, 8:27 PM
191 Posts
Is that all of the output from openssl?
It looks like you hit an error (read:errno=10093), but it's not clear if you only pasted the first part of the output or if that's all there was. If it's the latter, then you didn't get the certificate. You should see BEGIN CERTIFICATE and END CERTIFICATE in the output, among many other things.
May 21, 2015, 1:16 PM
24 Posts
kyrtool to import trusted root
The following contains steps to use kyrtool.exe to import the trusted root certificate.

Installing and Running the Domino keyring tool
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/kyrtool

'import roots' will import one or more certificates into the keyring file as trusted roots.
The input file must contain one or more '-----BEGIN CERTIFICATE-----' PEM blobs.


May 21, 2015, 5:18 PM
94 Posts
SSLCheckCertChain> Invalid certificate chain received: Cert Chain Evaluation Status: err: ...
Is the LDAP server's certificate expired or not yet valid?

Is the Domino server's certificate expired or not yet valid?
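A check that covers the openssl capture in the first post and the two follow-up questions: does the PEM file actually contain BEGIN/END CERTIFICATE blocks, and is any certificate in it expired or not yet valid (the condition Domino logs as err 5950). This is an added example, not code from the thread or from HCL; it assumes a POSIX shell with the openssl CLI and GNU date on PATH, and the host/port passed to capture_chain are placeholders.

```shell
#!/bin/sh
# Added example: sanity-check a PEM capture from `openssl s_client -showcerts`
# before importing it into the KYR file. Assumes openssl CLI and GNU date.

# Capture the whole chain the LDAP server presents (leaf, intermediates, root).
# Without -showcerts s_client prints only the leaf certificate; </dev/null
# closes stdin so s_client exits instead of waiting. Host/port are placeholders.
capture_chain() {   # capture_chain HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' >"$3"
}

# Number of PEM certificate blobs in a file. 0 means nothing was captured
# (the errno=10093 run in the thread left no BEGIN CERTIFICATE to import).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || [ "$?" -eq 1 ]
}

# Print the n-th (1-based) certificate block of a PEM file.
nth_pem_cert() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/ {c++}
        c == want {print}
        /-----END CERTIFICATE-----/ {if (c == want) exit}' "$1"
}

# Classify the PEM certificate on stdin against the current time:
# VALID, EXPIRED or NOT_YET_VALID (Domino's err 5950 covers both bad cases).
cert_validity_status() {
    pem=$(cat)
    nb=$(printf '%s\n' "$pem" | openssl x509 -noout -startdate | sed 's/^notBefore=//')
    na=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate | sed 's/^notAfter=//')
    now=$(date -u +%s)
    if [ "$(date -u -d "$nb" +%s)" -gt "$now" ]; then echo NOT_YET_VALID
    elif [ "$(date -u -d "$na" +%s)" -le "$now" ]; then echo EXPIRED
    else echo VALID
    fi
}

# One line per certificate in the capture: index, subject and validity status.
report_chain() {
    n=$(count_pem_certs "$1")
    i=1
    while [ "$i" -le "$n" ]; do
        cert=$(nth_pem_cert "$1" "$i")
        subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
        printf '%d: %s [%s]\n' "$i" "$subj" "$(printf '%s\n' "$cert" | cert_validity_status)"
        i=$((i + 1))
    done
}
```

Run `report_chain cert_partner.pem` on the capture; a count of 0 or an EXPIRED / NOT_YET_VALID entry explains the SSLCheckCertChain failure before any KYR import is attempted.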
May 23, 2015, 6:20 AM
34 Posts
Version

Hi,

Which version of Domino is deployed on your server and on the LDAP site?

Importing the root certifier of the target site is not necessary. When you want to trust a root certifier you have to import it into your Domino Directory or put it into cacerts within the Domino Java directory (depends on the service you need to connect to).

Regards

Chris

May 25, 2015, 7:00 AM
39 Posts
Certificate

Thanks all for the help, I will try them out, during this week.

* Domino (LDAP client) is version 9.0.1 FP2 on Windows. For the LDAP server I do not know which Domino version.

* I did import the LDAP client root cert into cacerts. But I have not put it into the Domino Directory.

* I did select "Accept expired certificates" in the DA config.

* The Domino (LDAP client) server has an expired cert

* The LDAP server has a valid certificate


Mar 2, 2016, 11:43 AM
39 Posts
Update

Here is a late update. I have been dealing with this error on multiple sites.

In this particular case I think it was solved by a notes.ini setting, but I do not know which. Here is a list of settings I have been playing around with for LDAP SSL:

Disable_SSLv3=1

SSL_ENABLE_INSECURE_SSLV2_HELLO=1

SSL_DISABLE_TLS_12=1

SSL_ENABLE_INSECURE_RENEGOTIATE=1
