Problem:
Authentication error when logging into the Stratusphere web UI with an Active Directory imported user account. Local Directory accounts such as ssadmin are able to login.
Possible resolution:
Putty or console into the hub as friend/ec2-user/azureuser and run the following commands to check the log for an LDAP error after a failed login attempt with the AD user. Al
sudo bash
egrep 'LDAP error|SHA1withRSA' /opt/lwl/servicemix/data/log/servicemix*
If you see an error like this, the AD certificate may be using deprecated SHA-1 encryption. The directory in question should be listed, lwlqa.int is the example here:
2024-04-12 17:56:05,080 | ERROR | nats:3 | DefaultAuthApiServiceImpl | 272 - lwl-objectbase - 0.39.0 | Unexpected LDAP error, not allow authentication
org.springframework.dao.DataAccessResourceFailureException: Unknown LDAP error; nested exception is org.springframework.ldap.CommunicationException: lwlqa.int:636; nested exception is javax.naming.CommunicationException: lwlqa.int:636 [Root exception is javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints]
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA
You can further verify the encryption algorithm with if the following openssh command outputs sha1WithRSAEncryption. Edit lwlqa.int:636 in the command to match your directory hostname/IP and port.:
openssl s_client -connect lwlqa.int:636 </dev/null 2>/dev/null | openssl x509 -inform pem -text|grep -i algorithm
The best solution is to replace the Active Directory certificate with one with SHA-2 encryption. If you're unable to replace the the certificate, you may work around it by allowing SHA-1 in the java.security configuration. Run the following commands on the hub:
cd /usr/lib/jvm/java-1.8.0-openjdk/jre/lib/security/
cp java.security java.security.bak
sed -i '/^[[:blank:]]*SHA1 usage SignedJAR & denyAfter 2019-01-01,/s/^/#/' java.security
Verify that the SHA1 disabled algorithms line is commented:
grep -A3 '^jdk.certpath.disabledAlgorithms=' java.security
Output should look like this:
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
# SHA1 usage SignedJAR & denyAfter 2019-01-01, \
include jdk.disabled.namedCurves
Restart the lwl-smx service and verify it is running:
systemctl restart lwl-smx
systemctl status lwl-smx
The AD user should now be able to log in with SHA-1 encryption.
Product: Stratusphere FIT/UX
Product Version: All
Expires on: 365 days from publish date
Updated: April 12, 2024