
Prime Collaboration Provisioning 10.6 and openSSL

vhinckley
Level 1

So, after a few years of having a 10.6 Provisioning server, I'm finally getting around to figuring out how it works. The first thing I notice is that the connection to LDAP isn't working. I dig around the logs and find out the LDAP servers don't like the Diffie-Hellman (DH) handshake (this also explains why I can't use SSH to connect - my SSH client doesn't like the algorithm...). The last time Cisco provided an openSSL fix for 10.6 was in 2015. So, what I'm wondering is, how do I go about getting this fixed?

4 Replies

vhinckley
Level 1

Here is the actual log entry:

Thu 30-Nov-2017 15:47:36 MST:HIG:e927-ajp-127.0.0.:AAAManager  :<<static>>                  
ERROR: Error while connecting to the LDAP server: ldap://:636 with user security principal: 
simple bind failed: :636
javax.naming.CommunicationException: simple bind failed: :636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair]
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:198)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
	at javax.naming.InitialContext.init(InitialContext.java:223)
	at javax.naming.InitialContext.<init>(InitialContext.java:197)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
	at com.cisco.cucms.cupm.device.ApplicationManager.ConnectionStatusForLDAP(ApplicationManager.java:4187)
	at com.cisco.cucms.cupm.device.ApplicationManager.getLDAPandACSConnectionStatus(ApplicationManager.java:3960)
	at com.cisco.cucms.cupm.device.ApplicationManager.getConnectionStatus(ApplicationManager.java:3695)
	at com.cisco.cucms.cupm.device.ApplicationManager.parseRequest(ApplicationManager.java:168)
	at org.apache.jsp.ipt.device.device_005fcrud_jsp._jspService(device_005fcrud_jsp.java:70)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.cisco.xmp.wap.dojo.servlet.filter.DojoIframeSendFilter.doFilter(DojoIframeSendFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at dfc.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:105)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at dfc.filters.AjaxSessionFilter.doFilter(AjaxSessionFilter.java:81)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
	at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
	at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:437)
	at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:381)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
	at java.lang.Thread.run(Thread.java:682)
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1708)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1691)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1617)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:105)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:389)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:339)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:193)
	... 51 more
Caused by: java.lang.RuntimeException: Could not generate DH keypair
	at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:114)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:559)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:186)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
	... 57 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
	at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DashoA13*..)
	at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:627)
	at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:107)
	... 65 more

Per this site: https://stackoverflow.com/questions/14253039/is-there-a-workaround-for-java-lang-runtimeexception-could-not-generate-dh-key/21617747, it looks like the issue is more along the lines of the LDAP server responding with a larger key than my Prime Provisioning server can handle.

Still stuck without any idea how to get around/fix this...
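The InvalidAlgorithmParameterException at the bottom of that trace names the check that fails: the legacy JDK DH key generator only accepts a prime whose size is a multiple of 64 bits in the 512 to 1024 range, and the trace shows the check running inside the JVM's own TLS stack (com.sun.net.ssl.internal.ssl) while it processes the server's ServerKeyExchange. The Python below is an added example, not code from this thread or from Cisco: it decodes the DH parameters from a ServerKeyExchange body and applies that same rule, so the size the LDAP server offers can be compared with what this client will accept. The message it parses is constructed (stand-in values of the right length, not real primes), and all function names are my own.

```python
"""
Added example (not part of the thread or of any Cisco code): decode the DH
parameters a server sends in a TLS 1.0-1.2 ServerKeyExchange message and
apply the prime-size rule quoted in the exception above, so the size the
server actually offers can be compared with what the legacy JDK accepts.
The sample messages below are constructed; the values are not real primes.
"""
import struct

# Limits taken verbatim from the InvalidAlgorithmParameterException text in
# the log above. The JVM's own TLS stack (com.sun.net.ssl.internal.ssl) is
# what enforces them, so this is independent of any openSSL on the host.
LEGACY_JDK_DH_MIN_BITS = 512
LEGACY_JDK_DH_MAX_BITS = 1024


def _read_opaque16(payload, offset, name):
    """Read one 'opaque <1..2^16-1>' field: 2-byte big-endian length, then bytes."""
    if offset + 2 > len(payload):
        raise ValueError("truncated before length of %s" % name)
    (length,) = struct.unpack(">H", payload[offset:offset + 2])
    offset += 2
    if length == 0 or offset + length > len(payload):
        raise ValueError("bad or truncated %s" % name)
    value = int.from_bytes(payload[offset:offset + length], "big")
    return value, offset + length


def parse_server_dh_params(payload):
    """Parse ServerDHParams (RFC 5246 section 7.4.3): dh_p, dh_g, dh_Ys.
    Returns (p, g, Ys, bytes_consumed); anything after that is the signature."""
    offset = 0
    p, offset = _read_opaque16(payload, offset, "dh_p")
    g, offset = _read_opaque16(payload, offset, "dh_g")
    ys, offset = _read_opaque16(payload, offset, "dh_Ys")
    return p, g, ys, offset


def build_server_dh_params(p, g, ys):
    """Encode ServerDHParams; used here only to construct test messages."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out


def legacy_jdk_accepts_prime(p):
    """Apply the rule from the exception: multiple of 64, 512..1024 inclusive.
    Returns (accepted, reason)."""
    bits = p.bit_length()
    if bits % 64:
        return False, "%d-bit prime is not a multiple of 64" % bits
    if not LEGACY_JDK_DH_MIN_BITS <= bits <= LEGACY_JDK_DH_MAX_BITS:
        return False, "%d-bit prime is outside %d..%d" % (
            bits, LEGACY_JDK_DH_MIN_BITS, LEGACY_JDK_DH_MAX_BITS)
    return True, "%d-bit prime is within the legacy JDK range" % bits


def diagnose_server_key_exchange(payload):
    """Decode a ServerKeyExchange body and report whether the legacy JDK
    client in the thread could complete the handshake against it."""
    p, g, ys, used = parse_server_dh_params(payload)
    accepted, reason = legacy_jdk_accepts_prime(p)
    return {"p_bits": p.bit_length(), "g": g, "ys_bits": ys.bit_length(),
            "signature_bytes": len(payload) - used,
            "legacy_jdk_ok": accepted, "reason": reason}


if __name__ == "__main__":
    # Constructed stand-ins with the right bit lengths (not real primes):
    # a 1024-bit group passes, a 2048-bit group is refused exactly as in the log.
    for bits in (1024, 2048):
        msg = build_server_dh_params((1 << (bits - 1)) | 1, 2, 0x1234)
        print(diagnose_server_key_exchange(msg))
```

The decoder is what makes the point concrete: the LDAP server is not sending anything malformed, it is offering a DH group larger than this client's crypto provider will instantiate, so the fix has to land on the client side (the JVM and its provider), not on the directory. Against a live LDAPS port the same size is visible in the Server Temp Key line that openssl s_client prints on OpenSSL 1.0.2 or later.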

If you are just getting around to experimenting with PCP, I would start with a fresh install of PCP 12.3 or 12.4 (available the first week of January 2018). There have been a significant number of changes and new features since 10.6 (nine revs ago). The generic openSSL library has been replaced with the latest Cisco-maintained CiscoSSL package, and the OS has been completely replaced.

Regards

I was rather hoping to figure out if PCP would be useful in my environment before spending money on a new version - if Cisco didn't charge for "upgrade licenses", I wouldn't be messing around with my old one! :)

I understand the worry about buy before you try. I assume PCP does not have a service contract, right?

You could clone your 10.6 server and upgrade the clone all the way up to 12.3, and we can provide a 60 or 90 day eval license. This would allow you to kick the tires and see how useful the 12.x revs are in your environment without making an investment. A second option is to install the free Standard version of 12.3 and do a small configuration, perhaps just one Domain, and see how it works in your environment.

Have you installed the PCP 10.6 openSSL upgrade? If not, it is in the patches download area on CCO for PCP 10.6. This might be helpful to allow you to do some testing, though it is an older version of openSSL. If you are a Linux-savvy person, you could just download the latest openSSL 1.1.0g and update the current openSSL version (back up or make a clone of the server first).

These might be some options to try.

Regards