cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1102
Views
5
Helpful
4
Replies

Prime Collaboration Provisioning 10.6 and openSSL

vhinckley
Level 1
Level 1

So, after a few years of having a 10.6 Provisioning server, I'm finally getting around to figuring out how it works. First thing I notice is that the connection to LDAP isn't working. Dig around logs, and find out the LDAP servers don't like the diffie-hellman (DH) handshake (this also explains why I can't use SSH to connect - my SSH client doesn't like the algorithm...). Last time Cisco provided an openSSL fix for 10.6 was in 2015. So, what I'm wondering is, how do I go about getting this fixed?

4 Replies 4

vhinckley
Level 1
Level 1

Here is the actual log entry:

 

Thu 30-Nov-2017 15:47:36 MST:HIG:e927-ajp-127.0.0.:AAAManager  :<<static>>                  
ERROR: Error while connecting to the LDAP server: ldap://:636 with user security principal: 
simple bind failed: :636
javax.naming.CommunicationException: simple bind failed: :636 [Root exception is javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair]
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:198)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2720)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:296)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
	at javax.naming.InitialContext.init(InitialContext.java:223)
	at javax.naming.InitialContext.<init>(InitialContext.java:197)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
	at com.cisco.cucms.cupm.device.ApplicationManager.ConnectionStatusForLDAP(ApplicationManager.java:4187)
	at com.cisco.cucms.cupm.device.ApplicationManager.getLDAPandACSConnectionStatus(ApplicationManager.java:3960)
	at com.cisco.cucms.cupm.device.ApplicationManager.getConnectionStatus(ApplicationManager.java:3695)
	at com.cisco.cucms.cupm.device.ApplicationManager.parseRequest(ApplicationManager.java:168)
	at org.apache.jsp.ipt.device.device_005fcrud_jsp._jspService(device_005fcrud_jsp.java:70)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.cisco.xmp.wap.dojo.servlet.filter.DojoIframeSendFilter.doFilter(DojoIframeSendFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at dfc.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:105)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at dfc.filters.AjaxSessionFilter.doFilter(AjaxSessionFilter.java:81)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
	at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:393)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
	at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:437)
	at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:381)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
	at java.lang.Thread.run(Thread.java:682)
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1708)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1691)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1617)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:105)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:416)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:389)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:339)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:193)
	... 51 more
Caused by: java.lang.RuntimeException: Could not generate DH keypair
	at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:114)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverKeyExchange(ClientHandshaker.java:559)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:186)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
	... 57 more
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
	at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DashoA13*..)
	at java.security.KeyPairGenerator$Delegate.initialize(KeyPairGenerator.java:627)
	at com.sun.net.ssl.internal.ssl.DHCrypt.<init>(DHCrypt.java:107)
	... 65 more

 

Per this site: https://stackoverflow.com/questions/14253039/is-there-a-workaround-for-java-lang-runtimeexception-could-not-generate-dh-key/21617747, it looks like the issue is more along the lines of the LDAP server is responding with a larger key than what my Prime Provisioning server can handle.

 

Still stuck without any idea how to get around/fix this...

If you are just getting around to experimenting with PCP, I would start with a fresh install of PCP 12.3 or 12.4 (available first week of January 2018).  There has been a significant amount of changes and new features since 10.6 (nine revs ago).  The generic openSSL library has been replaced with the latest Cisco maintained CiscoSSL package and the OS has been completely replaced.

 

Regards

I was rather hoping to figure out if PCP would be useful in my environment before spending money on a new version - if Cisco didn't charge for "upgrade licenses", I wouldn't be messing around with my old one! :)

I understand the worry about buy before you try. I assume PCP does not have a service contract, right?

 

You could clone your 10.6 server and upgrade the clone all the way up to 12.3 and we can provide a 60 or 90 day eval license. This would allow you to kick the tires and see how useful the 12.x revs are in your environment without making an investment.  A second option is to install the free Standard version of 12.3 and do a small configuration, perhaps just one Domain, and see how it works in your environment.

 

Have you installed the PCP 10.6 openSSL upgrade. If not it is in the patches download area on CCO for PCP 10.6.  This might be helpful to allow you to do some testing though it is an older version of openSSL.  If you are a linux savy person, you could just download the latest openSSL 1.1.0g and update the current openSSL version (backup or make a clone of the server first).

 

These might be some options to try.

 

Regards

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: