Error while connecting External DS to IDM with ssl : Unrecognized SSL message, plaintext connection?

Hello,

I am configuring IDM with an external DS over an SSL connection, but after starting IDM it shows me the error below:

Also, I have checked the DS logs and found this error:

{"eventName":"DJ-LDAP","client":{"ip":"172.16.10.85","port":35028},"server":{"ip":"172.16.10.87","port":636},"request":{"protocol":"LDAPS","operation":"DISCONNECT","connId":12,"message":"SSLException: Unrecognized SSL message, plaintext connection?"},"transactionId":"0","response":{"status":"SUCCESSFUL","statusCode":"0","elapsedTime":0,"elapsedTimeUnits":"MILLISECONDS","reason":"Protocol Error"},"timestamp":"2023-10-31T12:23:20.982Z","_id":"e0896af4-25e9-4e64-87ce-36d9446458d2-47"}

I have also uploaded the CA certificate of DS, which was generated while installing DS, to the IDM truststore, but the issue is still the same.

Below is the repo.ds.json content that I changed to integrate the external DS, for your reference:
{
  "embedded" : false,
  "maxConnectionAttempts" : 5,
  "security" : {
    "trustManager" : "file",
    "fileBasedTrustManagerType" : "JKS",
    "fileBasedTrustManagerFile" : "&{idm.install.dir}/security/truststore",
    "fileBasedTrustManagerPasswordFile" : "&{idm.install.dir}/security/storepass"
  },
  "ldapConnectionFactories" : {
    "bind" : {
      "connectionSecurity" : "startTLS",
      "heartBeatIntervalSeconds" : 60,
      "heartBeatTimeoutMilliSeconds" : 10000,
      "connectionPoolSize" : 50,
      "primaryLdapServers" : [
        {
          "hostname" : "opendj.inspira.com",
          "port" : 636
        }
      ],
      "secondaryLdapServers" : [ ]
    },
    "root" : {
      "inheritFrom" : "bind",
      "authentication" : {
        "simple" : {
          "bindDn" : "cn=admin",
          "bindPassword" : {
            "$crypto" : {
              "type" : "x-simple-encryption",
              "value" : {
                "cipher" : "AES/CBC/PKCS5Padding",
                "stableId" : "openidm-sym-default",
                "salt" : "BBMH8UvYOFhSve/Kj3V/ow==",
                "data" : "nQ+TQtoOktMWXvY6aAa67g==",
                "keySize" : 16,
                "purpose" : "idm.config.encryption",
                "iv" : "qZowW9dxAdHge3cNf0RadA==",
                "mac" : "giaVKiOGqczlYNwHT4XI7Q=="
              }
            }
          }
        }
      }
    }
  }
}

Can you please assist me to resolve this?

Hi @sidghosalkar

This message ("SSLException: Unrecognized SSL message, plaintext connection?") typically means that you are attempting to communicate using TLS on a connection handler that isn't expecting TLS. Are you sure that your DS connection handler is configured correctly?


Hi @mwtech ,

Below are the details of my DS connection handlers:

dn: cn=LDAP,cn=connection handlers,cn=config
objectClass: top
objectClass: ds-cfg-connection-handler
objectClass: ds-cfg-ldap-connection-handler
cn: LDAP
ds-cfg-java-class: org.opends.server.protocols.ldap.LDAPConnectionHandler
ds-cfg-ssl-cipher-suite: TLS_AES_128_GCM_SHA256
ds-cfg-ssl-cipher-suite: TLS_AES_256_GCM_SHA384
ds-cfg-ssl-cipher-suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
ds-cfg-ssl-cipher-suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
ds-cfg-ssl-cipher-suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ds-cfg-ssl-cipher-suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ds-cfg-ssl-cipher-suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ds-cfg-ssl-cipher-suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ds-cfg-ssl-cipher-suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
ds-cfg-enabled: true
ds-cfg-key-manager-provider: cn=PKCS12,cn=Key Manager Providers,cn=config
ds-cfg-listen-port: 389
ds-cfg-use-ssl: false
ds-cfg-ssl-protocol: TLSv1.2
ds-cfg-ssl-protocol: TLSv1.3
ds-cfg-ssl-cert-nickname: ssl-key-pair
ds-cfg-trust-manager-provider: cn=JVM Trust Manager,cn=Trust Manager Providers,cn=config
modifiersName: cn=admin
ds-cfg-allow-start-tls: true
etag: 7d7ead29-4bbf-41e1-968b-23a69092709f-2
modifyTimestamp: 20231019145605Z

dn: cn=LDAPS,cn=connection handlers,cn=config
objectClass: top
objectClass: ds-cfg-connection-handler
objectClass: ds-cfg-ldap-connection-handler
cn: LDAPS
ds-cfg-java-class: org.opends.server.protocols.ldap.LDAPConnectionHandler
ds-cfg-ssl-cipher-suite: TLS_AES_128_GCM_SHA256
ds-cfg-ssl-cipher-suite: TLS_AES_256_GCM_SHA384
ds-cfg-ssl-cipher-suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
ds-cfg-ssl-cipher-suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
ds-cfg-ssl-cipher-suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ds-cfg-ssl-cipher-suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ds-cfg-ssl-cipher-suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ds-cfg-ssl-cipher-suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ds-cfg-ssl-cipher-suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
ds-cfg-enabled: true
ds-cfg-keystore-file: /opt/opendj/config/keystore
ds-cfg-keystore-pin: 7yN+kL5ZrD+doaUivIMKmhvj3F9VDTwCtKziv/mlr9GcuF9jPaIXSMj3+gjZgc3JtG4=
ds-cfg-listen-port: 636
ds-cfg-use-ssl: true
ds-cfg-ssl-protocol: TLSv1.2
ds-cfg-ssl-protocol: TLSv1.3
ds-cfg-allow-start-tls: false
ds-cfg-ssl-cert-nickname: ssl-key-pair
ds-cfg-key-manager-provider: cn=PKCS12,cn=Key Manager Providers,cn=config
ds-cfg-trust-manager-provider: cn=PKCS12,cn=Trust Manager Providers,cn=config

I think you are talking about the "ds-cfg-allow-start-tls: false" value under the LDAPS connection handler, which must be true according to the repo.ds.json file.

Can you please verify and confirm whether changes should be made to these connection handlers?

In your repo.ds.json, try setting connectionSecurity to "ssl" and try again.

{
  "connectionSecurity" : "ssl",
  "heartBeatIntervalSeconds" : 60,
  "heartBeatTimeoutMilliSeconds" : 10000,
  "connectionPoolSize" : 50,
  "primaryLdapServers" : [
    {
      "hostname" : "platformds1.sqoopdata.local",
      "port" : 25136
    }
  ],
  "secondaryLdapServers" : [ ]
}

I'd go with the approach suggested by @jsingh. Your connection handlers look fine, but the LDAPS handler is not configured to support startTLS. Whether or not to allow startTLS is a different discussion altogether, but with your current configuration I'd just use "connectionSecurity" : "ssl".
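The root cause in this thread is a mode mismatch: IDM's `connectionSecurity: startTLS` opens a plaintext connection and then asks for StartTLS, while the handler on port 636 (`ds-cfg-use-ssl: true`) expects a TLS handshake as the very first bytes, which is exactly what DS reports as "Unrecognized SSL message, plaintext connection?". The following Python script is an added example (it is not part of the thread and not ForgeRock's code) that reads the connection-handler LDIF and repo.ds.json and reports that mismatch before IDM is started. The LDIF and JSON samples are constructed, trimmed from the posts above to the attributes that matter; `ds.example.com` is a placeholder hostname. The script only inspects static configuration and never connects to the server.

```python
"""Static consistency check between IDM repo.ds.json connection factories
and the DS connection handlers they target (added example, not ForgeRock code)."""
import json

# Constructed sample input, trimmed from the thread above: the two DS
# connection handlers (only the relevant attributes) and the bind/root
# factories from repo.ds.json. The hostname is a placeholder.
HANDLER_LDIF = """\
dn: cn=LDAP,cn=connection handlers,cn=config
cn: LDAP
ds-cfg-enabled: true
ds-cfg-listen-port: 389
ds-cfg-use-ssl: false
ds-cfg-allow-start-tls: true

dn: cn=LDAPS,cn=connection handlers,cn=config
cn: LDAPS
ds-cfg-enabled: true
ds-cfg-listen-port: 636
ds-cfg-use-ssl: true
ds-cfg-allow-start-tls: false
"""

REPO_DS_JSON = """{
  "ldapConnectionFactories" : {
    "bind" : {
      "connectionSecurity" : "startTLS",
      "primaryLdapServers" : [ { "hostname" : "ds.example.com", "port" : 636 } ],
      "secondaryLdapServers" : [ ]
    },
    "root" : { "inheritFrom" : "bind" }
  }
}"""


def parse_ldif_entries(text):
    """Minimal LDIF reader for plain 'attr: value' lines; entries are separated
    by blank lines. Returns a list of dicts mapping attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def resolve_factory(factories, name):
    """Follow IDM's inheritFrom chain: the child's keys override the parent's."""
    factory = factories[name]
    parent = factory.get("inheritFrom")
    merged = resolve_factory(factories, parent) if parent else {}
    merged.update(factory)
    return merged


def check_factory(factory, handlers):
    """Return the mismatches between one connection factory and the handlers
    listening on the ports it targets. An empty list means it is consistent."""
    mode = factory.get("connectionSecurity", "none")
    problems = []
    servers = factory.get("primaryLdapServers", []) + factory.get("secondaryLdapServers", [])
    for server in servers:
        port = str(server["port"])
        handler = next((h for h in handlers
                        if h.get("ds-cfg-enabled", ["false"])[0] == "true"
                        and h.get("ds-cfg-listen-port", [""])[0] == port), None)
        if handler is None:
            problems.append(f"port {port}: no enabled DS connection handler listens there")
            continue
        name = handler["cn"][0]
        use_ssl = handler.get("ds-cfg-use-ssl", ["false"])[0] == "true"
        allow_starttls = handler.get("ds-cfg-allow-start-tls", ["false"])[0] == "true"
        if mode == "ssl" and not use_ssl:
            problems.append(f"port {port}: IDM starts with a TLS handshake, "
                            f"but handler {name} is a plaintext listener")
        elif mode in ("startTLS", "none") and use_ssl:
            # This is the case from the thread: plaintext bytes hit an LDAPS listener.
            problems.append(f"port {port}: IDM sends plaintext LDAP first ({mode}), but "
                            f"handler {name} expects a TLS handshake "
                            f"(DS logs 'Unrecognized SSL message, plaintext connection?')")
        elif mode == "startTLS" and not allow_starttls:
            problems.append(f"port {port}: handler {name} has ds-cfg-allow-start-tls: false, "
                            f"so the StartTLS request will be refused")
    return problems


def check_repo_config(repo_json, ldif_text):
    """Check every factory in repo.ds.json; returns {factory name: [problems]}."""
    handlers = parse_ldif_entries(ldif_text)
    factories = json.loads(repo_json)["ldapConnectionFactories"]
    return {name: check_factory(resolve_factory(factories, name), handlers)
            for name in factories}


if __name__ == "__main__":
    for name, problems in check_repo_config(REPO_DS_JSON, HANDLER_LDIF).items():
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```

Run as-is it flags both `bind` and the inheriting `root` factory; changing `"startTLS"` to `"ssl"` in the sample (the fix agreed on above) makes the report come back clean, while `startTLS` against port 389 is also accepted because that handler has `ds-cfg-allow-start-tls: true`.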