SSL certifacate request from DCO and upload

DCIM_Support · ‎2020-07-05

This question was originally posted on DCIM Support by Boris on 2019-06-04

Hello

In continue to my post regarding to connect from DCO to Active Directory via port 636 (https://community.ecostruxureit.com/questions/143756065/dco-connect-to-active-directory-via-ssl) the answer didn’t work to me .

I have old server (version 8.0.2) where that connection via port 636 to AD is working now .

After compare the configuration I have note that certificate of the DCO WEB in old server signed via CA of the origination .

Unfortunately I haven’t find exactly instruction into help tech info :

https://sxwhelpcenter.ecostruxureit.com/display/public/UADCO8x/Working+with+SSL+certificates

https://sxwhelpcenter.ecostruxureit.com/display/public/UADCO8x/Changing+SSL+certificate+on+the+serve...

How I can run certificate request and after it signed upload DCO ?

Is this process will be resolve the my problem ?

DCIM_Support · ‎2020-07-05

This answer was originally posted on DCIM Support by Boris on 2019-07-03

Hello

The problem has been solved .

Important point the filed of the host into configuration of the Authentication Server will be same (but exactly ) such like to certificate .

I suggest add this point to guide

See Answer In Context

DCIM_Support · ‎2020-07-05

This answer was originally posted on DCIM Support by Jef Faridi on 2019-06-04

Hi Boris,

If I understand correctly, you have a DCO 8.2.7 setup integrated with AD server (as authentication server). And the integration works fine using port 389, but if you change it to port 639, then you have issue, right?

If yes, then make sure that the AD server supports encrypted communications (using port 639).

You might also want to try in web-client, Setup (top right, wheel icon) > Certificates page, delete the certificates (including the possible expired ones) for that specific AD server in DCO, and then try to configure the integration to use port 636 and see if that helps.

By the way/just in case, if your user profile language (web-client, user profile (top right) > Language) is not English, change it to English and then retry the AD configuration editing/changes.

Additional test: if you remove the integrated AD server (from DCO), and then added, would that help?

Note: take a fresh backup before doing any major changes/tests.

PS: DCO is shipped with self-signed certificate, this page https://sxwhelpcenter.ecostruxureit.com/display/public/UADCO8x/Changing+SSL+certificate+on+the+serve... you are referring to, contains the instructions if you want to use your own certificates!

Kind regards

DCIM_Support · ‎2020-07-05

This comment was originally posted on DCIM Support by Boris on 2019-06-04

Hello Jef

The first of all you are right . In additional this a new server with version 8.2.7 and old server is working properly (8.0.2) with AD via port 636 .

I have run check with command

open-ssl s_client -connect ipADserver:636 -CApath /etc/ssl/certs

I see in old and new server all chunk CA , but in end I got the follow:

Verify return error code : 20(unable to get local issuer certificate) .

Although the error code old server is working.

I have remove all authentications server and created again only one , but receive the same result .

How I can to debug this issue ?

The customer is working in DCE via port 636 properly too .

DCIM_Support · ‎2020-07-05

This comment was originally posted on DCIM Support by Boris on 2019-06-04

I have compared openssl s_client command and it’s same .

Is there any configuration into DCO that will be set ?

DCIM_Support · ‎2020-07-05

This comment was originally posted on DCIM Support by Jef Faridi on 2019-06-06

Hi Boris,

I don't use the openssl test, so not sure what to expect from it. As you know already, the following instructions:

https://sxwhelpcenter.ecostruxureit.com/display/UADCO8x/Setup+an+AD+%28Active+Directory%29+Server

is the only way to configure the integration.

I don't think there are configurations that may need to be reset (in DCO). Without detail investigations it is hard to say what might be the issue with your setup. However, the product security have been improved in later versions (compared to previous releases). I would recommend testing this AD integration on the latest 8.3 release, if you/customer should experience the same issue, then it would be great if I could have the following data:

screen captures illustrating the authentication server settings/configurations in DCO

screen capture of the displayed errors

complete server logs

I will send you an invite to my =S= box shortly, so the data safely can be shared with me (when/if you would), thanks.

Kind regards

DCIM_Support · ‎2020-07-05

This comment was originally posted on DCIM Support by Boris on 2019-06-06

Many thanks Jef

in next week I attempt to send the relevant logs

DCIM_Support · ‎2020-07-05

This comment was originally posted on DCIM Support by Boris on 2019-06-13

Hello Jef

On Sunday I'll go to customer for this issue .

Can you provide to me what is log file I need to upload exactly ?

DCIM_Support · ‎2020-07-05

This comment was originally posted on DCIM Support by Jef Faridi on 2019-06-17

Hi Boris,

Log files (in DCO 8.2.7) can be collected from server webmin interface, StuxureWare DC Operation > Download Log Files > Download log files

please also include the time/date you've tried & seeing the issue (that helps us to search in the logs), thanks.

Kind regards

DCIM_Support · ‎2020-07-05

This answer was originally posted on DCIM Support by Boris on 2019-07-03

Hello

The problem has been solved .

Important point the filed of the host into configuration of the Authentication Server will be same (but exactly ) such like to certificate .

I suggest add this point to guide

DCIM_Support · ‎2020-07-05

This comment was originally posted on DCIM Support by Jef Faridi on 2019-07-03

Hi Boris,

Can you please clarify this, possibly add some screen captures, thanks.

Kind regards

DCIM_Support · ‎2020-07-05

This comment was originally posted on DCIM Support by Boris on 2019-07-03

DCIM_Support · ‎2020-07-05

This comment was originally posted on DCIM Support by Jef Faridi on 2019-07-03

Hi Boris,

Thanks. That's correct, Host filed should contain either the IP address or the qualified host name.

Kind regards

DCIM_Support · ‎2020-07-05

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.