Unable to verify SSL cert using ldaps

General discussion on Zend Server for IBM System i
rodn8274
Posts: 12
Joined: Mon Dec 29, 2014 5:22 pm

Unable to verify SSL cert using ldaps

Post by rodn8274 » Wed Oct 21, 2015 1:17 am

I have a ZF2 web app running in ZendServer 6 on the iSeries that uses the ZendAuthorization to connect to our Active Directory server over SSL (ldaps:// port 636) to control access to the app. I'm getting the following error whenever we attempt to connect.
authentication failed: 0x51 (Can't contact LDAP server; error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate))
A little research yields that this is due to the client not being able to validate the SSL cert and to get around this problem you have to set the following in the ldap.conf file
TLS_REQCERT never
and restart the zend server. Problem is that I can't locate the ldap.conf file on the iSeries. Also I found this note on the ZF2 reference guide:
If you enable useStartTls = TRUE or useSsl = TRUE you may find that the LDAP client generates an error claiming that it cannot validate the server’s certificate. Assuming the PHP LDAP extension is ultimately linked to the OpenLDAP client libraries, to resolve this issue you can set “TLS_REQCERT never” in the OpenLDAP client ldap.conf (and restart the web server) to indicate to the OpenLDAP client library that you trust the server. Alternatively, if you are concerned that the server could be spoofed, you can export the LDAP server’s root certificate and put it on the web server so that the OpenLDAP client can validate the server’s identity.
That pretty much states how to fix the issue, assuming Zend Server PHP 5 is linked to LDAP on the iSeries somehow. Can this be configured in Zend Server? If so, where?

If there are any iSeries pros here that could point me in the right direction I would be greatly in your debt.

BTW, connecting over non-SSL/TLS works fine. We do have valid certs installed on our iSeries, just not a proper CA root cert.
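The failure above ("unable to get local issuer certificate") is the OpenLDAP client's chain check rejecting a server certificate whose issuing CA is not in its trust store. The script below is an added example, not code from the thread or from Zend: it builds a throwaway CA and server certificate with the openssl CLI (all names are placeholders), then runs the same check once against the wrong CA, which reproduces the error, and once against the issuing CA, which is what putting the exported root into TLS_CACERT achieves instead of setting TLS_REQCERT never.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unable to get local
# issuer certificate" failure with constructed certificates and show that
# trusting the issuing CA (what TLS_CACERT points at) clears it.
# Assumes only the openssl CLI; every certificate here is generated locally.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca NAME CN: self-signed root standing in for the directory's issuing CA.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# make_server_cert CA: leaf for the placeholder LDAP host, signed by CA.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=ldap.example.invalid" -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
}
# verify_chain CAFILE: the check the OpenLDAP client performs against its
# TLS_CACERT store (and that TLS_REQCERT never switches off). Prints the
# openssl result; returns 0 only when the server cert chains to CAFILE.
verify_chain() {
  out=$(openssl verify -CAfile "$1" "$WORK/server.pem" 2>&1)
  echo "$out"
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

make_ca issuing "Example Lab Issuing CA"
make_ca unrelated "Some Other Root CA"   # a CA the client has, but the wrong one
make_server_cert issuing
verify_chain "$WORK/unrelated.pem" || echo "rejected: the poster's situation"
verify_chain "$WORK/issuing.pem" && echo "accepted: issuing CA exported and trusted"
```

The first check prints the same "unable to get local issuer certificate" reason as the error in the post; the second prints OK, which is the state to aim for on the web server rather than disabling verification.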

scottgcampbell
Posts: 187
Joined: Wed Apr 22, 2009 2:29 pm
Location: Edmonton, AB, Canada

Re: Unable to verify SSL cert using ldaps

Post by scottgcampbell » Wed Oct 21, 2015 2:18 pm

Take a look at this article about adding a certificate authority, not sure it is the issue but one thing to check:

https://support.zend.com/hc/en-us/artic ... or-PHP-5-6

Scott

rodn8274
Posts: 12
Joined: Mon Dec 29, 2014 5:22 pm

Re: Unable to verify SSL cert using ldaps

Post by rodn8274 » Wed Oct 21, 2015 5:05 pm

Scott,

Thanks for this article! I ran the commands as stated in the article and TLS cert verification seems to be working now.

Again, thanks for your help.
