Overview#

Issues With Remote Loader is about AD Remote Loaders and the Engine on DirXML 4.0.2.6. We were upgrading from DirXML 4.0.2.6 and DirXML 4.0.2.0 to DirXML 4.0.2.7.

This may be helpful for others when troubleshooting DirXML.

We had some issues in PILOT, where the Edir-To-Edir drivers would not work if only one side was upgraded. We were not confident of the exact issue, and Support was not very helpful, stating only:

"I'm sure there is no issue when you stay within a major version number like 4.0.2."

"I'm going to add a caveat though, with all the openssl, poodle security fixes; I've seen things that used to communicate over SSL fail when one side was updated and not the other. That would be my only concern. If you use SSL between the 2 then you would need to confirm you could still connect. If you can then you are fine."

When we performed the upgrade from DirXML 4.0.2.6 and DirXML 4.0.2.0 to DirXML 4.0.2.7, none of the three AD drivers would start, and they showed the error below. During an upgrade of an IDV to DirXML 4.0.2.7 SE where the Remote Loader was NOT upgraded, we see this message in the DirXML Engine trace file:

[03/25/15 22:41:16.693]:idv-ad ST:
<nds dtdversion="4.0" ndsversion="8.x">
  <source>
    <product edition="Standard" version="4.0.2.7">DirXML</product>
    <contact>Novell, Inc.</contact>
  </source>
  <input>
    <init-params src-dn="\WILELKE\net\willekedir\esc\DirXML\NW Driver Set\IDV to SIC AD">
      <authentication-info>
        <server>REMOTE(hostname=10.92.1.178 port=8090 kmo=NDS2NDS)DCP0705.willeke.net</server>
        <user>DirXML</user>
        <password><!-- content suppressed --></password>
      </authentication-info>
      <driver-options>
...
[03/25/15 22:54:43.249]:sic-ad PT:
<nds dtdversion="4.0" ndsversion="8.x">
  <input>
    <status level="error" type="remoteloader">java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL, error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number</status>
  </input>
</nds>

Cause#

Identity Manager DirXML 4.0.2.7 contains a fix for CVE-2014-3566 (POODLE), which disables the use of SSLv3 on the wire. As the Remote Loader code was not updated, it would still try to negotiate SSLv2 (sic; this should read SSLv3), which the Engine can no longer accept, and therefore the connection was not established.

Docs:

We also heard from Support:

I was rereading the TID and saw that I made a "small" mistake, which I then corrected.

TID7003488 - "Is IDM Remote Loader from one version supported with a different IDM engine version?", provides some information, but the TLSv1.x thing with 4.0.2 Patch 7 means that Patch 7 only talks to Patch 7 when you have encrypted communication, and also IDM 4.5 Engine / Remote Loader Patch 2 should be able to talk to Patch 7. But we do not really support IDM 4.0.2 <-> IDM 4.5 communication (Engine and Remote Loader) ... except for the Office 365 driver.

If you stay on Patch 5 or 6 you will have more options on what will work, but you will have the OpenSSL security issues.

What to Look for#

After upgrading to DirXML 4.0.2.7 SE, in the DirXML Remote Loader trace file you want to see:
DirXML: [02/03/15 18:27:14.34]: Loader: Waiting for DirXML to connect on 'TCP server socket, port 8090, address localhost, using TLSv1'…
This indicates that the Remote Loader will use TLSv1 and not SSLv3.

If you see:

<nds dtdversion="4.0" ndsversion="8.x">
  <input>
    <status level="error" type="remoteloader">java.io.IOException: SSL handshake failed, SSL_ERROR_SYSCALL, error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number</status>
  </input>
</nds>
This implies that the DirXML Remote Loader is still using SSLv3 and will NOT communicate with an Engine that only accepts TLS 1.0.
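The two markers above can be checked mechanically after an upgrade. The following script is an added example, not part of this page or of the DirXML product: it scans a Remote Loader trace for the "using <protocol>" listen line and an Engine trace for the "wrong version number" status, and reports which side still speaks SSLv3. It assumes an unpatched loader prints "using SSLv3" in the same position (that SSLv3 line is constructed; the TLSv1 line and the Engine status are the ones shown on this page).

```python
import re

# Remote Loader startup marker (page: "... port 8090, address localhost, using TLSv1'").
# Assumption: an unpatched loader prints "using SSLv3" in the same position.
LOADER_RE = re.compile(r"Loader: Waiting for DirXML to connect on '.*?port (\d+),.*?using (SSLv3|TLSv1(?:\.\d)?)'")
# Engine-side status the page shows when an SSLv3 loader meets a TLSv1-only Engine.
FAIL_RE = re.compile(r'type="remoteloader">.*SSL handshake failed.*wrong version number')

def loader_protocol(trace_lines):
    """Return (port, protocol) from the Remote Loader listen line, else None."""
    for line in trace_lines:
        m = LOADER_RE.search(line)
        if m:
            return m.group(1), m.group(2)
    return None

def engine_handshake_failed(trace_lines):
    """True if the Engine trace carries the SSLv3/TLS 'wrong version number' error."""
    return any(FAIL_RE.search(line) for line in trace_lines)

def diagnose(loader_trace, engine_trace):
    """One verdict for the post-upgrade check: which side still speaks SSLv3."""
    listen = loader_protocol(loader_trace)
    if listen and listen[1] == "SSLv3":
        return "MISMATCH: Remote Loader on port %s still offers SSLv3; patch it to 4.0.2.7" % listen[0]
    if engine_handshake_failed(engine_trace):
        return "MISMATCH: Engine reports 'wrong version number'; Remote Loader not yet on 4.0.2.7"
    if listen:
        return "OK: Remote Loader on port %s uses %s" % listen
    return "UNKNOWN: no Remote Loader listen line found"

# Sample input. PATCHED and ENGINE lines are the ones shown on this page; UNPATCHED is constructed.
PATCHED_LOADER_TRACE = [
    "DirXML: [02/03/15 18:27:14.34]: Loader: Waiting for DirXML to connect on "
    "'TCP server socket, port 8090, address localhost, using TLSv1'...",
]
UNPATCHED_LOADER_TRACE = [  # constructed variant, not from the page
    "DirXML: [02/03/15 18:27:14.34]: Loader: Waiting for DirXML to connect on "
    "'TCP server socket, port 8090, address localhost, using SSLv3'...",
]
ENGINE_TRACE = [
    "[03/25/15 22:54:43.249]:sic-ad PT:",
    '<status level="error" type="remoteloader">java.io.IOException: SSL handshake failed, '
    "SSL_ERROR_SYSCALL, error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number</status>",
]

if __name__ == "__main__":
    print(diagnose(PATCHED_LOADER_TRACE, []))
    print(diagnose(UNPATCHED_LOADER_TRACE, ENGINE_TRACE))
```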

More Information#

There might be more information for this subject on one of the following:

« This page (revision-12) was last changed on 01-Apr-2015 10:09 by jim