“No subject alternative names present” error occurs while using secure LDAP connection for user and group synchronization
| Product: | IMiS/ARChive |
| Release: | 9.9.x.x |
| Date: | 03/20/2019 |
Case:
“No subject alternative names present” error occurs while using a secure LDAP connection (LDAPS) for user and group synchronization. Example stack trace:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
com.imis.imisarc.server.aaa.impl.LdapDirectory.executeQuery(LdapDirectory.java:260)
com.imis.imisarc.server.aaa.impl.GenericAAAObject.query(GenericAAAObject.java:69)
com.imis.imisarc.server.aaa.impl.GenericLdapConnector.query(GenericLdapConnector.java:13)
Caused by: javax.naming.CommunicationException: simple bind failed: ldap.server.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present]
com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
javax.naming.InitialContext.init(InitialContext.java:244)
javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
com.imis.imisarc.server.aaa.impl.PagedInitialLdapContext.<init>(PagedInitialLdapContext.java:88)
com.imis.imisarc.server.aaa.impl.LdapDirectory.createLdapContext(LdapDirectory.java:582)
com.imis.imisarc.server.aaa.impl.LdapDirectory.createLdapContext(LdapDirectory.java:512)
com.imis.imisarc.server.aaa.impl.LdapDirectory.executeQuery(LdapDirectory.java:250)
com.imis.imisarc.server.aaa.impl.GenericAAAObject.query(GenericAAAObject.java:69)
com.imis.imisarc.server.aaa.impl.GenericLdapConnector.query(GenericLdapConnector.java:13)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:931)
sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
java.io.BufferedInputStream.fill(BufferedInputStream.java:246)
java.io.BufferedInputStream.read1(BufferedInputStream.java:286)
java.io.BufferedInputStream.read(BufferedInputStream.java:345)
com.sun.jndi.ldap.Connection.run(Connection.java:877)
java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No subject alternative names present
sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:145)
sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java
Description:
Java enabled endpoint identification on LDAPS connections by default to improve the robustness of LDAPS connections (see the 8u181 release notes: https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html). For a secure connection to be established, the host name used to connect must match either the certificate's common name or one of its subject alternative names (https://en.wikipedia.org/wiki/Subject_Alternative_Name). To solve this problem, provide a certificate with an appropriate subject alternative name X.509 extension. The alternative is to disable endpoint identification checking by setting the Java system property “com.sun.jndi.ldap.object.disableEndpointIdentification” to “true”; note that this turns off the check that the presented certificate was actually issued for the host being contacted, so the certificate fix is the preferred one. Follow these steps:
1. Shut down the server.
2. Locate and open “iarc.conf” server configuration file for editing (possible locations: /etc/iarc.conf, /opt/IS/imisarc/iarc.conf …)
3. Under the “[Server]” section locate (or create) the option “JVMOptions” and append the Java option “-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true”.
If there are multiple Java options, the delimiter is “::”. Examples:
a. JVMOptions=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
b. JVMOptions=-Xmx512m::-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
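The exception in the trace is thrown by the JDK's HostnameChecker, and the matchIP frame shows the branch taken when the LDAP URL names the server by IP address. The following Python model of that check is an added example, not code from this article or from IMiS/ARChive: it reproduces the JDK 8 matching order (SAN entries first; the subject CN is consulted only for DNS host names on certificates that carry no dNSName entries, and never for IP literals) against constructed certificate name sets, so you can see which connection strings a given certificate satisfies before choosing between reissuing the certificate and disabling the check. The certificate data and host names below are constructed, and wildcard handling is simplified to a single leftmost label.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# GeneralName tags for SAN entries, as the JDK's HostnameChecker uses them.
ALTNAME_DNS = 2
ALTNAME_IP = 7


@dataclass
class CertNames:
    """Name material from a server certificate: subject CN and SAN entries as (tag, value).
    subject_alt_names=None models a certificate with no SAN extension at all."""
    common_name: Optional[str]
    subject_alt_names: Optional[List[Tuple[int, str]]] = None


class HostnameMismatch(Exception):
    """Raised with the same message text the JDK produces for the corresponding failure."""


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_matches(expected: str, pattern: str) -> bool:
    """Case-insensitive DNS match; a single leftmost '*' covers exactly one label (simplified)."""
    expected, pattern = expected.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return expected == pattern
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    exp_labels, pat_labels = expected.split("."), pattern.split(".")
    return len(exp_labels) == len(pat_labels) and exp_labels[1:] == pat_labels[1:]


def _match_ip(expected_ip: str, cert: CertNames) -> str:
    # IP literals are matched against iPAddress SAN entries only; the CN is never consulted.
    if cert.subject_alt_names is None:
        raise HostnameMismatch("No subject alternative names present")
    expected = ipaddress.ip_address(expected_ip)
    for tag, value in cert.subject_alt_names:
        if tag == ALTNAME_IP and ipaddress.ip_address(value) == expected:
            return f"iPAddress:{value}"
    raise HostnameMismatch(f"No subject alternative names matching IP address {expected_ip} found")


def _match_dns(expected: str, cert: CertNames) -> str:
    if cert.subject_alt_names is not None:
        found_dns = False
        for tag, value in cert.subject_alt_names:
            if tag == ALTNAME_DNS:
                found_dns = True
                if _dns_matches(expected, value):
                    return f"dNSName:{value}"
        if found_dns:
            # dNSName entries exist but none matched: the CN is not a fallback in that case.
            raise HostnameMismatch(f"No subject alternative DNS name matching {expected} found.")
    # No SAN extension, or a SAN without dNSName entries: fall back to the subject CN.
    if cert.common_name is not None and _dns_matches(expected, cert.common_name):
        return f"CN:{cert.common_name}"
    raise HostnameMismatch(f"No name matching {expected} found")


def check_identity(host: str, cert: CertNames) -> str:
    """Endpoint identification as the JDK does it: return the matching name or raise."""
    return _match_ip(host, cert) if _is_ip_literal(host) else _match_dns(host, cert)


def diagnose(host: str, cert: CertNames) -> str:
    """One-line verdict, handy for comparing several connection strings against one certificate."""
    try:
        return "OK via " + check_identity(host, cert)
    except HostnameMismatch as exc:
        return "FAIL: " + str(exc)


# Constructed certificates for illustration (not real server data).
CN_ONLY_CERT = CertNames(common_name="ldap.server.com")
SAN_CERT = CertNames(
    common_name="ldap.server.com",
    subject_alt_names=[(ALTNAME_DNS, "ldap.server.com"),
                       (ALTNAME_DNS, "*.server.com"),
                       (ALTNAME_IP, "10.0.0.5")],
)

if __name__ == "__main__":
    for cert_label, cert in (("CN only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        for host in ("ldap.server.com", "ldap2.server.com", "10.0.0.5", "ldap.other.com"):
            print(f"{cert_label:9} {host:17} -> {diagnose(host, cert)}")
```

The CN-only certificate satisfies a connection to ldap.server.com but fails for the IP literal with exactly the message from the trace, which is why an LDAP URL of the form ldaps://10.0.0.5:636 needs an iPAddress SAN entry (or a URL using the DNS name that the certificate carries) rather than a CN change.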
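The following Python helper is added here and is not part of IMiS/ARChive. It assumes the INI-style layout the steps describe (a [Server] section with a JVMOptions key whose entries are separated by “::”) and runs on a constructed configuration; the section and key names other than [Server] and JVMOptions are placeholders. It appends the option without clobbering existing entries such as -Xmx512m, and the companion check lets you audit a server for the property afterwards, since a configuration carrying it is one where the LDAPS client no longer verifies the server's name.

```python
from typing import List, Optional, Tuple

DISABLE_OPT = "-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
DELIM = "::"  # separator between multiple JVM options in iarc.conf, per the article

# Constructed sample configuration; [Logging]/Level are placeholder entries.
SAMPLE_CONF = """[Logging]
Level=info

[Server]
JVMOptions=-Xmx512m
"""


def _server_section(lines: List[str]) -> Tuple[Optional[int], Optional[int]]:
    """Return (start, end) indices of the body lines of the [Server] section, or (None, None)."""
    start = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if start is not None:
                return start, i          # next section header closes [Server]
            if s[1:-1].strip().lower() == "server":
                start = i + 1
    return (start, len(lines)) if start is not None else (None, None)


def jvm_options(conf_text: str) -> List[str]:
    """List the JVM options configured under [Server]; empty if none."""
    lines = conf_text.splitlines()
    start, end = _server_section(lines)
    if start is None:
        return []
    for line in lines[start:end]:
        key, sep, value = line.partition("=")
        if sep and key.strip() == "JVMOptions":
            return [o for o in value.strip().split(DELIM) if o]
    return []


def add_jvm_option(conf_text: str, option: str) -> str:
    """Return the configuration with `option` present in [Server].JVMOptions (idempotent)."""
    lines = conf_text.splitlines()
    start, end = _server_section(lines)
    if start is None:
        # No [Server] section yet: create it at the end of the file.
        lines += ["[Server]", f"JVMOptions={option}"]
        return "\n".join(lines) + "\n"
    for i in range(start, end):
        key, sep, value = lines[i].partition("=")
        if sep and key.strip() == "JVMOptions":
            opts = [o for o in value.strip().split(DELIM) if o]
            if option not in opts:
                opts.append(option)
            lines[i] = "JVMOptions=" + DELIM.join(opts)
            return "\n".join(lines) + "\n"
    # [Server] exists but has no JVMOptions line: add one at the end of the section.
    lines.insert(end, f"JVMOptions={option}")
    return "\n".join(lines) + "\n"


def endpoint_identification_disabled(conf_text: str) -> bool:
    """Audit check: True when this configuration switches LDAPS host name verification off."""
    return DISABLE_OPT in jvm_options(conf_text)


if __name__ == "__main__":
    updated = add_jvm_option(SAMPLE_CONF, DISABLE_OPT)
    print(updated)
    print("endpoint identification disabled:", endpoint_identification_disabled(updated))
```

Because the check reads the same file the server starts from, it is a cheap inventory item for any host running the archive service: a True result means LDAPS traffic from that server accepts any certificate the trust store chains to, regardless of the name it was issued for.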