000038728 - Active Directory AFX Connector Create Account capability fails when skip certificate validation is enabled in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Apr 14, 2020
Last modified by RSA Customer Support Employee on Aug 25, 2020
Version 22

Article Content

Article Number: 000038728
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.1
 
Issue
The Active Directory AFX connector Create Account capability fails with the following error in the change request under AFX Status (Requests > Requests > {Request name}):
 
 AFX reports this item failed with code [-1] and message: 'org.mule.api.transformer.TransformerMessagingException: Failed to Create LDAP Context, Check the connection Parameters10.101.251.79:636 (java.lang.Exception). Message payload is of type: String'. If available, another handler will be used to fulfill this item 


The Active Directory connector is defined to skip certificate validation (AFX > Connectors > {name of connector} > Settings tab).
 



The connector log file ($AFX_HOME/esb/logs/AFX-CONN-<name-of-connector>.log) has the following error:
 

2019-07-31 02:19:40.394 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 -
Active_DirectoryConnector.EXCEPTION flow invoked...
2019-07-31 02:19:40.395 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - Not account created, no cleanup required!
2019-07-31 02:19:40.460 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - AFX_OUT redirect flow invoked...
2019-07-31 02:19:40.498 [INFO] org.mule.transport.service.DefaultTransportServiceDescriptor:193 -
Loading default outbound transformer: org.mule.transport.jms.transformers.ObjectToJMSMessage
2019-07-31 02:19:40.500 [INFO] org.mule.transport.service.DefaultTransportServiceDescriptor:193 -
Loading default response transformer: org.mule.transport.jms.transformers.ObjectToJMSMessage
2019-07-31 02:19:40.500 [WARN] com.mulesoft.mule.transport.jms.EeJmsMessageDispatcher:265 - Starting patched JmsMessageReceiver
2019-07-31 02:19:40.502 [INFO] org.mule.lifecycle.AbstractLifecycleManager:193 -
Initialising: 'jmsConnector.dispatcher.1650090192'. Object is: EeJmsMessageDispatcher
2019-07-31 02:19:40.502 [INFO] org.mule.lifecycle.AbstractLifecycleManager:193 -
Starting: 'jmsConnector.dispatcher.1650090192'. Object is: EeJmsMessageDispatcher
2019-07-31 02:21:19.016 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - Create Account is done
2019-07-31 02:21:19.078 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - Send ResetPassword command explicitly
2019-07-31 02:21:20.465 [ERROR] org.mule.transport.ldapx.transformers.MessageToModifyRequest:361 - Failed to create LDAPContext
javax.naming.CommunicationException: 10.101.251.79:636 [Root exception is javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: No subject alternative names matching IP address 10.101.251.79 found]

at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
...


 
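Cause
Later versions of Java perform more checks that must be bypassed in order to skip certificate validation than earlier versions did. In the log above, the handshake fails on the check that matches the server address against the certificate's subject alternative names.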

This is a known issue reported in engineering tickets ACM-104246 and ACM-99986.
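To confirm that a connector log shows this failure rather than an untrusted certificate chain, the ERROR entries can be classified by their root exception. The script below is an added example, not RSA code; its sample input is the log excerpt from this article, and the function names are hypothetical. The DNS-name and "PKIX path" patterns are standard Java messages that do not appear in this article and are assumed to show up in the same log layout.

```python
import re

# Excerpt of the connector log shown in this article (most INFO lines trimmed).
SAMPLE_LOG = """\
2019-07-31 02:21:19.078 [INFO] org.mule.api.processor.LoggerMessageProcessor:193 - Send ResetPassword command explicitly
2019-07-31 02:21:20.465 [ERROR] org.mule.transport.ldapx.transformers.MessageToModifyRequest:361 - Failed to create LDAPContext
javax.naming.CommunicationException: 10.101.251.79:636 [Root exception is javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: No subject alternative names matching IP address 10.101.251.79 found]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
"""

ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(\w+)\]")
ENDPOINT = re.compile(r"CommunicationException: (\S+):(\d+)")
# Java TLS messages: a failed name check versus a failed chain-trust check.
NAME_CHECK = re.compile(r"No subject alternative (?:DNS )?names? matching (?:IP address )?(\S+) found"
                        r"|No name matching (\S+) found")
CHAIN_CHECK = re.compile(r"PKIX path (?:building|validation) failed")

def split_entries(text):
    """Group continuation lines (wrapped messages, stack frames) with their entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"time": m.group(1), "level": m.group(2), "text": line})
        elif entries:
            entries[-1]["text"] += "\n" + line
    return entries

def triage(text):
    """Return one finding per ERROR entry that reports an LDAPS connection failure."""
    findings = []
    for e in split_entries(text):
        ep = ENDPOINT.search(e["text"])
        if e["level"] != "ERROR" or not ep:
            continue
        kind, unmatched = "other", None
        name = NAME_CHECK.search(e["text"])
        if name:  # certificate does not carry the address the connector dialled
            kind, unmatched = "endpoint-identity", name.group(1) or name.group(2)
        elif CHAIN_CHECK.search(e["text"]):  # issuer chain not trusted
            kind = "chain-trust"
        findings.append({"time": e["time"], "host": ep.group(1), "port": int(ep.group(2)),
                         "kind": kind, "unmatched_name": unmatched})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

An `endpoint-identity` finding on a connector that is set to skip certificate validation matches the issue described here; a `chain-trust` finding points to a different problem.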
 
Resolution
This issue is resolved in the following RSA Identity Governance & Lifecycle versions and/or patch levels:
  • RSA Identity Governance & Lifecycle 7.1.1 P08
  • RSA Identity Governance & Lifecycle 7.2.0.

 
