000036459 - The RSA Identity Governance & Lifecycle AD Collector and AD ADC authentication source fail to establish a TLS 1.2 SSL connection with the AD LDAP server

Document created by RSA Customer Support Employee on Jun 26, 2018
Version 1

Article Content

Article Number: 000036459
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.0, 7.0.1, 7.0.2
 
Issue: The RSA Identity Governance & Lifecycle AD Collector and AD ADC authentication source fail with the following error in the aveksaServer.log file (/home/oracle/wildfly-8.2.0.Final/standalone/log/aveksaServer.log):
 

06/18/2018 00:15:00.416 ERROR (ApplyChangesRegularThread-103) [com.aveksa.collector.accountdata.LdapAccountDataReaderConfig] Error in getting connection to UserDirectory , Root Cause :
javax.naming.NamingException: JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader com.aveksa.client.datacollector.framework.CollectorClassLoader@1395c8ec [Root exception is javax.naming.CommunicationException: simple bind failed: 192.168.1.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]
...
Caused by: javax.naming.CommunicationException: simple bind failed: 192.168.1.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: .
...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
..
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


A tcpdump packet trace of the SSL negotiation shows the SSL failure as Internal Error (80):
 

Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Internal Error (80)
Cause: This issue may occur if the TLS 1.2 SSL handshake is unable to complete the negotiation of an acceptable cipher. Specifically, the Internal Error (80) relates to a failure of the JDK shared libraries to support TLS 1.2 negotiation. All current patches of RSA Identity Governance & Lifecycle have the ability to support TLS 1.2 SSL, but this depends on the JDK version that is installed. Without the appropriate JDK installed, the TLS 1.2 SSL negotiation may fail.
Resolution: Ensure that you have applied the latest RSA Identity Governance & Lifecycle Java JDK upgrade that is included with the RSA Identity Governance & Lifecycle patch for your version. Refer to the release notes for the patch for information on how to download and install the JDK upgrade.
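
One way to confirm which JDK is in use and whether it can negotiate TLS 1.2 with the directory server, as an added example that is not RSA code. The class name Tls12Check and the host and port arguments are assumptions; 636 is the LDAPS port that appears in the log above.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;

// Added diagnostic, not RSA code. Run it with the same JDK the application server uses.
// Usage: java Tls12Check [ldapHost [port]]   (host and port are operator-supplied)
public class Tls12Check {
    static boolean has(String[] protocols, String name) {
        return Arrays.asList(protocols).contains(name);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("supported protocols : " + Arrays.toString(supported));
        System.out.println("enabled by default  : " + Arrays.toString(enabled));

        if (!has(supported, "TLSv1.2")) {
            System.out.println("RESULT: this JDK cannot negotiate TLS 1.2 at all");
            System.exit(2);
        }
        if (!has(enabled, "TLSv1.2")) {
            System.out.println("NOTE: TLS 1.2 is supported but not offered by default");
        }
        if (args.length == 0) return; // offline mode: report JDK capabilities only

        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.setSoTimeout(10000);
            s.setEnabledProtocols(new String[] {"TLSv1.2"}); // offer TLS 1.2 only
            s.startHandshake(); // validates the server chain against the JDK trust store
            System.out.println("RESULT: handshake OK, " + s.getSession().getProtocol()
                    + " / " + s.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            System.out.println("RESULT: handshake failed");
            // Print the cause chain, mirroring the "Caused by:" lines in aveksaServer.log
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("  caused by: " + t);
            }
            System.exit(1);
        }
    }
}
```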
