000036712 - LDAP Collectors report "No subject alternative names matching IP address n.n.n.n found" in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Sep 12, 2018. Last modified by RSA Customer Support Employee on Aug 5, 2019.
Version 4

Article Content

Article Number: 000036712
Applies To:
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.x, 7.1.x
 
Issue
After upgrading to Oracle Java 7 Update 191 / 7u191 / 1.7.0_191 (or above) and Java 8 Update 181 / 8u181 / 1.8.0_181 (or above), RSA Identity Governance & Lifecycle Collectors of Data Source Type Ldap and Active Directory can report the following error in the aveksaServer.log:

08/13/2018 18:11:31.752 WARN (ApplyChangesRegularThread-1198) [com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil]
com.aveksa.common.ConnectException: Invalid Certificate, it may be expired or not valid. Please enter valid PEM format certificate in Certificate field.
    at com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil.connect(LdapQueryUtil.java:212)
    at com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil.testConnection(LdapQueryUtil.java:368)
    at com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil.performOperation(LdapQueryUtil.java:139)
    at com.aveksa.collector.accountdata.LdapAccountDataReader.performQuery(LdapAccountDataReader.java:263)
    at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.performQuery(AccountDataCollector.java:474)
...
Caused by: javax.naming.CommunicationException: n.n.n.n:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
    No subject alternative names matching IP address n.n.n.n found]
...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
    No subject alternative names matching IP address n.n.n.n found
...
Caused by: java.security.cert.CertificateException:    
    No subject alternative names matching IP address n.n.n.n found
...

A test of the collector may return one of the following errors on the RSA Identity Governance & Lifecycle user interface screen:

com.aveksa.common.ConnectException: There is an error establishing a connection with the LDAP directory.
Please confirm the settings are correct.

or

Collector test failed:
com.aveksa.server.runtime.ServerException: Test request failed with response:
com.aveksa.server.runtime.ServerException: com.aveksa.common.ConnectException: Error in get connection to UserDirectory.
Caused by javax.naming.CommunicationException: 192.168.26.120:636
[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
No subject alternative names matching IP address 192.168.26.120 found].

Cause
For Oracle Java 7 Update 191 / 7u191 / 1.7.0_191 (or above) and Java 8 Update 181 / 8u181 / 1.8.0_181 (or above), there is a security improvement for LDAP support: "Endpoint identification has been enabled on LDAPS connections." The JVM now verifies that the LDAP server certificate matches the host the collector connects to. This error means that the certificate's Subject Alternative Name (SAN) extension does not contain the IP address (or LDAP server hostname/FQDN) that the collector uses to connect.

For more information, please review the Oracle documentation.

NOTE: If you use a Remote Agent for collections, this security improvement may cause a separate problem with your collectors. Please see RSA Knowledge Base Article 000037409 - Remote collection agents fail with null pointer exception using latest JRE/JDK versions in RSA Identity Governance & Lifecycle for more information.

Resolution
Regenerate the certificate used by the LDAP server with the correct Subject Alternative Name value. Follow the LDAP documentation on how to regenerate the LDAP server certificate.

In some environments, the same error may occur even with the regeneration of a new LDAP certificate with the correct SAN. This issue has been reported in engineering ticket ACM-99537. Until there is a resolution, please use one of the workarounds documented in this article.

Workaround
As a workaround, the certificate check may be skipped or the hostname validation may be disabled. These options make your deployment less secure and are not recommended except as a last resort.

Option 1: Skip certificate validation.

Certificate validation can be skipped by modifying the collector definition. In the RSA Identity Governance & Lifecycle user interface go to Collectors > {Type of Collector} > {Collector Name} > Edit > Next. Under Connection, check Skip Certificate Validation and Finish to save the changes.

Option 2: Disable hostname validation.

Hostname validation is disabled by setting the Java option -Dcom.sun.jndi.ldap.object.disableEndpointIdentification to true.

  1. Add the following option to the Java Options (Arguments) for the application server:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

  • For WildFly, as the root user, edit the /etc/init.d/aveksa_server file, and add the new option to JAVA_OPTS:

JAVA_OPTS="${JAVA_OPTS} -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"


  • For a WildFly cluster, as the root user, edit the /etc/init.d/aveksa_cluster file, and add the new option to JAVA_OPTS. Edit this file on every node in the cluster.
  • For WebSphere, log in to the Admin Console and add the new option to the Generic JVM arguments.
  • For WebLogic, log in to the Admin Console and, in the Server Start tab, add the new option to the Arguments field.

  2. Once the change has been made, restart RSA Identity Governance & Lifecycle.

Notes
To examine the server-side certificate, use the following command:

openssl s_client -showcerts -connect n.n.n.n:636

where n.n.n.n is the IP address of the server reported in the error.

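The following Python script is an added example, not RSA code, that reproduces offline the matching rule behind the error in this article: for an LDAPS URL whose host is an IP literal, only an "IP Address" SAN entry can satisfy endpoint identification (the subject CN is never consulted), while a hostname target must match a "DNS" SAN entry, with a CN fallback only when the certificate carries no DNS entries at all. The SAN tuples use the same shape Python's ssl.SSLSocket.getpeercert() returns; the sample certificates, the 192.168.26.120 address from the article's error text and the example.com names are constructed for illustration. The verdict text's suggestion to point a collector at a name the certificate already covers is the example's own inference, not a step from this article.

```python
"""Offline check of what LDAPS endpoint identification verifies (added example).

Reproduces the rule Java applies to an LDAPS connection target: an IP literal
needs a matching iPAddress SAN; a hostname needs a matching dNSName SAN, with
the subject CN used only when no dNSName entry exists. SAN entries have the
shape of ssl.SSLSocket.getpeercert()['subjectAltName'].
"""
import ipaddress
from typing import Iterable, Optional, Tuple

SanEntry = Tuple[str, str]  # ('DNS', 'ldap.example.com') or ('IP Address', '10.0.0.5')


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison; '*' is allowed only as the whole
    leftmost label and only when at least two labels follow it."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in ".".join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def endpoint_identification(target: str, san: Iterable[SanEntry],
                            subject_cn: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a connection target checked against a
    certificate's SAN entries; subject_cn is consulted only for hostnames."""
    san = list(san)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        # IP literal: only an iPAddress SAN entry can match; CN is ignored,
        # which is why a DNS-only certificate yields the article's error.
        for kind, value in san:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"iPAddress SAN {value} matches {target}"
            except ValueError:
                continue
        return False, f"No subject alternative names matching IP address {target} found"

    dns_entries = [value for kind, value in san if kind == "DNS"]
    for value in dns_entries:
        if dns_name_matches(value, target):
            return True, f"dNSName SAN {value} matches {target}"
    if not dns_entries and subject_cn and dns_name_matches(subject_cn, target):
        return True, f"no dNSName SAN present; subject CN {subject_cn} matches {target}"
    return False, f"No subject alternative DNS name matching {target} found"


# Constructed samples: a DNS-only certificate (the shape that fails when the
# collector is configured with an IP address) and one that also carries the IP.
SAMPLE_SAN_DNS_ONLY = (("DNS", "ldap.example.com"), ("DNS", "*.corp.example.com"))
SAMPLE_SAN_WITH_IP = SAMPLE_SAN_DNS_ONLY + (("IP Address", "192.168.26.120"),)


def collector_target_check(target: str, san: Iterable[SanEntry]) -> str:
    """One-line verdict plus the remediation: reissue the certificate with the
    target in its SAN (the article's Resolution), or use a name it covers
    (this example's own inference)."""
    ok, reason = endpoint_identification(target, san)
    if ok:
        return f"OK: {reason}"
    return (f"FAIL: {reason}. Reissue the LDAP certificate with {target} in its SAN, "
            f"or configure the collector with a name the certificate already covers.")


if __name__ == "__main__":
    for target, san in [("192.168.26.120", SAMPLE_SAN_DNS_ONLY),
                        ("192.168.26.120", SAMPLE_SAN_WITH_IP),
                        ("ldap.example.com", SAMPLE_SAN_DNS_ONLY),
                        ("dc01.corp.example.com", SAMPLE_SAN_DNS_ONLY)]:
        print(collector_target_check(target, san))
```

To apply this to a real server, capture the certificate with the openssl s_client command above, pipe it through openssl x509 -noout -text, and copy the entries listed under "X509v3 Subject Alternative Name" into the SAN tuple; a certificate that lists only DNS names will fail for an IP target exactly as the aveksaServer.log entry shows.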
 
