000036712 - LDAP Collector reports "No subject alternative names matching IP address n.n.n.n found" in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Sep 12, 2018. Last modified by RSA Customer Support Employee on Sep 12, 2018.

Article Content

Article Number: 000036712
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 7.0.2
 
Issue: After upgrading to Oracle Java 1.7.0_191 or above, LDAP Collectors in the RSA Identity Governance & Lifecycle application can report the following error:

08/13/2018 18:11:31.752 WARN (ApplyChangesRegularThread-1198) [com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil]
com.aveksa.common.ConnectException: Invalid Certificate, it may be expired or not valid. Please enter valid PEM format certificate in Certificate field.
    at com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil.connect(LdapQueryUtil.java:212)
    at com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil.testConnection(LdapQueryUtil.java:368)
    at com.aveksa.client.datacollector.collectors.utils.LdapQueryUtil.performOperation(LdapQueryUtil.java:139)
    at com.aveksa.collector.accountdata.LdapAccountDataReader.performQuery(LdapAccountDataReader.java:263)
    at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.performQuery(AccountDataCollector.java:474)
...
Caused by: javax.naming.CommunicationException: n.n.n.n:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
    No subject alternative names matching IP address n.n.n.n found]
...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
    No subject alternative names matching IP address n.n.n.n found
...
Caused by: java.security.cert.CertificateException:    
    No subject alternative names matching IP address n.n.n.n found
...
Cause: For Oracle Java 1.7.0_191 and above, there is an improvement for LDAP support, in that "Endpoint identification has been enabled on LDAPS connections."

For more information, please review the Oracle documentation Java SE 7 Advanced and Java SE 7 Support (formerly known as Java for Business 7) Release Notes, where, under Changes, it states the following:

Changes

core-libs/javax.naming
Improve LDAP support

Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.


In practice, this error means that the certificate presented by the LDAP server does not contain, in its Subject Alternative Name (SAN) extension, the IP address (or the LDAP server hostname/FQDN) that the collector uses to connect, so the endpoint identification check fails.
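To make the endpoint identification rule concrete, the following Python example (added here; it is not part of the original article and not RSA or Oracle code) reimplements the check in simplified form. The connection target is compared against the certificate's Subject Alternative Name entries, in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns. The two certificates, the hostname ldap.example.local and the address 10.0.0.25 are constructed samples; the first certificate reproduces the failing case from the article (a DNS name but no iPAddress entry), the second the regenerated certificate the Resolution calls for.

```python
"""Added example: a simplified model of the LDAPS endpoint identification check
that Java 7u191+ performs, reimplemented to show why a certificate whose SAN
carries only a DNS name fails when the collector connects by IP address.
Not RSA or Oracle code; the certificate contents below are constructed samples."""
import ipaddress
from typing import Tuple

# Certificates are expressed in the dict shape that ssl.SSLSocket.getpeercert()
# returns for a verified peer. Both certificates are constructed samples.
CERT_DNS_ONLY = {  # the failing case from the article: no iPAddress entry
    "subject": ((("commonName", "ldap.example.local"),),),
    "subjectAltName": (("DNS", "ldap.example.local"),),
}
CERT_WITH_IP = {  # regenerated certificate that also names the IP address
    "subject": ((("commonName", "ldap.example.local"),),),
    "subjectAltName": (("DNS", "ldap.example.local"), ("IP Address", "10.0.0.25")),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName comparison allowing one leftmost wildcard label
    (so '*.example.local' matches 'ldap.example.local' but not 'example.local'
    or 'a.b.example.local')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and labels[0] != "" and ".".join(labels[1:]) == pattern[2:]
    return False


def endpoint_identification(cert: dict, connect_target: str) -> Tuple[bool, str]:
    """Return (ok, reason). An IP-literal target must equal an 'IP Address' SAN
    entry; a hostname target must match a 'DNS' SAN entry. When a SAN extension
    is present the subject CN is not consulted, which is why a CN alone does not
    help. The IP failure text mirrors the message quoted in the article."""
    sans = cert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(connect_target)
    except ValueError:
        target_ip = None  # not an IP literal, so treat the target as a hostname

    if target_ip is not None:
        for kind, value in sans:
            try:
                if kind == "IP Address" and ipaddress.ip_address(value) == target_ip:
                    return True, f"IP address {connect_target} matches an iPAddress SAN entry"
            except ValueError:
                continue  # malformed SAN value: ignore it rather than crash
        return False, f"No subject alternative names matching IP address {connect_target} found"

    for kind, value in sans:
        if kind == "DNS" and _dns_name_matches(value, connect_target):
            return True, f"hostname {connect_target} matches dNSName SAN entry {value}"
    return False, f"No subject alternative DNS name matching {connect_target} found"


def remediation_options(cert: dict, connect_target: str) -> list:
    """Summarise what would make the check pass without disabling endpoint
    identification: reissue the certificate with the missing SAN entry, or
    configure the collector with a name the certificate already carries."""
    ok, _ = endpoint_identification(cert, connect_target)
    if ok:
        return []
    options = [f"reissue the LDAP server certificate with a SAN entry for {connect_target}"]
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and "*" not in value:
            options.append(f"point the collector at {value} instead of {connect_target}")
    return options


if __name__ == "__main__":
    for label, cert in (("DNS-only certificate", CERT_DNS_ONLY), ("certificate with IP SAN", CERT_WITH_IP)):
        for target in ("10.0.0.25", "ldap.example.local"):
            ok, reason = endpoint_identification(cert, target)
            print(f"{label:24} target={target:18} {'OK  ' if ok else 'FAIL'} {reason}")
```

Running the block prints one line per certificate and target: the DNS-only certificate fails for 10.0.0.25 with the same message the collector logs, while both certificates pass when the target is the hostname the certificate names. This is the basis for the two non-workaround fixes: regenerate the certificate with the address in its SAN, or configure the collector with the hostname already present in the certificate.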
Resolution: Regenerate the certificate used by the LDAP server with the correct Subject Alternative Name value. Follow the LDAP server documentation on how to regenerate the LDAP server certificate.
Workaround: As per the Oracle Java release notes, endpoint identification can be disabled. Note that this turns off the check that the presented certificate actually names the server being contacted, so the Resolution above remains the preferred fix.

...
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.


To accomplish this in RSA Identity Governance & Lifecycle:

  1. Add the following option to the Java Options (Arguments) for the Application server:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Note:

  • For WildFly/JBoss, edit the /etc/init.d/aveksa_server file and add the new option to the JAVA_OPTS line.
  • For WebSphere, log in to the Admin Console and add the new option to the Generic JVM arguments.
  • For WebLogic, log in to the Admin Console and, in the Server Start tab, add the new option to the Arguments field.

  2. Once the change has been made, restart the Application Server.
Notes

  1. To examine the server-side certificate, use the following command:

openssl s_client -showcerts -connect n.n.n.n:636

where n.n.n.n is the IP address of the server reported in the error.

  2. A similar issue, and a procedure to update the RSA Identity Governance & Lifecycle server certificate, is documented in article 000030130 - How to replace the server certificate used for the RSA Identity Governance & Lifecycle appliance web administration interface, which uses the keytool -ext option to add the correct Subject Alternative Name value. For updating the LDAP server certificate, follow the respective LDAP server documentation.
