This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

The RSA Identity Governance & Lifecycle AD Collector and AD ADC authentication source fail to establish a TLS 1.2 SSL connection with the AD LDAP server

Article Number

000036459

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.0, 7.0.1, 7.0.2
 

Issue

The RSA Identity Governance & Lifecycle AD Collector and AD ADC authentication source fail with the following error in the aveksaServer.log file (/home/oracle/wildfly-8.2.0.Final/standalone/log/aveksaServer.log):
  
06/18/2018 00:15:00.416 ERROR (ApplyChangesRegularThread-103) [com.aveksa.collector.accountdata.LdapAccountDataReaderConfig] Error in getting connection to UserDirectory , Root Cause : 
javax.naming.NamingException: JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader com.aveksa.client.datacollector.framework.CollectorClassLoader@1395c8ec 
[Root exception is javax.naming.CommunicationException: simple bind failed: 192.168.1.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]
...
Caused by: javax.naming.CommunicationException: simple bind failed: 192.168.1.1:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: .
	...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target
	...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	..
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

A tcpdump packet trace of the SSL negotiation shows the SSL failure as Internal Error (80):
  
Secure Sockets Layer
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Internal Error (80)

Cause

This issue may occur if the TLS 1.2 SSL handshake is unable to complete the negotiation of an acceptable cipher during the SSL handshake.   Specifically, the Internal Error (80) relates to a failure of the JDK shared libraries to support TLS 1.2 negotiation.  All current patches of RSA Identity Governance & Lifecycle have the ability to support TLS 1.2 SSL, but there are dependencies on the JDK version that is installed.  Without the appropriate JDK installed, the TLS 1.2 SSL negotiation may fail. 

Resolution

Ensure that you have applied the latest RSA Identity Governance & Lifecycle Java JDK upgrade that is included with the RSA Identity Governance & Lifecycle patch for your version.  Refer to the release notes for the patch for information on how to download and install the JDK upgrade. 
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 08:34 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.