LDAP connection broken after applying API Gateway patch
Article ID: 115251
Products
STARTER PACK-7
CA Rapid App Security
CA API Gateway
Issue/Introduction
Once the update is applied, any APIs that use the LDAP host, the connection test in the Identity Provider window, and even logins to Policy Manager using LDAP credentials will fail.
This is the output seen in ssg_0_0.log:
com.l7tech.server.identity.ldap.LdapUrlProviderImpl: Trying to recover using this url: ldaps://ldaphost_name:636
com.l7tech.server.identity.ldap.LdapIdentityProviderImpl: Could not establish context using LDAP URL ldaps://ldaphost_name:636. ldaphost_name:636. Caused by: No name matching ldaphost_name found
If additional SSL debugging was enabled and sent to a dedicated debug log on the Gateway, this is the output:
%% Invalidated: [Session-281, TLS_RSA_WITH_AES_256_CBC_SHA256]
tomcat-exec-executor-497, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
tomcat-exec-executor-497, WRITE: TLSv1.2 Alert, length = 2
tomcat-exec-executor-497, called closeSocket()
tomcat-exec-executor-497, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching ldaphost_name found
Environment
CA API Gateway 9.3 CR03
Any LDAP technology that requires certificate verification to connect to a secure port.
This can also happen when applying the 9.2 CR10 patch.
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Resolution
This JDK update essentially means that the certificate must carry a name matching the endpoint's host name for the connection to succeed. This is accomplished by including Subject Alternative Names in the certificate. The SAN list would carry any and all host names (not IP addresses) that the Gateway uses as "ldaphost_name", including aliases for load balancers. Unfortunately the Policy Manager for API Gateway 9.3 cannot add SANs to a Certificate Signing Request; this must be done by another method such as OpenSSL.
The workaround is to use the setting supplied in the Java release notes.
For the Gateway this means adding the line below to /opt/SecureSpan/Gateway/runtime/etc/profile.d/ssgruntimedefs.sh
Oracle did not fix a vulnerability but rather imposed a "secure by default" stance on identity verification (i.e. certificate verification). Using the com.sun.jndi.ldap.object.disableEndpointIdentification flag therefore does not introduce any security regression relative to the previous behaviour. However, the stronger security posture Oracle is proposing requires the deployment to have a tighter certificate management regime: the certificate provisioned to the LDAP server must carry a name matching the host name the API Gateway uses to connect to it.
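As an added diagnostic (not part of this article or of the Gateway product), the Python script below applies the same name-matching rules the JDK uses once endpoint identification is enabled, so you can confirm whether the LDAP server certificate carries a name matching ldaphost_name before deciding between reissuing the certificate and setting the flag. It assumes the certificate dictionary shape returned by Python's ssl.getpeercert() and, for the live check, a CA file that validates the LDAP server's chain; the host and SAN values in the comments are constructed.

```python
import ipaddress
import socket
import ssl


def _is_ip_literal(name):
    try:
        return bool(ipaddress.ip_address(name))
    except ValueError:
        return False


def _dns_matches(pattern, hostname):
    """RFC 6125 style: exact match, or a single leftmost '*' covering one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # wildcard must be the whole leftmost label and leave at least two fixed labels
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def endpoint_identification(hostname, cert):
    """Return (ok, reason) for a cert in the dict shape ssl.getpeercert() returns."""
    sans = cert.get("subjectAltName", ())
    if _is_ip_literal(hostname):
        # an IP literal is compared only against SAN iPAddress entries, never the CN
        ips = [v for kind, v in sans if kind == "IP Address"]
        if any(ipaddress.ip_address(v) == ipaddress.ip_address(hostname) for v in ips):
            return True, "matched SAN iPAddress"
        return False, f"No name matching {hostname} found (IP SANs: {ips})"
    dns = [v for kind, v in sans if kind == "DNS"]
    if dns:
        # once any dNSName SAN exists the subject CN is ignored entirely
        if any(_dns_matches(s, hostname) for s in dns):
            return True, "matched SAN dNSName"
        return False, f"No name matching {hostname} found (DNS SANs: {dns})"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_matches(cn, hostname) for cn in cns):
        return True, "matched subject CN (no DNS SAN present)"
    return False, f"No name matching {hostname} found (CN: {cns}, no DNS SAN)"


def check_ldaps_server(hostname, port=636, cafile=None):
    """Validate the live chain against cafile, then run the name check ourselves."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # report the mismatch instead of raising on it
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return endpoint_identification(hostname, tls.getpeercert())
```

Run check_ldaps_server("ldaphost_name") with the exact host name configured in the Gateway's identity provider; a False result with the "No name matching" reason is the same condition the JDK reports in ssg_0_0.log.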