Secure LDAP fails - No subject alternative DNS name matching XX.XX found
Article ID: 116938
Updated On:
Products
CA Process Automation Base
Issue/Introduction
While we were testing out processes that were migrated from our old environment which is 4.3.02 w/ Java 1.7.0_79 we couldn't communicate with AD on port 636. I followed the same process in the new envirionment to import the certificates into the jssecacerts file and updated c2osvcw.conf with the path and password and then restarted services. Communication refused to AD and the c2o.log file shows numerous references to the following error: Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching XX.XX found -- where XX.XX is the load balancer name for multiple Domain Controllers. It was confirmed with the Directory Services Team that each server only lists the servername in the Subject field of the local cert but does not contain an alternative DNS name with the load balancer name. The old version of Java does not seem to have this requirement. What do we need to update in the configuration files to prevent Java 1.8 from verifying host names?
Environment
CA Process Automation 4.3 SP03
Java 1.8 update 181
Windows OS
Java 1.8 update 181
Windows OS
Cause
There has been a change with Java for verification of the servernames. Because SubjectAltNames is not part of the certificate, there verification fails because it is only seeing the servername of the DC that the connection has been made with. For Java, the certificate shows the load balancer name.
Resolution
Adding -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to c2osvcw.conf as a java option resolved the name verification issue for the load balanced DCs.
Stop the CA Process Automation service(s).
Open c2osvcw.conf located in /c2o/bin in a text editor
Scroll to the bottom of the file and add the line:
wrapper.java.additional.16=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
The number 16 above is an incremental number. If the last lines in the file are something like:
wrapper.java.additional.13=-server
wrapper.java.additional.14=-Xdebug
wrapper.java.additional.15=-Xrunjdwp:transport=dt_socket,address=2144,server=y,suspend=n
Adding this new line will be numbered "16". Make sure you verify the number or the application will not start correctly.
Stop the CA Process Automation service(s).
Open c2osvcw.conf located in /c2o/bin in a text editor
Scroll to the bottom of the file and add the line:
wrapper.java.additional.16=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
The number 16 above is an incremental number. If the last lines in the file are something like:
wrapper.java.additional.13=-server
wrapper.java.additional.14=-Xdebug
wrapper.java.additional.15=-Xrunjdwp:transport=dt_socket,address=2144,server=y,suspend=n
Adding this new line will be numbered "16". Make sure you verify the number or the application will not start correctly.
Additional Information
For CA Process Automation installed on Linux, make the following change in c2osvrd.sh which is located in /usr/local/CA/PAM/server/c2o
In the section for SVRDEFINES="
The last line of the file section shows
-Duser.country="US""
Change this last line to
-Duser.country="US" \ (please note removal of the second double quotation, a space then the backslash)
Then add the following line below that
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification="true"" (please note two double quotation marks to close the section properly)
The last two lines should look like:
-Duser.country="US" \-Dcom.sun.jndi.ldap.object.disableEndpointIdentification="true""
Feedback
Yes
No
Powered by
