We recently upgraded Spectrum and have SSL enabled for LDAP (LDAPS). We were able to log in successfully before the upgrade, but now we are not able to do so. We enabled "SSORB Security SP" debugging for OneClick Tomcat, and the debug messages show a specific error:
Aug 28, 2019 10:25:32.488 - Connection Exception: javax.naming.CommunicationException: Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present]
Jan 06, 2021 10:04:05.424 - Connection problem: javax.naming.CommunicationException: javax.naming.CommunicationException: CORP.COM:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching CORP.COM found.]
The same error also appears when the connection is made directly to an IP address:
Nov 18, 2021 14:20:01.643 - Connection Exception: javax.naming.CommunicationException: xx.xx.x.x:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address xx.xx.x.x found]
Nov 18, 2021 14:20:01.643 - Connection problem: javax.naming.CommunicationException: SPC-OCA-10490: Could not connect to the external authentication server.
Component : Spectrum Core / SpectroSERVER
- Java update Java8U192
- This update introduces a requirement that the LDAP server's SSL certificate carry a Subject Alternative Name (SAN) matching the host Spectrum connects to
- Older certificates previously loaded into the cacerts keystore may lack a SAN (Subject Alternative Name), and this causes the error
To resolve this issue, it is recommended to have the Certificate Authority generate a new SSL certificate that includes a SAN matching the LDAP server hostname.
Verify that the SAN is present in the certificate presented by the LDAP server using OpenSSL (replace the LDAP server name and port as necessary):
openssl s_client -showcerts -connect www.domain.com:443
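The comparison Java performs during endpoint identification, as an added shell example (not part of this KB article or of Spectrum): it pulls the SAN entries out of the certificate text and tests whether the host written in the LDAP URL is covered by a DNS or IP Address entry. The certificate text, hostnames and the live-server command in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the KB article: check whether the host Spectrum uses in its
# LDAP URL is covered by the server certificate's Subject Alternative Name, the same
# test Java's LDAPS endpoint identification performs. Needs only sh, awk and tr.
# Print the SAN entries of a certificate, one per line.
# Input on stdin: the output of `openssl x509 -noout -text`.
san_entries() {
  awk '/X509v3 Subject Alternative Name/ {
         getline; gsub(/^[ \t]+/, ""); n = split($0, a, /, */)
         for (i = 1; i <= n; i++) print a[i]; exit }'
}
# Return 0 when HOST (hostname or IP literal, exactly as written in the LDAP URL)
# matches a DNS: or IP Address: entry read from stdin. A wildcard covers one label.
san_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  while IFS= read -r entry; do
    case "$entry" in
      "IP Address:"*)
        [ "$host" = "${entry#IP Address:}" ] && return 0 ;;
      DNS:\*.*)
        suffix=$(printf '%s' "${entry#DNS:\*}" | tr 'A-Z' 'a-z')   # e.g. ".corp.com"
        label=${host%"$suffix"}
        [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ] && return 0 ;;
      DNS:*)
        [ "$host" = "$(printf '%s' "${entry#DNS:}" | tr 'A-Z' 'a-z')" ] && return 0 ;;
    esac
  done
  return 1   # no SAN at all, or no matching entry: Java raises CertificateException
}
# ldaps_name_matches HOST CERT_TEXT -> 0 if HOST is covered by the certificate's SAN.
ldaps_name_matches() {
  printf '%s\n' "$2" | san_entries | san_matches "$1"
}
# Constructed certificate text, shaped like the SAN block `openssl x509 -text` prints.
SAMPLE_CERT_TEXT='Certificate:
        Subject: CN = ldap01.corp.com
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:ldap01.corp.com, DNS:*.corp.com, IP Address:10.0.0.5'
# Against a live server (hostname and port are placeholders for your LDAP server):
#   openssl s_client -connect ldap01.corp.com:636 </dev/null 2>/dev/null \
#     | openssl x509 -noout -text | san_entries | san_matches ldap01.corp.com
for name in ldap01.corp.com LDAP02.corp.com 10.0.0.5 CORP.COM 10.0.0.6; do
  ldaps_name_matches "$name" "$SAMPLE_CERT_TEXT" && echo "$name: covered by SAN" \
    || echo "$name: NOT covered, endpoint identification will fail"
done
```

A bare domain such as CORP.COM is not covered by a *.corp.com wildcard, which is exactly the "No subject alternative DNS name matching CORP.COM found" case from the log above.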
This error can also occur if the LDAP integration does not use referrals. Out of the box, Spectrum is configured with LDAP referral set to "follow". Change this to "ignore" in $SPECROOT/tomcat/webapps/spectrum/META-INF/context.xml, then cycle Tomcat.
There is also a workaround: disable endpoint identification by setting the system property com.sun.jndi.ldap.object.disableEndpointIdentification=true
On Windows:
1. edit <SPECROOT>/tomcat/bin/OneClickServer.conf and add the following line:
jvm_opt=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
2. restart Tomcat
On Linux:
1. edit <SPECROOT>/tomcat/bin/catalina.sh and add the following to the JAVA_OPTS:
JAVA_OPTS="-DOneClick -server -Xmx4096M -XX:+HeapDumpOnOutOfMemoryError -Djava.awt.headless=true -Djavax.net.ssl.trustStore=$SPECROOT/custom/keystore/cacerts -Dfile.encoding=UTF-8 -Dcom.sun.management.jmxremote -Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=true -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
2. restart Tomcat
https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html?printOnly=1
To resolve the issue, either:
Solution: Regenerate the LDAP server certificate so that its Subject Alternative Name, or its Subject name, matches the LDAP server host.
Workaround: Disable endpoint identification by setting the system property com.sun.jndi.ldap.object.disableEndpointIdentification=true
The result is an SSLHandshake error caused by a certificate name mismatch. There is a flag (com.sun.jndi.ldap.object.disableEndpointIdentification) to revert the behavior, but it makes for a less secure connection and is not the recommended solution. IBM recommends fixing the certificate on the LDAP server side.
Reference :
https://developer.ibm.com/answers/questions/475181/how-to-fix-this-ldap-ssl-error-javasecuritycertcer/
Alternative Error Message: "No subject alternative DNS name matching xxxxxxxxxxx.net found"