SSL Handshake Error Running RoleDefGenerator.sh

Article ID: 139834

Updated On: 10-11-2023

Products

CA Identity Manager

Issue/Introduction

After creating a custom DYN connector using Connector Xpress, I need to build the Role Definition jar that is deployed on Identity Manager. However, when I run /opt/CA/Identity_Manager/IAM_Suite/Identity_Manager/tools/RoleDefinitionGenerator/bin/RoleDefGenerator.sh, i.e.

  # ./RoleDefGenerator.sh -d im -h <hostname> -u etaadmin <DYN Connector Name>

I get the following SSL handshake exception:

com.ca.iam.model.IAMCommunicationException: javax.naming.CommunicationException: <hostname>:20390 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching <hostname> found]
         at com.ca.iam.model.impl.IAMServerImpl.namingExceptionToIAMException(IAMServerImpl.java:345)
         at com.ca.iam.model.impl.IAMServerImpl.translateNamingException(IAMServerImpl.java:380)
         at com.ca.iam.model.impl.ETAServer.init(ETAServer.java:92)
         at com.ca.iam.model.IAMServer.newInstance(IAMServer.java:545)
         at com.ca.iam.roledefgen.RoleDefGenerator.main(RoleDefGenerator.java:368)
 Caused by: javax.naming.CommunicationException: <hostname>:20390 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching <hostname> found]
         at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
         at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
         at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1615)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
         at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
         at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
         at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
         at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
         at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
         at javax.naming.InitialContext.init(InitialContext.java:244)
         at javax.naming.InitialContext.<init>(InitialContext.java:216)
         at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
         at com.ca.commons.jndi.beans.ResilientDirContextFactory.testContexts(ResilientDirContextFactory.java:388)
         at com.ca.commons.jndi.beans.ResilientDirContextFactory.invoke(ResilientDirContextFactory.java:440)
         at com.sun.proxy.$Proxy25.search(Unknown Source)
         at com.ca.commons.jndi.beans.JNDIBeanStore$JNDIObjectProcessor.doSearch(JNDIBeanStore.java:1797)
         at com.ca.commons.jndi.beans.JNDIBeanStore.action(JNDIBeanStore.java:617)
         at com.ca.iam.model.impl.ETAServer.init(ETAServer.java:78)
         ... 2 more
 Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching <hostname> found
         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
         at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
         at com.sun.jndi.ldap.Connection.createSocket(Connection.java:394)
         at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
         ... 21 more
 Caused by: java.security.cert.CertificateException: No name matching <hostname> found
         at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
         at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
         at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
         at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1026)
         at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993)
         at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
         ... 30 more
 Nov 04, 2019 11:43:45 AM com.ca.iam.roledefgen.RoleDefGenerator main
 WARNING: com.ca.iam.model.IAMCommunicationException: javax.naming.CommunicationException: <hostname>:20390 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching <hostname> found]

Environment

Release: 14.3

Component: Identity Manager

Cause

The SSL handshake exception is caused by a hostname validation failure: the hostname passed with -h does not match the Subject of the Provisioning Server certificate presented on port 20390.

Resolution

As a workaround, edit the /opt/CA/Identity_Manager/IAM_Suite/Identity_Manager/tools/RoleDefinitionGenerator/bin/RoleDefGenerator.sh file and add

     -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

to the systemProps variable. This system property turns off LDAPS hostname verification in the JDK's JNDI LDAP client (validation of the certificate chain against the truststore is unaffected), so the tool accepts the Provisioning Server certificate even though its Subject does not match the hostname given with -h.
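The following diagnostic is an added example, not part of this article or of the CA tooling. It reproduces the name comparison the JDK performs (subjectAltName dNSName entries first, the Subject CN only when the certificate has none, which is the path that produces the "No name matching <hostname> found" text seen above) against a constructed certificate, and optionally fetches the real Provisioning Server certificate with the chain verified but the hostname check skipped, the same trade-off the disableEndpointIdentification property makes. The host name provserver.corp.example and the sample certificate are assumptions.

```python
import socket
import ssl

def cert_names(cert):
    """Names the JDK's HostnameChecker compares the -h value against: subjectAltName
    dNSName entries first; the Subject CN is consulted only when there are none."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans, "san"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cns[:1], "cn"

def name_matches(pattern, hostname):
    """Case-insensitive DNS match; a leftmost '*' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def diagnose(cert, hostname):
    """Return None on a match, otherwise failure text modelled on the JDK's messages."""
    names, source = cert_names(cert)
    if any(name_matches(n, hostname) for n in names):
        return None
    if source == "san":
        return f"No subject alternative DNS name matching {hostname} found (has {names})"
    return f"No name matching {hostname} found (Subject CN is {names})"

def fetch_trusted_cert(host, port, cafile=None):
    """Validate the chain against cafile (or the system store) but skip the hostname
    check, which is what disableEndpointIdentification=true does in the JNDI client,
    and return the certificate for inspection. Diagnostic use only."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in the shape getpeercert() returns: a certificate issued to the
# short host name only (no SAN), while RoleDefGenerator.sh was given the FQDN.
SAMPLE_CERT = {"subject": ((("commonName", "provserver"),),)}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "provserver.corp.example"
    cert = fetch_trusted_cert(host, 20390) if len(sys.argv) > 1 else SAMPLE_CERT
    print(diagnose(cert, host) or f"{host} matches the certificate")
```

Run with no arguments to see the constructed mismatch, or pass the Provisioning Server hostname (and optionally a CA file) to compare the names in the live certificate with the value you give to -h.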



Additional Information

Role Definition Generator