Can not log into ROC 6.7 after upgrade
Article ID: 185500
Updated On:
Products
Issue/Introduction
We have upgraded our Nolio Release Automation server from 6.6 to 6.7. After completing the upgrade we are able to login with the superuser id/password. But we cannot login with any of our LDAP/AD users.
When trying to login with an LDAP/AD user it generates the following error
HTTP Status 500 - simple bind failed: <ldap server name>:636; nested exception is javax.naming.CommunicationException: simple bind failed: <ldap server name>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <ldap server name> found.]
type Exception report
message simple bind failed: <ldap server name>:636; nested exception is javax.naming.CommunicationException: simple bind failed: <ldap server name>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <ldap server name> found.]
description The server encountered an internal error that prevented it from fulfilling this request.
exception
org.springframework.ldap.CommunicationException: simple bind failed: <ldap server name>:636; nested exception is javax.naming.CommunicationException: simple bind failed: <ldap server name>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <ldap server name> found.]
root cause
javax.naming.CommunicationException: simple bind failed: <ldap server name>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <ldap server name> found.]
root cause
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <ldap server name> found.
root cause
java.security.cert.CertificateException: No subject alternative DNS name matching <ldap server name> found.
Environment
Release : 6.7
Component : Nolio Release Automation Release Operations Center
Cause
One of them is the fact that Nolio Release Automation was configured to use an LDAP/AD server over SSL (LDAPS). If it weren't configured to use LDAPS (ldap over ssl) then this error would not occur. However, that would mean that all of the users that log into the Nolio RA server would have their username and passwords sent (from the Nolio RA server to the LDAP server) over clear text. So ldap over ssl is ideal.
Another key item is that Nolio RA is likely configured to point to a server alias - not the actual/physical server. This is why
The other key item causing this is the version of OpenJDK being used by Nolio RA. In version 6.6.0 it used Oracle Java 1.8.0_u162. Version 6.7.0 of Nolio RA uses OpenJDK 1.8.0_u232. This was not an issue with Java 1.8.0_u162. It did not become an issue until 1.8.0_u181. Specifically, it was introduced by an update made in u181 to make things more secure as noted here:
https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable endpoint identification algorithms.
Resolution
Option 1:
Configure Nolio RA to communicate directly with the LDAP/AD server - not the alias.
Option 2:
Update the certificate on the LDAP/AD server to include a Subject Alternative Name referencing the alias you are using in Nolio RA to communicate with that server/service.
Option 3:
Change the Nolio RA configuration to NOT communicate with your LDAP/AD server using ldap over ssl. This requires you do deselect the SSL checkbox and to also specify a non-ldaps port (often port 389).
Option 4:
Update Nolio RA startup files to disable endpoint identification. The steps for this vary depending on whether your Nolio RA server is on Windows or Linux. See additional information for more details.
Additional Information
Here are the steps you can take to disable endpoint identification on Windows:
- Stop NolioServer service.
- Create a backup of your RA_HOME\bin\NolioService.bat
- Open NolioService.bat and change:
From:
"%EXECUTABLE%" //US//%SERVICE_NAME% --JvmOptions "-Dcatalina.base=%CATALINA_BASE%;-Dcatalina.home=%CATALINA_HOME%;-Djava.endorsed.dirs=%CATALINA_HOME%\endorsed;-Duser.country=US;-Duser.language=en;-Djava.library.path=%CATALINA_BASE%\bin" --StartMode jvm --StopMode jvm --Startup auto --StartPath "%CATALINA_HOME%"
To:
"%EXECUTABLE%" //US//%SERVICE_NAME% --JvmOptions "-Dcatalina.base=%CATALINA_BASE%;-Dcatalina.home=%CATALINA_HOME%;-Djava.endorsed.dirs=%CATALINA_HOME%\endorsed;-Duser.country=US;-Duser.language=en;-Djava.library.path=%CATALINA_BASE%\bin;-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true" --StartMode jvm --StopMode jvm --Startup auto --StartPath "%CATALINA_HOME%"
- Save and close the file.
- Open a command prompt and cd to RA_HOME. Then run: nolio_server_remove_service.cmd
- Confirm the service has been removed from services.msc
- From the command prompt, run: nolio_server_install_service.cmd
- Start NolioServer service
Disable Endpoint Identification on Linux:
Here are the steps you can take to disable endpoint identification on Linux:
- Stop NolioServer service.
- Create a backup of your RA_HOME/bin/catalina.sh
- Open catalina.sh and change:
From:
JAVA_OPTS="$JAVA_OPTS -Duser.country=US -Duser.language=en"
To:
JAVA_OPTS="$JAVA_OPTS -Duser.country=US -Duser.language=en -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
- Save and close the file.
- Start NolioServer service
Feedback
