
JCS unable to connect to a DYN LDAP over SSL


Article ID: 201580


Updated On:

Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

A custom DYN LDAP endpoint type connector has been created.

When attempting to connect to the endpoint, the following error is observed in jcs_daily.log:

2020-10-15 16:20:36,894 313011 [ApacheDS Worker-thread-14] ldap1_test1 (BaseConnector.java:599) ERROR  - eTDYNDirectoryName=test1,eTNamespaceName=ldap1,dc=im,dc=etasa: failed to connect to managed system
javax.naming.CommunicationException: simple bind failed: ldap1.dom.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
..
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)[:1.8.0_60]
 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)[:1.8.0_60]
 at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)[:1.8.0_60]
 at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)[:1.8.0_60]
 at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)[:1.8.0_60]
 at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)[:1.8.0_60]
 at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)[:1.8.0_60]
 at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)[:1.8.0_60]
 at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)[:1.8.0_60]
 at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)[:1.8.0_60]
 ... 71 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
 at sun.security.ssl.InputRecord.read(InputRecord.java:505)[:1.8.0_60]
 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)[:1.8.0_60]
 ... 80 more

Cause

The default security protocol used by the JCS is rejected by the endpoint.

Environment

Release : 14.x

Component : IdentityMinder(Identity Manager)

Resolution

Disable the security protocol that is not supported / is rejected by the endpoint.

1. Open the java.security file, which is available at the following location:
    ConnectorServer/jvm/lib/security/

2. Add SSLv2Hello to the jdk.tls.disabledAlgorithms parameter:
    jdk.tls.disabledAlgorithms = SSLv3, SSLv2Hello, ECDH, ECDHE, RC4, DH keySize < 768

3. Restart the JCS service
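To apply step 2 without hand-editing, here is an added helper (example code, not part of Broadcom's product or this article) that appends an entry to jdk.tls.disabledAlgorithms while honouring the backslash line continuations the shipped java.security uses, so a naive single-line search-and-replace does not drop the wrapped entries. The java.security content below is constructed for the example; in practice feed it the contents of ConnectorServer/jvm/lib/security/java.security from step 1.

```python
import re

KEY = "jdk.tls.disabledAlgorithms"
_PROP = re.compile(r"(\s*" + re.escape(KEY) + r"\s*[=:]\s*)(.*)$")

# Constructed java.security fragment (not a real JDK file). The shipped file
# spreads this property over lines joined by a trailing backslash.
SAMPLE_JAVA_SECURITY = """\
securerandom.source=file:/dev/random
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5
"""

def _logical_lines(text):
    """Yield (first, last, joined) per logical line, merging backslash
    continuations the way java.util.Properties does."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        first, joined = i, lines[i]
        while joined.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            joined = joined.rstrip()[:-1] + lines[i].lstrip()
        yield first, i, joined
        i += 1

def get_disabled_algorithms(text):
    """Return the entries of jdk.tls.disabledAlgorithms, or None if absent."""
    for _, _, joined in _logical_lines(text):
        m = _PROP.match(joined)
        if m:
            return [e.strip() for e in m.group(2).split(",") if e.strip()]
    return None

def disable_algorithm(text, algorithm):
    """Return text with algorithm appended to jdk.tls.disabledAlgorithms.
    Idempotent: an entry already present (case-insensitively) is not repeated."""
    lines = text.splitlines()
    for first, last, joined in _logical_lines(text):
        m = _PROP.match(joined)
        if not m:
            continue
        entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
        if any(e.lower() == algorithm.lower() for e in entries):
            return text
        lines[first:last + 1] = [m.group(1) + ", ".join(entries + [algorithm])]
        return "\n".join(lines) + "\n"
    return "\n".join(lines + [f"{KEY}={algorithm}"]) + "\n"
```

Run it against a copy of the file and diff the result before replacing the original and restarting the JCS, since jdk.tls.disabledAlgorithms affects every TLS connection the JVM makes.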

Additional Information

Further information about TLS configuration can be found at https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/reference/advanced-configuration-options/domain-configuration/tls-configuration.html#concept.dita_5a99004c2006c1391c8e361760325fb57fe2f0a3_DisableTLSv10andTLSv11forJCSLDAPServer

For additional SSL-related troubleshooting, SSL-related logging can be enabled for the JCS service.

In a Windows-based deployment, this is done by editing the registry and adding

-Djavax.net.debug=ssl:handshake:verbose

to the startup parameters via the Options value under the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ComputerAssociates\Identity Manager\Procrun 2.0\im_jcs\Parameters\Java

In a Linux-based deployment, this is done by adding -Djavax.net.debug=ssl:handshake:verbose to ../bin/im_jcs

After the JCS service is restarted, jcs_service_stdout.log should include additional SSL-related details (the handshake messages exchanged with the endpoint) that can be used for troubleshooting.

Other Useful Links:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html

https://access.redhat.com/solutions/973783

 
