A custom DYN LDAP endpoint type connector has been created.
When attempting to connect to the endpoint, the following error is observed in jcs_daily.log:
2020-10-15 16:20:36,894 313011 [ApacheDS Worker-thread-14] ldap1_test1 (BaseConnector.java:599) ERROR - eTDYNDirectoryName=test1,eTNamespaceName=ldap1,dc=im,dc=etasa: failed to connect to managed system
javax.naming.CommunicationException: simple bind failed: ldap1.dom.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]
..
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)[:1.8.0_60]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)[:1.8.0_60]
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)[:1.8.0_60]
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)[:1.8.0_60]
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)[:1.8.0_60]
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)[:1.8.0_60]
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)[:1.8.0_60]
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)[:1.8.0_60]
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)[:1.8.0_60]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)[:1.8.0_60]
... 71 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:505)[:1.8.0_60]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)[:1.8.0_60]
... 80 more
Release : 14.x
Component : IdentityMinder(Identity Manager)
The endpoint rejects the default security protocol used by the JCS JVM and closes the connection during the TLS handshake.
Disable the security protocol that is not supported or is rejected by the endpoint:
1. Open the java.security file, which is available at the following location:
ConnectorServer/jvm/lib/security/
2. Add SSLv2Hello to the jdk.tls.disabledAlgorithms parameter:
jdk.tls.disabledAlgorithms = SSLv3, SSLv2Hello, ECDH, ECDHE, RC4, DH keySize < 768
3. Restart the JCS service
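Step 2 is easy to get wrong by hand because the shipped entry is usually split across several backslash-continued lines. The following Python helper is added here as an illustration and is not part of the product or of Broadcom's documentation: it joins continued lines the way java.security does, ignores commented-out copies of the property, and appends the protocol only if it is not already listed. The SAMPLE excerpt is constructed, not a real java.security file.

```python
import re

# Matches the active (uncommented) jdk.tls.disabledAlgorithms property; group 1 keeps
# the key and "=" exactly as written so the file's own spacing is preserved.
_KEY_RE = re.compile(r"^(\s*jdk\.tls\.disabledAlgorithms\s*=\s*)(.*)$")

def _logical_lines(lines):
    """Yield (first_idx, last_idx, joined_text) for each logical property line,
    joining backslash-continued physical lines the way java.security does."""
    i = 0
    while i < len(lines):
        start, buf = i, lines[i]
        while buf.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            buf = buf.rstrip()[:-1] + lines[i].lstrip()
        yield start, i, buf
        i += 1

def disabled_algorithms(text):
    """Return the entries of the active jdk.tls.disabledAlgorithms property (empty if none)."""
    for _, _, logical in _logical_lines(text.splitlines()):
        m = _KEY_RE.match(logical)
        if m:
            return [e.strip() for e in m.group(2).split(",") if e.strip()]
    return []

def disable_algorithm(text, algo):
    """Return (new_text, changed): `algo` appended to the active property if it is not
    already listed. Commented-out copies are left alone; a missing property is created."""
    lines = text.splitlines()
    for start, end, logical in _logical_lines(lines):
        m = _KEY_RE.match(logical)
        if not m:
            continue
        entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
        if algo in entries:
            return text, False
        entries.append(algo)
        # Collapse the continued physical lines into one rewritten line.
        lines[start:end + 1] = [m.group(1) + ", ".join(entries)]
        return "\n".join(lines) + "\n", True
    lines.append("jdk.tls.disabledAlgorithms=" + algo)
    return "\n".join(lines) + "\n", True

# Constructed java.security excerpt (not a real file) used as sample input.
SAMPLE = """\
#jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=SSLv3, ECDH, ECDHE, \\
    RC4, DH keySize < 768
"""
```

Run disable_algorithm() on the contents of ConnectorServer/jvm/lib/security/java.security with "SSLv2Hello" and write the returned text back before restarting the JCS service.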
Further information about TLS configuration can be found at https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/reference/advanced-configuration-options/domain-configuration/tls-configuration.html#concept.dita_5a99004c2006c1391c8e361760325fb57fe2f0a3_DisableTLSv10andTLSv11forJCSLDAPServer
For additional SSL-related troubleshooting, enable SSL handshake logging for the JCS service.
In a Windows-based deployment, this is done by editing the registry and adding
-Djavax.net.debug=ssl:handshake:verbose
to the startup parameters in the Options value under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ComputerAssociates\Identity Manager\Procrun 2.0\im_jcs\Parameters\Java
In a Linux-based deployment, this is done by adding -Djavax.net.debug=ssl:handshake:verbose to the JVM options in ../bin/im_jcs
The jcs_service_stdout.log should then include additional SSL handshake details that can be used for troubleshooting.
Other Useful Links:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html
https://access.redhat.com/solutions/973783