LDAP / AD connection issue with DE, SSLHandshakeException


Article ID: 226383


Updated On:


CA Workload Automation DE


DE (dSeries) is not able to connect to LDAP. The logs show errors like these:

20XX-XX-XX_00:00:12.345] Unable to create LDAP agent with configuration: LdapServerConfiguration[configurationName=CORPAD, url=ldaps://corpad.example.com:636, adminId=ADMIN, SSLEnabled=true, trustStore=c:/Program Files/CA/WorkloadAutomation/.keystore, index=1]
javax.naming.CommunicationException: simple bind failed: corpad.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching CORPAD found.]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2897)



Release : 12.x

Component : Workload Automation DE (ESP dSeries)


Newer JRE 8 builds now require SubjectAltNames as part of the certificate. The SubjectAltNames must match the LDAP host and domain. If the verification fails, the SSL handshake does not proceed and the DE server is not able to connect to LDAP/AD using LDAPS.


Generate a new certificate for LDAP that has proper SubjectAltNames.
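
One way to confirm that a certificate's SubjectAltNames cover the host used in the LDAPS URL before installing it. This is an added example, not part of the original article or the product. It assumes OpenSSL 1.1.1 or later on the PATH; the function names, host names and the self-signed test certificate are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Host names and file names are constructed for illustration.

# Host part of an LDAP URL, e.g. ldaps://corpad.example.com:636 -> corpad.example.com
ldap_url_host() {
  local h=${1#*://}
  h=${h%%/*}
  printf '%s\n' "${h%%:*}"
}

# Throwaway self-signed certificate with the given DNS SubjectAltNames.
# For a real server, request the same SAN list from your CA instead.
# usage: make_cert <out.pem> <common-name> <dns-name>...
make_cert() {
  local out=$1 cn=$2 san="" name
  shift 2
  for name in "$@"; do san="${san:+$san,}DNS:$name"; done
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
    -addext "subjectAltName=$san" -keyout "$out.key" -out "$out" 2>/dev/null
}

# Exit 0 only if the certificate is valid for the host in the LDAP URL.
# OpenSSL's host check stands in here for the JRE's endpoint identification.
# usage: cert_matches_url <cert.pem> <ldap-url>
cert_matches_url() {
  local host
  host=$(ldap_url_host "$2")
  openssl x509 -in "$1" -noout -checkhost "$host" | grep -q "does match certificate"
}

# Demo: the certificate lists only the FQDN, so a URL that uses a name absent
# from the SAN list is rejected, as in the logged
# "No subject alternative DNS name matching CORPAD found".
demo() {
  local dir url
  dir=$(mktemp -d)
  make_cert "$dir/ldap.pem" corpad.example.com corpad.example.com || return 1
  openssl x509 -in "$dir/ldap.pem" -noout -ext subjectAltName
  for url in ldaps://corpad.example.com:636 ldaps://CORPAD:636; do
    if cert_matches_url "$dir/ldap.pem" "$url"; then echo "OK    $url"
    else echo "FAIL  $url"; fi
  done
  rm -rf "$dir"
}
demo
```

Run cert_matches_url against the new certificate and the exact url value from the LDAP configuration before importing the certificate into the trust store.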



Additional Information

Users may add the following property in the server.properties file for DE (dSeries). However, it is strongly recommended to fix the certificate instead. The property should only be used for short-term or non-production purposes. Bypassing the security check is not recommended, and future updates of the JRE and DE may not support or work with this property enabled.


On Linux/UNIX, edit startServer under bin and add the property at the end of the ARGS section.

ARGS=" -Xms${MIN_HEAP_SIZE}m -Xmx${MAX_HEAP_SIZE}m -Duser.dir=${CAWA_HOME} -Dserver.pidfile=${PID_FILE} -Duser.language=en -Dlog4j.configuration=file:///${CAWA_HOME}/conf/server.log4j.xml -Dlog.directory=${CAWA_HOME}/logs -Dlax.root.install.dir=${CAWA_HOME}/ -Dlog4j.configuratorClass=com.ca.wa.core.engine.log.LogConfigurator -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

On Windows, edit startServer.lax in bin and add the above parameter in the "LAX.NL.JAVA.OPTION.ADDITIONAL" section.

Restart the DE server.