LDAP / AD connection issue with DE, SSLHandshakeException

Article ID: 226383

Products

CA Workload Automation DE

Issue/Introduction

DE (dSeries) is not able to connect to LDAP/AD over LDAPS. The server log shows errors like these:

20XX-XX-XX_00:00:12.345] Unable to create LDAP agent with configuration: LdapServerConfiguration[configurationName=CORPAD, url=ldaps://corpad.example.com:636, adminId=ADMIN, SSLEnabled=true, trustStore=c:/Program Files/CA/WorkloadAutomation/.keystore, index=1]
javax.naming.CommunicationException: simple bind failed: corpad.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching CORPAD found.]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2897)

Environment

Release : 12.x

Component : Workload Automation DE (ESP dSeries)

Cause

Newer JRE 8 builds (8u181 and later) enable endpoint identification on LDAPS connections by default. During the TLS handshake the JVM compares the host name taken from the ldaps:// url (CORPAD in the error above) against the DNS entries in the certificate's SubjectAltName extension. The comparison is case-insensitive but otherwise exact: a short host name does not match a SubjectAltName that carries only the fully qualified name, and the certificate's CN is not consulted once SubjectAltName DNS entries are present. If no entry matches, the handshake is aborted with the SSLHandshakeException shown above and the DE server cannot bind to LDAP/AD over LDAPS.

Resolution

Generate a new certificate for the LDAP/AD server whose SubjectAltName contains a DNS entry for every name DE uses in its ldaps:// url (at minimum the fully qualified host name), issued by a CA that is present in the DE truststore named in the log line (trustStore=...). Install it on the directory server and restart the DE server. Before regenerating, confirm which names the server actually presents: if the fully qualified name is already listed and DE connects by a short name or an alias, the url in the DE LDAP configuration, not the certificate, is what needs to change.
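The check below is an added example and not part of CA Workload Automation DE. It reads the host out of a DE log line in the shape shown above (the log line and host names are constructed), fetches the certificate the LDAPS server presents, and applies the same SubjectAltName DNS rule Java's endpoint identification applies (case-insensitive, label-for-label, wildcard only as the whole leftmost label), reproducing the "No subject alternative DNS name matching ... found" message when there is no match. It assumes the DE truststore is a JKS file exported to PEM with keytool so Python can verify the chain; the export command in the comment is an assumption about the keystore format.

```python
"""Check whether an LDAPS server's certificate carries a SubjectAltName DNS
entry that Java's endpoint identification will accept for the host in a DE
ldaps:// url. Added example; not part of CA Workload Automation DE."""
import re
import socket
import ssl
from urllib.parse import urlsplit

# Constructed log line in the shape DE writes; host names are examples.
SAMPLE_LOG = (
    "Unable to create LDAP agent with configuration: LdapServerConfiguration["
    "configurationName=CORPAD, url=ldaps://corpad.example.com:636, adminId=ADMIN, "
    "SSLEnabled=true, trustStore=c:/Program Files/CA/WorkloadAutomation/.keystore, index=1]"
)


def url_host(log_line):
    """Return the host part of the url=ldaps://... field, i.e. the name the
    JVM compares against the certificate's SubjectAltName DNS entries."""
    m = re.search(r"url=(ldaps?://[^,\]\s]+)", log_line)
    if not m:
        raise ValueError("no url= field in log line")
    return urlsplit(m.group(1)).hostname  # urlsplit lower-cases the host


def san_dns_matches(host, san_dns_names):
    """Simplified form of Java's HostnameChecker rule: case-insensitive,
    label-for-label match; '*' is accepted only as the whole leftmost label,
    matches exactly one label, and may not cover a whole TLD (no '*.com').
    Returns the matching SubjectAltName entry or None."""
    host = host.lower().rstrip(".")
    for san in san_dns_names:
        san_l = san.lower().rstrip(".")
        if san_l == host:
            return san
        if san_l.startswith("*."):
            h_labels, s_labels = host.split("."), san_l.split(".")
            if len(h_labels) == len(s_labels) >= 3 and h_labels[1:] == s_labels[1:]:
                return san
    return None


def diagnose(host, cert):
    """cert has the dict shape ssl.SSLSocket.getpeercert() returns.
    Returns (ok, message); the failure message mirrors the JVM's wording."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        return (False, "certificate has no SubjectAltName DNS entries "
                       "(Java then falls back to the CN only)")
    hit = san_dns_matches(host, sans)
    if hit:
        return (True, f"'{host}' matches SubjectAltName DNS entry '{hit}'")
    return (False, f"No subject alternative DNS name matching {host} found "
                   f"(certificate SANs: {', '.join(sans)})")


def fetch_peer_cert(host, port=636, cafile=None, timeout=5.0):
    """Connect over TLS and return the peer certificate as a dict. The chain
    is verified against cafile (or the system store) but host-name checking
    is turned off so the SAN can be inspected even on a mismatching cert.
    Assumption: the DE truststore is a JKS file; export its CA to PEM with
      keytool -exportcert -rfc -keystore .keystore -alias <alias> -file ca.pem
    and pass that file as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else url_host(SAMPLE_LOG)
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    ok, msg = diagnose(host, fetch_peer_cert(host, cafile=cafile))
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```

Run it as `python3 check_ldaps_san.py corpad.example.com ca.pem` from the DE server itself, so that DNS resolution and any load balancer in the path are the same ones DE sees. A FAIL whose message lists the fully qualified name means the url should use that name; a FAIL listing only other names, or "no SubjectAltName DNS entries", means the certificate has to be reissued as described above.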

Additional Information

As a workaround, the following JVM property can be added to the DE server start-up arguments. It is strongly recommended to fix the certificate instead: the property turns off host-name verification for every JNDI LDAPS connection the JVM makes, so DE will accept any certificate that chains to a CA in its truststore regardless of which host it was issued for, and a certificate obtained from that CA for some other host would allow the directory server to be impersonated. Use it only for short-term or non-production purposes; future updates of the JRE and of DE may not support or honor this property.

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

On Linux/UNIX, edit startServer under bin and append the property at the end of the ARGS section:

ARGS=" -Xms${MIN_HEAP_SIZE}m -Xmx${MAX_HEAP_SIZE}m -Duser.dir=${CAWA_HOME} -Dserver.pidfile=${PID_FILE} -Duser.language=en -Dlog4j.configuration=file:///${CAWA_HOME}/conf/server.log4j.xml -Dlog.directory=${CAWA_HOME}/logs -Dlax.root.install.dir=${CAWA_HOME}/ -Dlog4j.configuratorClass=com.ca.wa.core.engine.log.LogConfigurator -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

On Windows, edit startServer.lax under bin and add the same parameter to the "LAX.NL.JAVA.OPTION.ADDITIONAL" section.

Restart the DE server.