
Delay of 30 sec for ldaps connection via Xpress connector JNDI Connector


Article ID: 243174


Products

CA Identity Suite CA Identity Manager

Issue/Introduction

A custom JNDI connector is used for a specific password reset functionality - achieved by utilizing OpBinding.

The problem we encounter is that opening an ldaps connection takes exactly 30 seconds (very long time).

We analysed the network traces and found out that the custom connector presents a client certificate "eta_server" whose CN does not correspond to the name of the machine and the service account used.

We believe that the 30 second delay is caused by the presentation of a client certificate.

How can one avoid presenting a client certificate during the SSL handshake step from an Xpress connector JNDI?

Cause

Different behavior of the socket factory classes: the default socket factory presents the "eta_server" client certificate during the TLS handshake, while CustomSSLSocketFactory does not.

Environment

Release : 14.x

Component : IdentityMinder(Identity Manager)

Resolution

Adjust the OpBinding code to use CustomSSLSocketFactory instead of the default socket factory:

- Add as line 1 of the script:

    importClass(Packages.com.ca.commons.security.ssl.CustomSSLSocketFactory);

- After the line

    env.put(javax.naming.Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");

  add

    env.put("java.naming.ldap.factory.socket", "com.ca.commons.security.ssl.CustomSSLSocketFactory");

Additional Information

Background on why CustomSSLSocketFactory does not send the client certificate: CustomSSLSocketFactory has two different stores. The first is CAKeyStore, the second is ClientCertKeyStore. CAKeyStore holds all private, root and trusted certificates. ClientCertKeyStore, which would hold client certificates, is NULL, so no client certificate is sent even if the server requests one.