VMware Smart Assurance NCM: LDAP authentication over SSL fails with error "No subject alternative names matching IP address x.x.x.x found"



Article ID: 345336

Products

VMware

Issue/Introduction

Symptoms:

LDAP was configured following the steps listed at https://docs.vmware.com/en/VMware-Smart-Assurance/10.1.4/ncm-installation-guide-1014/GUID-3AB52B96-A1C9-44E1-84C9-24A521E63C39.html

Login to NCM as an LDAP user fails, and $VOYENCE_HOME/ncmcore/logs/powerup.log contains the following error:
2020-02-28 20:53:44,696 DEBUG [com.powerup.configmgr.server.config.impl.SystemConfig] (http-nio-8881-exec-8) Getting user supplied value for config.security.ldap-auth: 0.ldap.server.securityprotocol
2020-02-28 20:53:44,696 DEBUG [com.powerup.configmgr.server.security.impl.LDAPAuthenticator] (http-nio-8881-exec-8) Using security protocol property in the context - ssl
2020-02-28 20:53:44,696 DEBUG [com.powerup.configmgr.server.security.impl.LDAPAuthenticator] (http-nio-8881-exec-8) Getting context for principal = CN=Admin,CN=Users,DC=testdomain,DC=org
2020-02-28 20:53:44,696 ERROR [com.powerup.configmgr.server.security.impl.LDAPAuthenticator] (http-nio-8881-exec-8) Naming exception
javax.naming.CommunicationException: x.x.x.x:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address x.x.x.x found]
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address x.x.x.x found


Environment

VMware Smart Assurance - NCM

Cause

Refer to https://www.oracle.com/java/technologies/javase/8u181-relnotes.html for details. The relevant excerpt from that page is quoted below:

From Java version 8 update 181, to improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.
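The error in the log is the JDK's endpoint identification check failing: NCM is connecting to the directory server by IP address, so the check looks for an iPAddress entry in the certificate's subjectAltName, and the certificate only carries DNS names. The following is an added example (not part of this article or of NCM) that re-implements that matching rule in Python so an administrator can check, from the server certificate's SAN entries, whether a given connection target would pass before deciding to disable the check in CATALINA_OPTS. The SAN entries use the same tuple format that Python's ssl.SSLSocket.getpeercert()['subjectAltName'] returns; the sample certificate data and the 192.0.2.10 address are constructed. The CN fallback that the JDK applies when a certificate has no dNSName SAN at all is deliberately left out.

```python
"""Endpoint identification as applied to an LDAPS connection (added example).

Re-implements the hostname/IP matching rule that the JDK enforces for LDAPS
since 8u181 (RFC 6125 / RFC 2818 style): an IP target must match an iPAddress
SAN exactly; a hostname target must match a dNSName SAN, with a single
leftmost wildcard label allowed. SAN entries are given as
(("DNS", name), ("IP Address", addr), ...) tuples, the shape returned by
ssl.SSLSocket.getpeercert()["subjectAltName"]. All sample data is constructed.
"""
import ipaddress


def _is_ip(target):
    """True when the connection target is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def _dns_matches(pattern, hostname):
    """dNSName match: case-insensitive, one wildcard only in the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, must not stand in for a
    # bare TLD, and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def endpoint_matches(target, san_entries):
    """Return (ok, reason) for connecting to `target` with a cert carrying `san_entries`."""
    if _is_ip(target):
        want = ipaddress.ip_address(target)
        # Only iPAddress SANs count for an IP target; DNS SANs are ignored,
        # which is exactly why the KB's log message appears.
        for kind, value in san_entries:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == want:
                    return True, f"iPAddress SAN {value} matches"
            except ValueError:
                continue
        return False, f"No subject alternative names matching IP address {target} found"
    for kind, value in san_entries:
        if kind == "DNS" and _dns_matches(value, target):
            return True, f"dNSName SAN {value} matches"
    return False, f"No subject alternative DNS name matching {target} found"


# Constructed sample: a directory server certificate issued to DNS names only,
# the usual reason the error appears when NCM is pointed at an IP address.
SAMPLE_SAN = (("DNS", "ldap.testdomain.org"), ("DNS", "*.ad.testdomain.org"))


def diagnose(target, san_entries=SAMPLE_SAN):
    """Print and return the verdict for one connection target."""
    ok, reason = endpoint_matches(target, san_entries)
    print(f"{target:>28}: {'PASS' if ok else 'FAIL'} - {reason}")
    return ok


if __name__ == "__main__":
    # Connecting by IP fails against this certificate; connecting by a name
    # that is present in the SAN passes without disabling endpoint identification.
    diagnose("192.0.2.10")
    diagnose("ldap.testdomain.org")
    diagnose("dc1.ad.testdomain.org")
```

If the hostname check passes, pointing the NCM LDAP server setting at that hostname (or reissuing the server certificate with an iPAddress SAN for the address NCM uses) resolves the handshake failure while keeping the server identity check in place; the system property in the Resolution below removes that check for every LDAPS connection the JVM makes.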

Resolution

Follow the steps below on the NCM Application Server or Combination Server:

a) Execute: service vcmaster stop
b) Take a backup of the /etc/init.d/ncm-as file.
c) Open the file /etc/init.d/ncm-as and add the flag -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true to CATALINA_OPTS, before the closing quote. Save and close the file.
d) Execute: service vcmaster start