We have been observing frequent alerts occurring approximately every hour following the successful import of SSL certificates to our application servers.

Upon reviewing the logs, we have identified occurrences of the following error:

javax.naming.CommunicationException

In addition, we are receiving the following alerts repeatedly via our mail distribution groups:

Unable to connect to LDAP server, configuration name: EXAMPLE-AD
Connection to LDAP server is established, configuration name: EXAMPLE-AD

Errors:

• 20250625 09:04:56.842 [ldap] [ERROR] WSS_cmd_executor_26011: [2025-06-25_09:04:56.842] RetryOperationException with agent LdapAgent[LdapServerConfiguration[configurationName=EXAMPLE-AD, url=ldaps://example.domain.com:3269, [email protected], SSLEnabled=true, trustStore=/opt/CA/WorkloadAutomation/cawa_ldap_truststore.jks, index=10], javax.naming.ldap.InitialLdapContext@2022f932]

com.ca.wa.core.engine.security.ldap.RetryOperationException: javax.naming.CommunicationException: example.domain.com:3269 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching example.domain.com found.]


• 20250625 09:04:56.858 [essential] [INFO] WSS_cmd_executor_26011: [2025-06-25_09:04:56.857] New StatusMessage: [date: Wed Jun 25 09:04:56 PDT 2025, type: SNMP, description: "Cybermation ESP or ESPresso stop trap", variables: "Node name" = Unable to connect to LDAP server, configuration name: EXAMPLE-AD, cause: javax.naming.CommunicationException: example.domain.com:3269 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching example.domain.com found.], "Node version" = 12.4.00.00, "Primary manager name and address" = null:null, "Node type" = ESP dSeries Workload Automation, "Extended status" = dseries.host.com:7500: LDAP connection status]

The root cause of the javax.naming.CommunicationException is an SSL/TLS certificate validation failure.

Specifically, the error message javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching example.domain.com found is the key.

This means:

1. Your dSeries server successfully made a network connection to an IP address resolved from example.domain.com on port 3269. This means it is NOT a firewall or server-down issue.
2. The connection started the secure SSL/TLS handshake process.
3. The LDAP server at that address presented its SSL certificate.
4. Your Java client (dSeries) inspected the certificate and performed a mandatory security check: "Does the hostname I was told to connect to (example.domain.com) match one of the official names listed inside this certificate?"
5. This check failed. The certificate does not contain the name example.domain.com in either its Common Name (CN) or, more importantly, its Subject Alternative Name (SAN) fields.

Thus, For security reasons, Java refuses to trust a certificate that isn't valid for the hostname it's connecting to. This prevents man-in-the-middle (MiTM) attacks, where you might be talking to an imposter server.

There are two primary ways to fix this, ordered from most secure and correct to least.

Solution 1: (Best Practice) Re-issue the LDAP Server Certificate

This is the most secure and proper solution. The team that manages the LDAP/Active Directory server (example.domain.com) needs to generate a new SSL certificate that correctly includes example.domain.com as a Subject Alternative Name (SAN).

Action Steps:

1. Contact your internal Infrastructure or Active Directory team.
2. Inform them that the SSL certificate for the LDAP service running on example.domain.com:3269 needs to be re-issued.
3. Specify that the new certificate must include example.domain.com as a DNS entry in the Subject Alternative Name (SAN) field.

This is the correct long-term fix as it aligns the server's identity with how clients are configured to access it.

Solution 2: (Client-Side Fix) Use the Correct Hostname in the Configuration

It's possible that example.domain.com is an alias or a CNAME, and the certificate was issued for the server's "real" canonical hostname (e.g., ad-example-server-01.americas.internal). If this is the case, you can fix this by changing the configuration on the client side.

Action Steps:

1. Inspect the existing certificate to find out what names it contains. You can do this from any machine with OpenSSL installed (like the WSS agent server itself):
   openssl s_client -connect example.domain.com:3269 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -text | grep -E 'Subject:|DNS:'
   • Look at the output under Subject: for the CN= value.
   • Look at the output under X509v3 Subject Alternative Name: for all the DNS: values.
2. Identify a valid hostname from the list of DNS names in the certificate.
3. Update the dSeries LDAP configuration.
   • Go into your dSeries LDAP configuration for the EXAMPLE-AD LDAP connection.
   • Change the url parameter from ldaps://example.domain.com:3269 to ldaps://<valid_hostname_from_cert>:3269.
   • Important: Ensure the dSeries server can resolve this new hostname via DNS. You can test with ping <valid_hostname_from_cert>.
4. Restart the dSeries or reload the configuration for the change to take effect.