A deployment could hang indefinitely when:
The last point is of particular note, because it results in the hang appearing to be an intermittent issue. The deployment will run successfully when no round robin rotation occurs during deployment execution.
A key symptom of this scenario is the following error in the NAC's nolio_dm_all.log:
[ContinueStageExecutionTask-54571] ERROR (com.nolio.platform.server.dataservices.services.auth.retrieval.authorization.NolioActiveDirectoryAuthorizationRetriever:68) - Error while trying to fetch users authorities from Active Directory using tokenGroups
javax.naming.CommunicationException: simple bind failed: abc.company.com:3269 [Root exception is javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation]
Release Automation versions up to 6.5 use httpclient 4.3.2 with Java 1.8.073. This version of Java and httpclient introduced a check to address the POODLE vulnerability. The check causes a deployment to hang if an IP address / SSL certificate rotation occurs during LDAP authentication.
Release: NOLNAC99000-6.1-Nolio-Automation Center
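Product Development is reviewing this issue with Java and httpclient. In the interim, the following workaround can be implemented to force Java and Tomcat to ignore the certificate change during a round robin rotation. Both settings are JVM system properties, so they apply to every TLS connection made by the Tomcat JVM, not only to the LDAP bind.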
Edit the catalina.sh (Linux/Unix) or the catalina.bat (Windows) and add the following:
JVM_OPTS="$JVM_OPTS -Djdk.tls.allowUnsafeServerCertChange=true -Dsun.security.ssl.allowUnsafeRenegotiation=true"
Ensure that the above line is added before this line:
CATALINA_OPTS="$REMOTE_DEBUG $JVM_OPTS $AGENT_PATHS $JAVA_AGENTS $JAVA_LIBRARY_PATH"
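A way to check the ordering requirement above after editing the file, as an added shell example that is not part of the original article or of the product's scripts. The function name check_catalina, its return codes and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the workaround flags are set on a JVM_OPTS line
# before the line that builds CATALINA_OPTS from $JVM_OPTS.
# Return codes are this example's own convention:
#   0 = both flags set before CATALINA_OPTS   1 = a flag is missing
#   2 = a flag is set after CATALINA_OPTS     3 = no CATALINA_OPTS line found
#   4 = file not readable
check_catalina() {
    [ -r "$1" ] || return 4
    awk '
        # Only uncommented assignments count; "# JVM_OPTS=..." does not match.
        /^[ \t]*JVM_OPTS=/ {
            if (!cert && index($0, "-Djdk.tls.allowUnsafeServerCertChange=true")) cert = NR
            if (!reneg && index($0, "-Dsun.security.ssl.allowUnsafeRenegotiation=true")) reneg = NR
        }
        # First line where CATALINA_OPTS picks up the value of JVM_OPTS.
        /^[ \t]*CATALINA_OPTS=/ && !build && index($0, "$JVM_OPTS") { build = NR }
        END {
            if (!cert || !reneg) exit 1
            if (!build) exit 3
            if (cert > build || reneg > build) exit 2
            exit 0
        }' "$1"
}

# Constructed sample files (not real Release Automation scripts).
flags='-Djdk.tls.allowUnsafeServerCertChange=true -Dsun.security.ssl.allowUnsafeRenegotiation=true'
build='CATALINA_OPTS="$REMOTE_DEBUG $JVM_OPTS $AGENT_PATHS $JAVA_AGENTS $JAVA_LIBRARY_PATH"'
demo_dir=$(mktemp -d)
printf '%s\n' "JVM_OPTS=\"\$JVM_OPTS $flags\"" "$build" > "$demo_dir/good.sh"
printf '%s\n' "$build" "JVM_OPTS=\"\$JVM_OPTS $flags\"" > "$demo_dir/late.sh"
printf '%s\n' "# JVM_OPTS=\"\$JVM_OPTS $flags\"" "$build" > "$demo_dir/commented.sh"
for name in good late commented; do
    rc=0; check_catalina "$demo_dir/$name.sh" || rc=$?
    echo "$name.sh: $rc"
done
rm -rf "$demo_dir"
```

Run the function against the edited catalina.sh; the same check identifies hosts where the flags are still set once the interim workaround is no longer needed.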