  1. OpenAM
  2. OPENAM-13984

Upgrade/Install Document need for stricter Hostname Matching for LDAP certificates



    • 2018.11 - Docs 6.5


      Bug description

      Multiple reports of upgrades from 13.x to 6 failing with the increased security around DNS name matching for LDAP connections.

      How to reproduce the issue

      1. Install certificates that function in AM 13.
      2. Upgrade and see if these certificates fail if they do not match the DNS name exactly.

      Expected behaviour

      If the configuration was functioning before, the customer would expect to still be able to connect to LDAPS after the upgrade.

      Current behaviour

      There is no specific Upgrade or Install step to warn of this requirement/change.

      Work around

      We tried the following Java property: com.sun.jndi.ldap.object.disableEndpointIdentification

      This didn't seem to change the behavior, so it doesn't seem valid. It appears to be a code change and not an underlying Java JDK change.

      Code analysis

      It's required that the certificate hostname match:
      This is a bit buried in the Admin guide. If there is a change, this should be called out as a consideration when upgrading, or in a security advisory.

      Failures in the configuration store will appear as:
      ERROR: Unable to parse product versions for comparison; Current: null war: ForgeRock Access Management Build 70748811ef (2018-October-12 05:22)

      This is caused by:
      ERROR: SMSEntry: Unable to initalize(exception):
      SMSException Exception Code:5
      Message:Unexpected LDAP exception occurred.
      The lower level exception message
      Connect Error: No operational connection factories available

      Caused by: Connect Error: The LDAP connection has failed because an error occurred during the SSL handshake: java.security.cert.CertificateException: No subject alternative DNS name matching HOSTNAME found.
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:206)
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:144)
       at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:113)
       at org.forgerock.opendj.grizzly.GrizzlyLdapSocketConnector$CompletionHandlerAdapter$1.failed(GrizzlyLdapSocketConnector.java:274)
       ... 23 more
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

      Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching HOSTNAME found.





            cristina.herraz Cristina Herraz [X] (Inactive)
            william.hepler William Hepler
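
A pre-upgrade check for the condition described in this issue, added here as an example and not ForgeRock's or the reporter's code: it applies a simplified SAN-first hostname rule to each configured LDAPS host name and flags the ones that would not match. The host names, certificate contents and function names are constructed for illustration; the certificate dictionaries follow the shape of Python's ssl.SSLSocket.getpeercert() output.

```python
# Added example: SAN-first hostname check over constructed getpeercert()-style dicts.
def dns_name_matches(pattern, hostname):
    """Case-insensitive label match; '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # reject '*.com'-style patterns
    return p == h

def check_ldaps_cert(cert, hostname):
    """Return (status, names_checked) for the host name AM is configured with."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if any(dns_name_matches(s, hostname) for s in sans):
        return "ok", sans
    if sans:
        return "san-mismatch", sans   # SAN DNS names exist, none match
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(dns_name_matches(c, hostname) for c in cns):
        return "cn-only", cns         # passes only if CN fallback is accepted
    return "no-match", cns

def audit(connections):
    """connections: iterable of (configured_host, cert). Returns the failures."""
    findings = []
    for host, cert in connections:
        status, names = check_ldaps_cert(cert, host)
        if status != "ok":
            findings.append((host, status, names))
    return findings

# Constructed sample data (hypothetical hosts, not taken from the issue).
CERT_FQDN = {"subject": ((("commonName", "ds1.example.com"),),),
             "subjectAltName": (("DNS", "ds1.example.com"),)}
CERT_WILD = {"subject": ((("commonName", "directory"),),),
             "subjectAltName": (("DNS", "*.example.com"),)}
CERT_CN_ONLY = {"subject": ((("commonName", "ds2.example.com"),),)}

SAMPLE = [("ds1.example.com", CERT_FQDN),      # exact SAN match
          ("ds1", CERT_FQDN),                  # short name in the AM config
          ("DS3.Example.com", CERT_WILD),      # wildcard, case-insensitive
          ("ds3.eu.example.com", CERT_WILD),   # wildcard covers one label only
          ("ds2.example.com", CERT_CN_ONLY)]   # legacy certificate without SAN

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any host reported as san-mismatch, cn-only or no-match needs either a reissued certificate with a matching DNS subject alternative name or a corrected host name in the LDAP connection settings before the upgrade.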