Multiple reports of upgrades from AM 13.x to 6 failing because of the stricter DNS name matching (endpoint identification) now enforced on LDAP connections.
- Install certificates that work in AM 13.
- Upgrade and check whether those certificates fail when they do not match the DNS name exactly.
We tried the following Java property: com.sun.jndi.ldap.object.disableEndpointIdentification
This didn't seem to change the behavior, so it doesn't seem valid; this appears to be a code change and not an underlying Java JDK change.
It's required that the certificate hostname match:
This is a bit buried in the Admin guide. If this is a change in behavior, it should be called out as an upgrade consideration or in a security advisory.
Failures in the configuration store will appear as:
ERROR: Unable to parse product versions for comparison; Current: null war: ForgeRock Access Management 18.104.22.168 Build 70748811ef (2018-October-12 05:22)
This is caused by:
ERROR: SMSEntry: Unable to initalize(exception):
SMSException Exception Code:5
Message:Unexpected LDAP exception occurred.
The lower level exception message
Connect Error: No operational connection factories available
Caused by: Connect Error: The LDAP connection has failed because an error occurred during the SSL handshake: java.security.cert.CertificateException: No subject alternative DNS name matching HOSTNAME found.
... 23 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching HOSTNAME found.
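A pre-upgrade check for the mismatch behind the trace above, added here as an example and not part of AM or ForgeRock's code. It applies RFC 6125 hostname rules the way a Java-style checker does (dNSName SANs first, CN only when no dNSName SAN exists, IP literals only against iPAddress SANs; the wildcard handling is conservative and may be stricter than the JDK's), and `check_live_server` pulls a real LDAPS certificate using the CA file AM already trusts (assumed path passed in `cafile`).

```python
import ipaddress
import socket
import ssl


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style: case-insensitive; '*' only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    if p[0] != "*" or len(p) < 3 or "*" in pattern[1:]:
        return False  # e.g. "*.example.com" is fine, "*.com" and "ld*.x.com" are not
    return len(p) == len(h) and p[1:] == h[1:]  # wildcard never spans a dot


def check_endpoint_identification(host, san_dns=(), san_ip=(), cn=None):
    """Decide as a Java-style hostname checker would; return (ok, reason).
    `host` is the name AM is configured to connect to."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # IP literals are matched only against iPAddress SANs
        if any(ipaddress.ip_address(i) == ip for i in san_ip):
            return True, "matched SAN iPAddress"
        return False, f"No subject alternative names matching IP address {host} found"
    if san_dns:  # once any dNSName SAN exists, the CN is never consulted
        if any(_dns_match(p, host) for p in san_dns):
            return True, "matched SAN dNSName"
        return False, f"No subject alternative DNS name matching {host} found."
    if cn and _dns_match(cn, host):
        return True, "matched subject CN (certificate has no dNSName SAN)"
    return False, f"No name matching {host} found"


def check_live_server(host, port=636, cafile=None):
    """Probe an LDAPS listener with hostname checking off and run the same decision."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain is still verified
    ctx.check_hostname = False  # we want the cert even when the name mismatches
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()  # parsed dict only when the chain verified
    san = cert.get("subjectAltName", ())
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    return check_endpoint_identification(
        host, [v for t, v in san if t == "DNS"],
        [v for t, v in san if t == "IP Address"], cn)
```

Run `check_live_server` against each configuration and user store host before upgrading; a `False` result with the "No subject alternative DNS name" reason is exactly the certificate that will break the AM 6 handshake.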