
ssoadm does not install using Java 1.8.192 and above

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 6.5.0.1
    • Fix Version/s: 6.5.1, 6.5.0.2, 14.1.2.3, 14.1.1.6
    • Component/s: ssoadm
    • Environment:
      AM 6.5.0.1, DS 6.5.0, AM-SSOAdminTools 5.1.2.2
      Oracle OpenJDK 1.8.192 and above
    • Sprint:
      AM Sustaining Sprint 61
    • Story Points:
      5
    • Needs backport:
      No
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      When trying to install ssoadm with Oracle OpenJDK 1.8.192 and above (this includes Java 11), you get the following error message:

      OpenDJ LDAP SDK Grizzly selector thread(1) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 172

      Connect Error: No operational connection factories available

      Using SSL debugging I see in the DS server.out log that there are no cipher suites in common:

      *** ClientHello, TLSv1.2

      RandomCookie:  GMT: 1536504531 bytes = { 22, 164, 124, 160, 118, 208, 96, 164, 233, 218, 251, 10, 43, 2, 54, 153, 73, 185, 95, 41, 162, 111, 115, 198, 154, 108, 87, 191 }

      Session ID:  {}

      Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA]

      Compression Methods: { 0 }

      Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}

      Extension ec_point_formats, formats: [uncompressed]

      Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA

      Extension extended_master_secret

      Extension server_name, server_name: [type=host_name (0), value=openam65.example.com]

      Extension renegotiation_info, renegotiated_connection: <empty>

      ***

      %% Initialized:  [Session-7, SSL_NULL_WITH_NULL_NULL]

      LDAPS 0.0.0.0 port 40636(2) SelectorRunner, fatal error: 40: no cipher suites in common

      javax.net.ssl.SSLHandshakeException: no cipher suites in common

      %% Invalidated:  [Session-7, SSL_NULL_WITH_NULL_NULL]

      LDAPS 0.0.0.0 port 40636(2) SelectorRunner, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure

      LDAPS 0.0.0.0 port 40636(2) SelectorRunner, WRITE: TLSv1.2 Alert, length = 2

      LDAPS 0.0.0.0 port 40636(2) SelectorRunner, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

      Using SSLEngineImpl.

      Using SSLEngineImpl.

      This happens when the AM configuration store DS instance is installed in production mode, which restricts the set of cipher suites the server enables. Ironically, there are no issues with the AM or DS command line tools such as ldapsearch.
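      The handshake trace above can be checked mechanically. As an added example (not from this issue, nor from the AM or DS code), the following Python script parses the ClientHello cipher-suite list out of a javax.net.debug trace, intersects it with a server-side allow-list and reports why the server answered with handshake_failure. The server allow-list is an assumed hardened policy used only for illustration, not DS's actual production-mode cipher list; the trace embedded in the script is the ClientHello quoted in this issue.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: the ClientHello block from the javax.net.debug trace
# quoted in this issue, including the 14 cipher suites ssoadm offered.
CLIENT_HELLO_LOG = """\
*** ClientHello, TLSv1.2
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
***
"""

# ASSUMED server policy, not DS's actual production-mode list: a hardened LDAPS
# listener that only enables AEAD (GCM) suites.
ASSUMED_HARDENED_SERVER: Set[str] = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Matches the "Cipher Suites: [...]" line that javax.net.debug prints for a ClientHello.
_CIPHER_LINE = re.compile(r"^Cipher Suites:\s*\[(?P<suites>[^\]]*)\]", re.MULTILINE)


def parse_client_suites(debug_log: str) -> List[str]:
    """Return the suites listed in the first ClientHello of a javax.net.debug trace,
    in the order the client offered them (that order is the client's preference)."""
    match = _CIPHER_LINE.search(debug_log)
    if match is None:
        return []
    return [s.strip() for s in match.group("suites").split(",") if s.strip()]


def common_suites(client: List[str], server: Set[str]) -> List[str]:
    """Suites both sides support, kept in client preference order."""
    return [s for s in client if s in server]


def _mode(suite: str) -> str:
    # Crude classification of the bulk-cipher mode from the suite name.
    if "_GCM_" in suite or "CHACHA20" in suite:
        return "AEAD"
    if "_CBC_" in suite:
        return "CBC"
    return "other"


def diagnose(debug_log: str, server: Set[str]) -> Dict[str, object]:
    """Explain a 'no cipher suites in common' failure from the client's offer
    and the server's enabled set."""
    client = parse_client_suites(debug_log)
    common = common_suites(client, server)
    client_modes = sorted({_mode(s) for s in client})
    server_modes = sorted({_mode(s) for s in server})
    if not client:
        verdict = "no ClientHello cipher list found in trace"
    elif common:
        verdict = f"handshake can proceed; server would pick from {common}"
    else:
        verdict = (
            "no cipher suites in common: client offers only "
            f"{'/'.join(client_modes)} suites, server enables only "
            f"{'/'.join(server_modes)} suites"
        )
    return {"client": client, "common": common, "verdict": verdict}


if __name__ == "__main__":
    # Hardened server: the trace above yields an empty intersection, which is
    # exactly the condition behind the handshake_failure alert in server.out.
    print(diagnose(CLIENT_HELLO_LOG, ASSUMED_HARDENED_SERVER)["verdict"])
    # Same client against a server that also enables one of the offered CBC suites.
    permissive = ASSUMED_HARDENED_SERVER | {"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"}
    print(diagnose(CLIENT_HELLO_LOG, permissive)["verdict"])
```

      Run it against the server.out of the failing DS instance (with javax.net.debug=ssl:handshake enabled on the server) and the actual enabled suites of the LDAPS listener; an empty "common" list on the client's preferred order is the condition that produces the fatal alert 40 shown above, and the mode summary makes the mismatch visible at a glance.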

      How to reproduce the issue

        1. Install DS 6.5.0 using configuration and CTS store profiles along with production mode.

        2. Install and configure AM 6.5.0.1 using the external DS as the config/cts stores and use secure connections, i.e. HTTPS. You will also have to import the DS server cert into the JVM truststore.

        3. Attempt to install ssoadm.

      Expected behaviour

      ssoadm is installed successfully.

      Current behaviour

      Installation fails with:

      OpenDJ LDAP SDK Grizzly selector thread(1) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 172
      Connect Error: No operational connection factories available

      Workaround

      None

      
      

              People

              • Assignee: kamal.sivanandam@forgerock.com Kamal Sivanandam
              • Reporter: tom.jones Tom Jones
              • Votes: 0
              • Watchers: 13
