Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 6.5.0.1
Component/s: ssoadm
Labels:
Environment: AM 6.5.0.1, DS 6.5.0, AM-SSOAdminTools 5.1.2.2; Oracle OpenJDK 1.8.192 and above
Bug description
Trying to install ssoadm with Oracle OpenJDK 1.8.192 and above (this includes Java 11), you get the following error message:
OpenDJ LDAP SDK Grizzly selector thread(1) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 172
Connect Error: No operational connection factories available
With SSL debugging enabled, the DS server.out log shows that client and server have no cipher suites in common:
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1536504531 bytes = { 22, 164, 124, 160, 118, 208, 96, 164, 233, 218, 251, 10, 43, 2, 54, 153, 73, 185, 95, 41, 162, 111, 115, 198, 154, 108, 87, 191 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=openam65.example.com]
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-7, SSL_NULL_WITH_NULL_NULL]
LDAPS 0.0.0.0 port 40636(2) SelectorRunner, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-7, SSL_NULL_WITH_NULL_NULL]
LDAPS 0.0.0.0 port 40636(2) SelectorRunner, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
LDAPS 0.0.0.0 port 40636(2) SelectorRunner, WRITE: TLSv1.2 Alert, length = 2
LDAPS 0.0.0.0 port 40636(2) SelectorRunner, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
This happens when the AM configuration store DS instance is installed in production mode, which limits the set of enabled cipher suites. Ironically, there are no issues with AM or with DS command line tools like ldapsearch.
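As an added diagnostic (not part of this ticket, nor code from AM, DS or the LDAP SDK), the following Python script parses the "Cipher Suites:" line of the ClientHello quoted above and intersects it with a server allow-list. The allow-list is a constructed example of a hardened LDAPS listener that only enables TLS 1.2 AES-GCM suites; it is an assumption standing in for whatever production mode actually enables, not DS's real configuration. Run against the ticket's ClientHello it shows why the handshake ends in "no cipher suites in common": every suite the client offers is a CBC/SHA-1 suite, and none of them is on such a list.

```python
import re
from typing import Dict, Iterable, List, Set

# Sample input: the ClientHello lines copied from the ticket's SSL debug output.
CLIENT_HELLO_LOG = """*** ClientHello, TLSv1.2
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
***
"""

# Constructed allow-list for a listener that only accepts TLS 1.2 AEAD suites.
# This is an illustrative assumption, NOT the cipher list DS production mode
# actually configures; substitute the real server configuration when diagnosing.
SERVER_ENABLED_SUITES: Set[str] = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Matches the JSSE debug line "Cipher Suites: [A, B, C]".
_SUITES_RE = re.compile(r"Cipher Suites:\s*\[([^\]]*)\]")


def parse_offered_suites(debug_log: str) -> List[str]:
    """Return the suites in the first 'Cipher Suites: [...]' line, in client preference order."""
    match = _SUITES_RE.search(debug_log)
    if not match:
        return []
    return [s.strip() for s in match.group(1).split(",") if s.strip()]


def is_tls12_only_suite(suite: str) -> bool:
    """AES-GCM (AEAD) and SHA-256/SHA-384 HMAC suites exist only in TLS 1.2;
    the *_CBC_SHA suites predate it and use HMAC-SHA-1."""
    return "_GCM_" in suite or suite.endswith("_SHA256") or suite.endswith("_SHA384")


def common_suites(offered: Iterable[str], enabled: Set[str]) -> List[str]:
    """Suites the server could select, keeping the client's preference order."""
    return [s for s in offered if s in enabled]


def diagnose(debug_log: str, enabled: Set[str]) -> Dict[str, object]:
    """Summarise whether a handshake between this ClientHello and the server can succeed."""
    offered = parse_offered_suites(debug_log)
    shared = common_suites(offered, enabled)
    return {
        "offered": len(offered),
        "offered_tls12_only": sum(1 for s in offered if is_tls12_only_suite(s)),
        "common": shared,
        "handshake_would_fail": not shared,
    }


if __name__ == "__main__":
    report = diagnose(CLIENT_HELLO_LOG, SERVER_ENABLED_SUITES)
    print(f"client offered {report['offered']} suites, "
          f"{report['offered_tls12_only']} of them TLS 1.2-only")
    if report["handshake_would_fail"]:
        print("no cipher suites in common -> server will send handshake_failure")
    else:
        print("negotiable suites:", ", ".join(report["common"]))
```

To use this on a real failure, paste the ClientHello from the DS server.out log (with -Djavax.net.debug=ssl enabled) into CLIENT_HELLO_LOG and replace SERVER_ENABLED_SUITES with the suites the LDAPS listener actually enables; an empty "common" list confirms the cipher mismatch rather than a certificate or trust problem.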
How to reproduce the issue
1. Install DS 6.5.0 using configuration and CTS store profiles along with production mode.
2. Install and configure AM 6.5.0.1 using the external DS as the config/cts stores and use secure connections, i.e. HTTPS. You will also have to import the DS server cert into the JVM truststore.
3. Attempt to install ssoadm
Expected behaviour
ssoadm will get installed successfully
Current behaviour
Installation fails with:
OpenDJ LDAP SDK Grizzly selector thread(1) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 172
Connect Error: No operational connection factories available
Work around
None
is caused by:
OPENDJ-5553 Rest2Ldap cannot connect to TLSv1.2 servers (Done)
is related to:
OPENAM-14986 AM Cannot connect to TLSv1.2 DJ server (production mode) after JDK 8 update 192 (Resolved)
OPENAM-14714 SSOADM will not work with JDK7 when config store DS is in production mode. (Resolved)