ssoadm does not install using Java 1.8.192 and above

Bug description

Trying to install ssoadm with Oracle OpenJDK 1.8.192 and above, this include Java 11, you get the following error message:

OpenDJ LDAP SDK Grizzly selector thread(1) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 172

Connect Error: No operational connection factories available

Using SSL debugging I see in the DS server.out log that there are no cipher suites in common:

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1536504531 bytes = { 22, 164, 124, 160, 118, 208, 96, 164, 233, 218, 251, 10, 43, 2, 54, 153, 73, 185, 95, 41, 162, 111, 115, 198, 154, 108, 87, 191 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA]

_Compression Methods: 

_

Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA

Extension extended_master_secret

Extension server_name, server_name: [type=host_name (0), value=openam65.example.com]

Extension renegotiation_info, renegotiated_connection: <empty>

***

%% Initialized:  [Session-7, SSL_NULL_WITH_NULL_NULL]

LDAPS 0.0.0.0 port 40636(2) SelectorRunner, fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-7, SSL_NULL_WITH_NULL_NULL]

LDAPS 0.0.0.0 port 40636(2) SelectorRunner, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure

LDAPS 0.0.0.0 port 40636(2) SelectorRunner, WRITE: TLSv1.2 Alert, length = 2

LDAPS 0.0.0.0 port 40636(2) SelectorRunner, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

Using SSLEngineImpl.

Using SSLEngineImpl.

This is happening when the AM configuration store DS instance is installed using production mode, which limits the number of available ciphers. Ironically there are no issues with AM or DS command line tools like ldapsearch.

How to reproduce the issue

 __  1. Install DS 6.5.0 using configuration and CTS store profiles along with production mode.

  2. Install and configure AM 6.5.0.1 using the external DS as the config/cts stores and use secure connections, i.e. HTTPS. You will also have to import the DS server cert into the JVM truststore.

  3. Attempt to install ssoadm

Expected behaviour

ssoadm will get installed successfully 

Current behaviour

installation fails with OpenDJ LDAP SDK Grizzly selector thread(1) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 172
Connect Error: No operational connection factories available

Work around

None