AM6.0.0.x is unable to connect to a DS6 production mode directory using latest JDK8 (> u192)
- Set up an external DS6 production mode directory
- Import the SSL cert to the AM JDK truststore
- Configure AM 6.0.0.x with a new DataStore (LDAPS)
- Check the Admin page for the Identities
- If using JDK 8 < update 192 it works but after JDK 8u192 things break
- AM6.5/6.5.1 is not affected (due to use of DS6.5 libraries)
This issue is not seen on AM6.5.0 and AM 6.5.1
Add more ciphers to the DJ server (i.e. mostly non-TLSv1.2 ciphers).
It seems that the TLSv1.2 protocol is not working, so one may need to
ensure that TLSv1.1 ciphers are available. It seems that ECDH*-GCM is not available with the DJ client, so adding some ECDHE*RSA*CBC ciphers will help.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA seems to work (to be added to the LDAPS ciphers).
The same system worked before JDK8u192, so rolling back to an earlier JDK version is also possible.
When in production mode the set of DJ server cipher suites are
but from the trace, the LDAP client does not have this set of ciphers.
This is caused by
OPENDJ-5553 (or a related fix from this may be needed); AM 6.0.x uses DJ6.0.0.x, which has this issue.
This issue is related to, and is also seen in,
OPENAM-14669. Note that OPENAM-14669 does not resolve this, as it applies to ssoadm, but the same issue arises.
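
One way to confirm the cipher mismatch described above from a client-side trace, as an added example that is not part of the original report: it parses ClientHello cipher lists in the JDK 8 `-Djavax.net.debug=ssl:handshake` layout and intersects them with the suites configured on the LDAPS handler. The trace excerpt and the server suite list are constructed sample values, and the function names are hypothetical.

```python
import re

# Constructed sample: ClientHello excerpt in the JDK 8 javax.net.debug layout.
CLIENT_TRACE = """\
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1541000000 bytes = { 1, 2, 3 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]
Compression Methods:  { 0 }
"""

# Constructed sample: suites enabled on the server's LDAPS handler (not the page's list).
SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

def client_hello_suites(trace):
    """Return [(protocol, [suites])] for every ClientHello found in the trace."""
    hellos, proto = [], None
    for line in trace.splitlines():
        m = re.match(r"\*\*\* ClientHello, (\S+)", line)
        if m:
            proto = m.group(1)
            continue
        m = re.match(r"Cipher Suites: \[(.*)\]", line)
        if m and proto:
            suites = [s.strip() for s in m.group(1).split(",") if s.strip()]
            hellos.append((proto, suites))
            proto = None
    return hellos

def diagnose(trace, server_suites):
    """Per ClientHello, list the suites both sides enable (client preference order).
    An empty 'shared' list means the handshake cannot succeed; a non-empty one is
    necessary but not sufficient (protocol version and key type must also match)."""
    server = set(server_suites)
    return [{"protocol": proto,
             "shared": [s for s in offered if s in server],
             "client_only": [s for s in offered if s not in server]}
            for proto, offered in client_hello_suites(trace)]

if __name__ == "__main__":
    print("before:", diagnose(CLIENT_TRACE, SERVER_SUITES))
    # Workaround from the report: add a CBC suite the client offers.
    patched = SERVER_SUITES + ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"]
    print("after: ", diagnose(CLIENT_TRACE, patched))
```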