OpenAM / OPENAM-14986

AM Cannot connect to TLSv1.2 DJ server (production mode) after JDK 8 update 192

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.0.4, 6.0.0.5, 6.0.0.6
    • Fix Version/s: 13.5.3, 14.1.2, 6.0.1, 5.5.2
    • Component/s: idrepo
    • Sprint:
      AM Sustaining Sprint 64, AM Sustaining Sprint 65
    • Story Points:
      3
    • Needs QA verification:
      No
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes, and I used the same as in the description

      Description

      Bug description

      AM 6.0.0.x is unable to connect to a DS6 production mode directory using the latest JDK 8 (> u192)

      How to reproduce the issue

      1. Setup an external DS6 production mode directory
      2. Import the SSL cert to the AM JDK truststore
      3. Configure AM 6.0.0.x with a new DataStore (LDAPS)
      4. Check the Admin page for the Identities
      5. If using JDK 8 < update 192 it works but after JDK 8u192 things break
      6. AM6.5/6.5.1 is not affected (due to use of DS6.5 libraries)

      Expected behaviour

      Identities can be seen

      Current behaviour

      No identities seen


      This issue is not seen on AM6.5.0 and AM 6.5.1

      Workaround

      Add more ciphers to the DJ server (i.e. mostly non-TLSv1.2 ciphers).
      It seems that the TLSv1.2 protocol is not working, and so one may need to
      ensure that TLSv1.1 ciphers are available. It seems the ECDH*-GCM suites are not available to the DJ client, and so adding some ECDHE*RSA*CBC suites will help.

      It seems TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA works (to add to the LDAPS ciphers needed).

      The same system worked before JDK 8u192, so a rollback to an earlier JDK version is also possible.

      Code analysis

      When in production mode, the set of DJ server cipher suites is

      supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      

      but from the trace the LDAP client does not have this set of ciphers.

      This is caused by OPENDJ-5553 (or a related fix from it may be needed), and AM 6.0.x uses DJ 6.0.0.x, which has this issue.
      This issue is related to, and is also seen in, OPENAM-14669. Note that OPENAM-14669 does not resolve this, as it applies to ssoadm, but the same issue arises.

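As an added diagnostic (example code written for this page, not code from the AM or DS projects), the following standalone Java program lists the cipher suites and protocols the running JVM enables by default, intersects them with the DJ production-mode suite list quoted above, and, when given a host and port, attempts a TLSv1.2 handshake to the LDAPS listener with each of those suites in turn. Run it with the same JDK that AM runs on and point it at the same truststore (for example `-Djavax.net.ssl.trustStore=...`) so that the DS certificate imported in step 2 is trusted; the class name and the host/port arguments are assumptions. It exercises JSSE defaults only, so a restriction applied inside the LDAP SDK that AM bundles (the cause the analysis attributes to OPENDJ-5553) does not show up here: a suite that handshakes from this program but still fails from AM points at the SDK rather than the JDK.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical diagnostic: does this JVM, with its default JSSE settings,
 * share a cipher suite with a DS/DJ server running in production mode?
 *
 * Usage:  java CipherProbe            (offline: only compares suite lists)
 *         java CipherProbe host 1636  (also tries a TLSv1.2 handshake per suite)
 */
public class CipherProbe {

    // The production-mode server suites as listed in this issue.
    static final List<String> DJ_PRODUCTION_SUITES = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

    /** Suites present on both sides, in the server's preference order. */
    static List<String> commonSuites(String[] clientDefaults, List<String> serverSuites) {
        Set<String> client = new HashSet<>(Arrays.asList(clientDefaults));
        List<String> common = new ArrayList<>();
        for (String suite : serverSuites) {
            if (client.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();

        String[] clientDefaults = factory.getDefaultCipherSuites();
        String[] protocols = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("JVM " + System.getProperty("java.version")
                + ", default protocols " + Arrays.toString(protocols)
                + ", " + clientDefaults.length + " default client suites");

        List<String> common = commonSuites(clientDefaults, DJ_PRODUCTION_SUITES);
        System.out.println("Suites shared with DJ production mode: " + common);
        if (common.isEmpty()) {
            System.out.println("No shared suite: the handshake cannot succeed from this JVM; "
                    + "add a suite both sides support on the DJ side, "
                    + "e.g. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as in the workaround.");
        }

        if (args.length != 2) {
            return;  // offline mode: no server to probe
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // Force TLSv1.2 and a single suite per attempt so a failure names the suite,
        // not the protocol. A PKIX error here means the truststore is wrong (step 2).
        for (String suite : DJ_PRODUCTION_SUITES) {
            try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
                sock.setEnabledProtocols(new String[] {"TLSv1.2"});
                sock.setEnabledCipherSuites(new String[] {suite});  // IllegalArgumentException if unsupported
                sock.startHandshake();
                System.out.println("OK   " + suite
                        + " (negotiated " + sock.getSession().getCipherSuite() + ")");
            } catch (Exception e) {
                System.out.println("FAIL " + suite + ": " + e);
            }
        }
    }
}
```

A suite that is rejected by `setEnabledCipherSuites` is one the JDK itself does not offer; a suite that is accepted locally but fails in `startHandshake` with a handshake alert is one the server declined, and that combination is what the trace described under "Code analysis" would show from the AM side.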
              People

              • Assignee:
                kamal.sivanandam@forgerock.com Kamal Sivanandam
                Reporter:
                chee-weng.chea C-Weng C
              • Votes:
                0
                Watchers:
                9
