OPENAM-14986

AM Cannot connect to TLSv1.2 DJ server (production mode) after JDK 8 update 192



    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1, 6.0.0
    • Fix Version/s: 13.5.3, 14.1.2, 6.0.1, 5.5.2
    • Component/s: idrepo
    • Sprint: AM Sustaining Sprint 64, AM Sustaining Sprint 65
    • 3
    • No
    • No
    • Yes and I used the same an in the description


      Bug description

      AM 6.0.0.x is unable to connect over LDAPS to a DS 6 directory running in production mode when AM runs on a recent JDK 8 (8u192 and later).

      How to reproduce the issue

      1. Set up an external DS 6 directory in production mode.
      2. Import the DS SSL certificate into the truststore of the JDK that AM runs on.
      3. Configure AM 6.0.0.x with a new data store (LDAPS) pointing at that directory.
      4. Open the Identities page in the AM admin console.
      5. With JDK 8 before update 192 the identities are listed; with JDK 8u192 and later they are not.

      AM 6.5.0 and AM 6.5.1 are not affected, because they use the DS 6.5 libraries.

      Expected behaviour
      Identities can be seen
      Current behaviour
      No identities seen

      Work around

      Add more cipher suites to the DJ server's LDAPS configuration (in practice, suites that are not TLSv1.2-only). The symptoms suggest that the TLSv1.2-only ECDHE GCM suites enabled by production mode are not offered by the DJ client library, so adding an ECDHE-RSA CBC suite that can also be negotiated under TLSv1.1 lets the handshake complete.

      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA appears to work when added to the LDAPS cipher suites.

      Note that this loosens the production-mode cipher profile (a CBC suite with HMAC-SHA1 is re-enabled, although forward secrecy via ECDHE is kept), so it should be treated as a temporary measure until the DJ client library used by AM is fixed.

      The same system works with JDK 8 before update 192, so rolling back to an earlier JDK 8 update is another option.

      Code analysis

      In production mode the DJ server's cipher suites are limited to

      supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

      but the trace shows that the LDAP client does not offer any of these suites, so there is no suite in common and the TLS handshake fails.

      This is caused by OPENDJ-5553 (or a related fix from it may be needed); AM 6.0.x uses the DJ 6.0.0.x libraries, which have this issue.
      The same issue is also seen in OPENAM-14669. Note that OPENAM-14669 does not resolve this one, as it applies to ssoadm, but the underlying cause is the same.
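      The mismatch described above can be confirmed from the AM host with a small stand-alone program. The following is an added diagnostic written for this page, not code from AM or DS: it lists which of the four production-mode suites the running JVM enables by default and, given an LDAPS host and port (assumed command-line arguments), attempts a TLSv1.2 handshake restricted to exactly those suites, the way a correctly configured client would. Compile and run it with the same JDK that AM uses.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added diagnostic (not part of AM or DS). Checks whether this JVM offers the
 * cipher suites a DS 6 production-mode LDAPS listener accepts, then optionally
 * probes the listener with a TLSv1.2 handshake limited to those suites.
 *
 * Usage: java DjCipherCheck [ldaps-host ldaps-port]   (host and port are assumptions)
 */
public class DjCipherCheck {

    /** The supportedTLSCiphers values quoted in the code analysis above. */
    static final String[] DJ_PRODUCTION_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    };

    /** Returns the production-mode suites that this JVM enables by default. */
    static Set<String> defaultEnabledProductionSuites() throws Exception {
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        Set<String> enabledSet = new LinkedHashSet<>(Arrays.asList(enabled));
        Set<String> present = new LinkedHashSet<>();
        for (String suite : DJ_PRODUCTION_SUITES) {
            if (enabledSet.contains(suite)) {
                present.add(suite);
            }
        }
        return present;
    }

    /**
     * Handshakes with host:port over TLSv1.2 offering only the given suites
     * (those the JVM supports at all). Returns the negotiated suite, or null if
     * the server rejected the handshake, which is the symptom in this issue.
     * A certificate-validation failure also arrives as SSLHandshakeException,
     * so the printed message must be read before drawing conclusions.
     */
    static String probe(String host, int port, String[] wanted) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            Set<String> supported = new LinkedHashSet<>(Arrays.asList(socket.getSupportedCipherSuites()));
            Set<String> offer = new LinkedHashSet<>();
            for (String suite : wanted) {
                if (supported.contains(suite)) {
                    offer.add(suite);
                }
            }
            if (offer.isEmpty()) {
                System.err.println("this JVM supports none of the requested suites");
                return null;
            }
            socket.setEnabledProtocols(new String[] {"TLSv1.2"});
            socket.setEnabledCipherSuites(offer.toArray(new String[0]));
            socket.setSoTimeout(5000);
            try {
                socket.startHandshake();
                return socket.getSession().getCipherSuite();
            } catch (SSLHandshakeException e) {
                System.err.println("handshake failed: " + e.getMessage());
                return null;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JDK: " + System.getProperty("java.version"));
        Set<String> present = defaultEnabledProductionSuites();
        for (String suite : DJ_PRODUCTION_SUITES) {
            System.out.println((present.contains(suite) ? "  enabled: " : "  MISSING: ") + suite);
        }
        if (present.isEmpty()) {
            System.out.println("none of the DJ production-mode suites are enabled; the LDAPS handshake cannot succeed");
        }
        if (args.length == 2) {
            String negotiated = probe(args[0], Integer.parseInt(args[1]), DJ_PRODUCTION_SUITES);
            System.out.println(negotiated == null
                ? "no common cipher suite with " + args[0] + ":" + args[1]
                : "negotiated " + negotiated);
        }
    }
}
```

      If the JVM enables the suites and the raw probe negotiates one of them while AM on the same JDK still fails, the JVM and the DS listener are fine and the restriction lies in the DJ client library that AM bundles, which is the OPENDJ-5553 scenario. The probe uses the JVM's default truststore, i.e. the one the DS certificate was imported into in step 2 of the reproduction.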


          People

              Kamal Sivanandam (kamal.sivanandam@forgerock.com)
              C-Weng C (chee-weng.chea)