OPENDJ-5336

Dsreplication and control-panel connection fails with JVM 1.8.0_181

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.5.3
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      Reported on OpenDJ 3.5.3, with JVM 1.8.0_181.
      (DS 5.x and later are not affected.)

      After moving to JVM 1.8.0_181:

      • logging in to control-panel fails:
        An error occurred connecting to the server. Details:
        javax.naming.CommunicationException: 0.0.0.0:4444 [Root exception is javax.net.ssl.SSLHandshakeException:
        java.security.cert.CertificateException: No subject alternative names present]

      • running dsreplication status with a non-FQDN hostname fails:
        Unable to connect to the server at host1 on port 4444. Check this port is an administration port

        or

        Error reading data from server host1:4444. There is an error with the certificate presented by the server.
        Details: simple bind failed: host1:4444


      This is due to the following change in JVM 1.8.0_181:

      https://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html#R180_181

      Changes
      core-libs/javax.naming
      ➜ Improve LDAP support
      Endpoint identification has been enabled on LDAPS connections.
      To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
      Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
      Define this system property (or set it to true) to disable endpoint identification algorithms.

      Workaround:

      Set the above system property in the JVM args, e.g.

      (in config/java.properties)

      control-panel.java-args=... -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
      ...
      dsreplication.java-args=... -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

      And run bin/dsjavaproperties.
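As an added example (not OpenDJ code and not part of this issue), the following Java class connects over LDAPS through JNDI the way control-panel and dsreplication do, and tells an endpoint-identification failure apart from other connection errors, so that the URL or the server certificate can be fixed instead of turning the check off; the FQDN host1.example.com, the bind DN and the password are assumed values. A connection that uses a hostname listed in the server certificate's subject alternative names passes the 8u181 check without the system property.

```java
import java.security.cert.CertificateException;
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapsEndpointCheck {
    enum Outcome { CONNECTED, HOSTNAME_MISMATCH, OTHER_ERROR }

    /** Connects to ldaps://host:port with a simple bind and classifies the result. */
    static Outcome probe(String host, int port, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try {
            DirContext ctx = new InitialDirContext(env);
            ctx.close();
            return Outcome.CONNECTED;
        } catch (CommunicationException e) {
            // 8u181+ nests CommunicationException -> SSLHandshakeException -> CertificateException,
            // so walk the whole cause chain instead of looking only at the root cause.
            for (Throwable t = e.getRootCause(); t != null; t = t.getCause()) {
                String msg = t instanceof CertificateException ? String.valueOf(t.getMessage()) : "";
                // "No subject alternative names present": connected by IP, certificate has no SAN.
                // "No name matching ...": the name in the URL is not among the certificate's SANs.
                if (msg.contains("subject alternative") || msg.startsWith("No name matching")) {
                    return Outcome.HOSTNAME_MISMATCH;
                }
            }
            return Outcome.OTHER_ERROR;
        } catch (NamingException e) {
            return Outcome.OTHER_ERROR;
        }
    }

    public static void main(String[] args) {
        // Uncommenting the next line applies the page's workaround to this JVM; note that it
        // disables hostname verification for every LDAPS connection the JVM makes.
        // System.setProperty("com.sun.jndi.ldap.object.disableEndpointIdentification", "true");
        String dn = "cn=Directory Manager", pw = "<placeholder-password>";   // assumed credentials
        System.out.println("0.0.0.0 (as control-panel used): " + probe("0.0.0.0", 4444, dn, pw));
        System.out.println("host1 (short name):              " + probe("host1", 4444, dn, pw));
        System.out.println("host1.example.com (FQDN in SAN): " + probe("host1.example.com", 4444, dn, pw));
    }
}
```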

      People

      • Assignee: Unassigned
      • Reporter: wei-yee.lum Wei-Yee Lum