[OPENAM-13984] Upgrade/Install Document need for stricter Hostname Matching for LDAP certificates Created: 15/Nov/18  Updated: 21/Nov/18  Resolved: 16/Nov/18

Status: Resolved
Project: OpenAM
Component/s: documentation
Affects Version/s: 6.0.0.5, 6.5.0
Fix Version/s: 6.0.0, 6.5.0

Type: Bug Priority: Major
Reporter: William Hepler Assignee: Cristina Herraz
Resolution: Fixed Votes: 0
Labels: AME, SHAKESPEARE
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: 2018.11 - Docs 6.5
Needs backport:
No
Support Ticket IDs:
Needs QA verification:
No
Functional tests:
No
Are the reproduction steps defined?:
No (add reasons in the comment)

 Description   

Bug description

Multiple reports for when upgrading from 13x to 6 failing with increased security around DNS Name Matching for LDAP connections

How to reproduce the issue

  1. Install certificates that function in AM 13 
  2. Upgrade and see if these certificates fail if they do not match the DNS name exactly. 
Expected behaviour
If configuration was functioning before, after the upgrade customer would expect to still be able to connect to LDAPS. 
Current behaviour
There is no specific Upgrade or Install step to warn for this requirement/change. 

Work around

We tried the following Java property:com.sun.jndi.ldap.object.disableEndpointIdentification

This didn't seem to change the behavior so doesn't seem valid, appears to be Code change and not underlying Java JDK change.

Code analysis

It's required that the certificate hostname match:
https://backstage.forgerock.com/docs/ds/6/admin-guide/#generating-and-signing-certs
This is a bit buried in the Admin guide, If there is a change this should be called out when upgrading as a consideration, or a security advisory.

Failures in Configuration store will appear to be :
ERROR: Unable to parse product versions for comparison; Current: null war: ForgeRock Access Management 6.0.0.5 Build 70748811ef (2018-October-12 05:22)

This is caused by:
ERROR: SMSEntry: Unable to initalize(exception):
SMSException Exception Code:5
Message:Unexpected LDAP exception occurred.
--------------------------------------------------
The lower level exception message
Connect Error: No operational connection factories available

Caused by: Connect Error: The LDAP connection has failed because an error occurred during the SSL handshake: java.security.cert.CertificateException: No subject alternative DNS name matching HOSTNAME found.
 at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:206)
 at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:144)
 at org.forgerock.opendj.ldap.LdapException.newLdapException(LdapException.java:113)
 at org.forgerock.opendj.grizzly.GrizzlyLdapSocketConnector$CompletionHandlerAdapter$1.failed(GrizzlyLdapSocketConnector.java:274)
 ... 23 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching HOSTNAME found.

 



 Comments   
Comment by Cristina Herraz [ 16/Nov/18 ]

As discussed, fixed for 6.5 and 6 for now. If later on there is news that this is required for other versions too, let us know.

Comment by Cristina Herraz [ 19/Nov/18 ]

That's a question for Gene Hirayama I don't really know

Generated at Sun Sep 27 23:33:32 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.