[OPENAM-14986] AM Cannot connect to TLSv1.2 DJ server (production mode) after JDK 8 update 192 Created: 28/May/19  Updated: 20/Apr/20  Resolved: 18/Oct/19

Status: Resolved
Project: OpenAM
Component/s: idrepo
Affects Version/s: 5.5.1, 6.0.0
Fix Version/s: 13.5.3, 14.1.2, 6.0.1, 5.5.2

Type: Bug Priority: Major
Reporter: C-Weng C Assignee: Kamal Sivanandam
Resolution: Fixed Votes: 0
Labels: EDISON
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicates OPENAM-15550 Limiting OpenAM to TLSv1.2 with java.... Resolved
is caused by OPENDJ-5553 Rest2Ldap cannot connect to TLSv1.2 s... Done
relates to OPENAM-14669 ssoadm does not install using Java 1.... Resolved
is related to OPENDJ-4341 setup with production mode with java 9 Done
Target Version/s:
Sprint: AM Sustaining Sprint 64, AM Sustaining Sprint 65
Story Points: 3
Support Ticket IDs:
Verified Version/s:
Needs QA verification:
Functional tests:
Are the reproduction steps defined?:
Yes, and I used the same steps as in the description


Bug description

AM 6.0.0.x is unable to connect to a DS 6 production-mode directory over LDAPS when running on a recent JDK 8 (later than 8u192).

How to reproduce the issue

  1. Set up an external DS 6 directory in production mode
  2. Import the DS SSL certificate into the truststore of the JDK running AM
  3. Configure AM 6.0.0.x with a new data store (LDAPS)
  4. Check the Identities page in the admin console
  5. With JDK 8 earlier than update 192 this works; with JDK 8u192 or later it breaks
  6. AM 6.5/6.5.1 are not affected (they ship the DS 6.5 client libraries)
Expected behaviour
Identities can be seen
Current behaviour
No identities seen

This issue is not seen on AM6.5.0 and AM 6.5.1

Workaround

Add more cipher suites to the DJ server (mostly suites that are not TLSv1.2-only).
It seems the TLSv1.2 handshake is not working, so TLSv1.1-compatible suites need to be available. The ECDHE*GCM suites appear not to be offered by the DJ client, so adding an ECDHE*RSA*CBC suite helps.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA seems to work (add it to the LDAPS cipher suites).

The same system worked before JDK 8u192, so rolling back to an earlier JDK 8 update is also possible.

Code analysis

In production mode the DJ server's cipher suites are:

supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

but the handshake trace shows that the LDAP client does not offer any of these suites, so there is no suite in common and the TLS handshake fails.

This is caused by OPENDJ-5553 (or a related fix may be needed): AM 6.0.x uses the DJ 6.0.0.x client libraries, which have this issue.
The same issue is also seen in OPENAM-14669. Note that OPENAM-14669 does not resolve this, as it applies to ssoadm, but the underlying cause is the same.
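The failure above is a plain cipher-suite mismatch: the server only accepts the four ECDHE GCM suites, the client offers none of them, so the handshake aborts with "no cipher suites in common" (a TLS handshake_failure alert). The following is an added example, not ForgeRock code, that makes this diagnosis reproducible: it parses the `supportedTLSCiphers` lines exactly as listed above, computes the suites both sides share against a client offer, and can probe a live LDAPS port one suite at a time. The client offer list is constructed for illustration (a client lacking the ECDHE GCM suites); the real list must be taken from the ClientHello in a `-Djavax.net.debug=ssl:handshake` trace of the AM JVM. The IANA-to-OpenSSL name map is needed because Python's `ssl` module uses OpenSSL names while DS config and JSSE traces use IANA names.

```python
"""Cipher-suite mismatch check for an LDAPS client against a DS production-mode
server. Added example (not ForgeRock code); the client offer below is constructed."""
import socket
import ssl

# DS production-mode suites, copied from the code analysis (LDIF attribute lines).
DS_PRODUCTION_LDIF = """\
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

# Constructed (assumed) client offer standing in for the trace described in the
# bug: a client that has no ECDHE*GCM suites. Replace with the real ClientHello
# suite list from a -Djavax.net.debug=ssl:handshake trace.
CLIENT_OFFER_WITHOUT_GCM = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# The suite the reporter added on the DS side as a workaround.
WORKAROUND_SUITE = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"

# IANA (JSSE/DS) name -> OpenSSL name, for the suites used here.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
}


def parse_supported_ciphers(ldif):
    """Return the values of every 'supportedTLSCiphers:' line, in order."""
    suites = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip() == "supportedTLSCiphers":
            suites.append(value.strip())
    return suites


def common_suites(server_suites, client_offer):
    """Suites both sides support, in server order. An empty result is exactly
    the 'no cipher suites in common' / handshake_failure seen in the bug."""
    offered = set(client_offer)
    return [s for s in server_suites if s in offered]


def probe_ldaps(host, port=636, suites=None, timeout=5.0):
    """Attempt a TLSv1.2-only handshake with host:port once per suite.
    Returns {iana_name: True | False | None}; None means the local OpenSSL
    build has no such suite. Certificate verification is deliberately off:
    this checks cipher negotiation only, never use it as a trust check."""
    results = {}
    for iana in suites or parse_supported_ciphers(DS_PRODUCTION_LDIF):
        openssl_name = IANA_TO_OPENSSL.get(iana)
        if openssl_name is None:
            results[iana] = None
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers(openssl_name)
        except ssl.SSLError:
            results[iana] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[iana] = tls.cipher()[0] == openssl_name
        except (ssl.SSLError, OSError):
            results[iana] = False
    return results


if __name__ == "__main__":
    server = parse_supported_ciphers(DS_PRODUCTION_LDIF)
    print("common before workaround:", common_suites(server, CLIENT_OFFER_WITHOUT_GCM))
    print("common after workaround: ",
          common_suites(server + [WORKAROUND_SUITE], CLIENT_OFFER_WITHOUT_GCM))
    # Live probe (needs a reachable DS): probe_ldaps("ds.example.com", 636)
```

Running the analysis part reproduces the bug's situation (no common suite) and shows why adding TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA on the DS side makes the handshake succeed. Note what the workaround costs: it replaces AEAD GCM suites with a CBC suite and, per the verification comment, also re-enables TLSv1.1 on the directory, so it should be removed once AM is on a fix version that ships a DJ client offering the GCM suites. The live probe only answers "does the server accept suite X over TLSv1.2"; it says nothing about what the JSSE client offers, which is what the trace is for.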

Comment by Ľubomír Mlích [ 06/Sep/19 ]

Reproduced in ForgeRock Access Management 5.5.1 Build 96b47ad4f1 (2017-October-26 15:41)
Verified as fixed in ForgeRock Access Management 5.5.2-M7 Build 965200a558 (2019-August-20 08:11)

I used different reproduction steps:

  1. configure DS in production mode
  2. install AM with external DS (using configurator or web UI)

Installation failed with "invalid suffix" in both cases. I was able to use the workaround: installation worked after adding TLS 1.1 and the cipher above. Now it works without the workaround.

Generated at Mon Mar 01 22:39:14 UTC 2021 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.