Footprints 20.x - Unable to make LDAPS connection (636) using IP Address of LDAP server

Manage Support IDs

Use checkboxes to 'Remove support IDs/Users' or 'Allow to create Cases'
Support IDs for BMC Customer Support Site Guest User
Profiles Which Include    Back to All Support IDs
 

Knowledge Article

Footprints 20.x - Unable to make LDAPS connection (636) using IP Address of LDAP server
Footprints 20.x - Unable to make LDAPS connection (636) using IP Address of LDAP server
FootPrints
FootPrints
FootPrints 20.x
FootPrints
FootPrints
FootPrints 20.x
Due to security enhancement by JAVA , we are getting an error message when trying to connect to LDAPS server (636) using the IP address of LDAP server.


Error Found on the Footprints logs

ERROR|2020-02-13T09:50:30.780|EST|SERVER|http-nio-8080-exec-10|*.application.web.spring.ExtExceptionResolver.resolveException()|||An error occurred while processing web request [Log Entry ID: 4328dc0e-b669-4bb5-ab7f-a7fc0eaa7721]|
* Stack Trace Summary: 
  - com.numarasoftware.footprints.core.externaldata.ExternalDataServiceException : Invalid LDAP connection parameters. [Infrastructure.Network.009]
        at com.numarasoftware.footprints.core.externaldata.LdapConnector.openLdapConnection(LdapConnector.java:706)
  - com.numarasoftware.footprints.infrastructure.utility.net.NetworkException : Invalid LDAP connection parameters. [Infrastructure.Network.009]
        at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.connect(DefaultLdapConnectionManager.java:199)
  - javax.naming.CommunicationException : simple bind failed: x.x.x.x:636
        at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.openLdapConnection(DefaultLdapConnectionManager.java:224)
  - javax.net.ssl.SSLHandshakeException : No subject alternative names present
        at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.openLdapConnection(DefaultLdapConnectionManager.java:224)
  - java.security.cert.CertificateException : No subject alternative names present
        at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.openLdapConnection(DefaultLdapConnectionManager.java:224)
|
com.numarasoftware.footprints.core.externaldata.ExternalDataServiceException: Invalid LDAP connection parameters.
    at com.numarasoftware.footprints.core.externaldata.LdapConnector.openLdapConnection(LdapConnector.java:706)
    at com.numarasoftware.footprints.core.externaldata.LdapConnector.getSchemaByBaseDn(LdapConnector.java:192)
    at com.numarasoftware.footprints.core.externaldata.LdapConnector.getSchema(LdapConnector.java:162)
    at com.numarasoftware.footprints.core.externaldata.DefaultExternalDataService.getSchema(DefaultExternalDataService.java:134)

Caused by: javax.naming.CommunicationException: simple bind failed: x.x.x.x:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative names present]
    at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
    at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
    at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:243)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
    at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
    at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
    at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.openLdapConnection(DefaultLdapConnectionManager.java:224)
    at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.connect(DefaultLdapConnectionManager.java:171)
    ... 110 more
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present

Due to Oracle JAVA Security Changes, Endpoint identification has been enabled on LDAPS connections.

Solution:

Rather than using IP Address, the system needs to be configured with the fully qualified domain name (FQDN) name of LDAP server when configuring LDAP authentication to have more secure LDAPS connections.

Note: We do raised an idea on UI validation for this LDAP configuration page.

    Workaround If you need to use the IP Address 
    As per Oracle article:
    https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html

    To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

    Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.Define this system property (or set it to true) to disable endpoint identification algorithms.

    Open the Tomcat8w,exe file from C:\Program Files\Apache Software Foundation\Tomcat 8.5\bin  (change path if needed)

    In the Java tab - Java Options 

    Add option below

    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

    User-added image

    Click OK

    Restart Tomcat
     

    Additional information (Certification verification Method we have included in Footprints)

    1. Select LDAPS from the LDAP Security Type drop-down.
    2. Select how you wish to handle Certificate Verification. “Require” means that FootPrints will not connect to the remote LDAP server unless the server offers a certificate, which can be compared to the certificate uploaded by the administrator. If they are the same, the connection will be made. This is the most secure method. “Optional” also requires that a certificate be uploaded, but a comparison is only made if the server offers a certificate. In the absence of the server providing a certificate, the connection will be made. “None” means that no checking of a certificate will be required and therefore no certificate must be uploaded. Although the connection will be secured, there is no verification that FootPrints is connecting with the correct server.
    3. If selecting “Require” or “Optional” for Certificate Verification, either a previous certificate can be used or a new one uploaded. In either case, the certificate provided must be the certificate of the certificate authority ("CA") who signed the server's certificate in PEM (Base-64) format (this will be the server's own certificate if the certificate is self-signed) . The certificate can be in any directory on the FootPrints server and can have any name, so long as it is in pem format.
    FootPrints
    FootPrints
    FootPrints 20.x
    Attachment(s):