Problem: Due to a security enhancement in Java, an error occurs when trying to connect to the LDAPS server (port 636) using the IP address of the LDAP server instead of its host name.

Error found in the FootPrints logs:

ERROR|2020-02-13T09:50:30.780|EST|SERVER|http-nio-8080-exec-10|*.application.web.spring.ExtExceptionResolver.resolveException()|||An error occurred while processing web request [Log Entry ID: 4328dc0e-b669-4bb5-ab7f-a7fc0eaa7721]|
* Stack Trace Summary:
- com.numarasoftware.footprints.core.externaldata.ExternalDataServiceException : Invalid LDAP connection parameters. [Infrastructure.Network.009]
    at com.numarasoftware.footprints.core.externaldata.LdapConnector.openLdapConnection(LdapConnector.java:706)
- com.numarasoftware.footprints.infrastructure.utility.net.NetworkException : Invalid LDAP connection parameters. [Infrastructure.Network.009]
    at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.connect(DefaultLdapConnectionManager.java:199)
- javax.naming.CommunicationException : simple bind failed: x.x.x.x:636
    at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.openLdapConnection(DefaultLdapConnectionManager.java:224)
- javax.net.ssl.SSLHandshakeException : No subject alternative names present
    at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.openLdapConnection(DefaultLdapConnectionManager.java:224)
- java.security.cert.CertificateException : No subject alternative names present
    at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.openLdapConnection(DefaultLdapConnectionManager.java:224)
|
com.numarasoftware.footprints.core.externaldata.ExternalDataServiceException: Invalid LDAP connection parameters.
    at com.numarasoftware.footprints.core.externaldata.LdapConnector.openLdapConnection(LdapConnector.java:706)
    at com.numarasoftware.footprints.core.externaldata.LdapConnector.getSchemaByBaseDn(LdapConnector.java:192)
    at com.numarasoftware.footprints.core.externaldata.LdapConnector.getSchema(LdapConnector.java:162)
    at com.numarasoftware.footprints.core.externaldata.DefaultExternalDataService.getSchema(DefaultExternalDataService.java:134)
Caused by: javax.naming.CommunicationException: simple bind failed: x.x.x.x:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative names present]
    at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
    at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
    at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:225)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:189)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:243)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
    at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
    at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
    at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
    at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
    at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
    at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.openLdapConnection(DefaultLdapConnectionManager.java:224)
    at com.numarasoftware.footprints.infrastructure.utility.net.DefaultLdapConnectionManager.connect(DefaultLdapConnectionManager.java:171)
    ... 110 more
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present
Cause: Due to an Oracle Java security change, endpoint identification is now enabled by default on LDAPS connections. Endpoint identification checks that the host name or IP address used to open the connection matches a name in the server certificate. When the connection is opened by IP address, Java compares the address only against the certificate's Subject Alternative Name (SAN) entries; the error text "No subject alternative names present" means the LDAP server's certificate carries no SAN entries at all, so there is nothing the IP address can match and the TLS handshake is rejected before the bind is attempted.

Solution: As per the Oracle article https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html:

"To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default. Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property:"

The preferred fix is to change the LDAP server address in the FootPrints LDAP connection settings from the IP address to the fully qualified host name that appears in the server certificate (its Common Name or a DNS entry in the SAN), or to reissue the server certificate with SAN entries that include the host name and, if connecting by IP address is required, the IP address. Disabling endpoint identification removes the check that prevents a man-in-the-middle from presenting any certificate trusted by the JVM, so treat it as a last resort rather than the standard fix.

Additional information (certificate verification method we have included in FootPrints)
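The following is an added example, not FootPrints or JDK code: a small Python model of the host-name and IP-address matching that Java's endpoint identification performs (the behaviour of the JDK's HostnameChecker, as understood by the editor; the wildcard handling is simplified), run against constructed sample certificates in the dictionary layout returned by Python's ssl.SSLSocket.getpeercert(). It shows which combinations of LDAPS URL and certificate pass, reproduces the exact "No subject alternative names present" failure from the log above, and shows the two certificate-side fixes (host name matching a DNS SAN or CN, or an IP Address SAN). The host names, addresses and certificates are invented for the example.

```python
"""
Model of Java's LDAPS endpoint-identification check (HostnameChecker logic,
re-implemented in Python for illustration).  Added example, not FootPrints or
JDK code.  Certificates use the dict layout of ssl.SSLSocket.getpeercert(),
so a real server certificate can be fed in unchanged, e.g.:

    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, 636)),
                         server_hostname=host) as s:
        cert = s.getpeercert()
"""
import ipaddress


class EndpointIdentificationError(Exception):
    """Raised when the certificate does not identify the requested endpoint."""


def _common_name(cert):
    """Return the subject commonName, or None if the subject has no CN."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _dns_match(expected, pattern):
    """Case-insensitive name match; one bare '*' is allowed as the left-most label only."""
    expected, pattern = expected.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return expected == pattern
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False
    e_head, _, e_tail = expected.partition(".")
    return bool(e_head) and e_tail == tail


def check_endpoint_identity(cert, target):
    """Return the certificate entry that identifies `target`, or raise."""
    sans = cert.get("subjectAltName")
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # target is a host name

    if ip is not None:
        # IP targets are matched ONLY against iPAddress SAN entries: no CN fallback.
        # A certificate with no SAN extension at all yields the error seen in the log.
        if not sans:
            raise EndpointIdentificationError("No subject alternative names present")
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return f"IP Address={value}"
        raise EndpointIdentificationError(
            f"No subject alternative names matching IP address {target} found")

    # Host-name targets: dNSName SAN entries are authoritative when present;
    # the subject CN is consulted only if the certificate has no dNSName entries.
    dns_entries = [v for k, v in (sans or ()) if k == "DNS"]
    for name in dns_entries:
        if _dns_match(target, name):
            return f"DNS={name}"
    if dns_entries:
        raise EndpointIdentificationError(
            f"No subject alternative DNS name matching {target} found.")
    cn = _common_name(cert)
    if cn and _dns_match(target, cn):
        return f"CN={cn}"
    raise EndpointIdentificationError(f"No name matching {target} found")


# Constructed sample certificates (not real data).
CERT_NO_SAN = {"subject": ((("commonName", "dc01.corp.example"),),)}
CERT_DNS_SAN = {"subject": ((("commonName", "dc01.corp.example"),),),
                "subjectAltName": (("DNS", "dc01.corp.example"), ("DNS", "corp.example"))}
CERT_DNS_AND_IP_SAN = {"subject": ((("commonName", "dc01.corp.example"),),),
                       "subjectAltName": (("DNS", "dc01.corp.example"), ("IP Address", "10.0.0.5"))}


def ldaps_url_outcome(cert, host):
    """Describe what the JVM would do for ldaps://<host>:636 against `cert`."""
    try:
        return "ok (" + check_endpoint_identity(cert, host) + ")"
    except EndpointIdentificationError as exc:
        return "SSLHandshakeException: " + str(exc)


if __name__ == "__main__":
    samples = [("no SAN", CERT_NO_SAN), ("DNS SAN", CERT_DNS_SAN),
               ("DNS+IP SAN", CERT_DNS_AND_IP_SAN)]
    for label, cert in samples:
        for host in ("10.0.0.5", "dc01.corp.example"):
            print(f"{label:11} ldaps://{host}:636 -> {ldaps_url_outcome(cert, host)}")
```

Running the block prints one line per combination; the "no SAN" certificate with the IP-address URL is the FootPrints case above and is the only combination that produces "No subject alternative names present", while the same certificate accepted by host name via its CN. The property the cited Oracle release note names for switching the check off, com.sun.jndi.ldap.object.disableEndpointIdentification, would make every row pass, including against a certificate issued to an entirely different host, which is why the host-name or SAN fix is preferred.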