SSPR unable to connect to LDAP server when DNS name does not match the certificate subject name

  • 7023419
  • 02-Oct-2018
  • 27-May-2020

Environment

Self Service Password Reset
SSPR MSI and Appliance versions 4.4
SSPR WAR file version 4.x running Java v1.8u181 or later
JRE8u181


Situation

Unable to connect to LDAP (eDir) server after update from SSPR 4.3 to 4.4.
Cannot bind to LDAP
Invalid Certificate error returned when replacing certificate
Users receive the following error:

5017 ERROR_DIRECTORY_UNAVAILABLE (error connecting as proxy user: unable to create connection: unable to connect to any configured ldap url, last error: unable to bind to ldaps://mySSPRserver.example.com:636 as cn=MySSPRProxy,o=MyContainer reason: CommunicationException (mySSPRserver.example.com:636; java.security.cert.CertificateException: No name matching mySSPRserver.example.com found))

Deleting and reimporting the LDAP certificate does not help

Resolution

Replace any non-conforming LDAP server certificates. In other words, make sure the LDAP server certificate includes a DNS name in the subjectAltName field of the certificate that matches the FQDN of the SSPR server, for example, mySSPRserver.example.com.
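To tell in advance whether a certificate will pass the Java 8u181+ check, here is an added Python diagnostic (not part of SSPR or this article) that reproduces the endpoint identification decision on a certificate in the dict shape Python's ssl.getpeercert() returns. It is modelled on OpenJDK's HostnameChecker (SAN dNSName entries decide; the subject CN is consulted only when no SAN DNS entry exists); the sample certificates and host names are constructed.

```python
import socket
import ssl


def _san_dns_names(cert):
    """DNS entries of subjectAltName, in the dict shape ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _subject_cn(cert):
    """Most specific commonName of the subject, or None."""
    for rdn in reversed(cert.get("subject", ())):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_name_matches(pattern, hostname):
    """Case-insensitive match; '*' is accepted only as the entire left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (p_labels[0] == "*" and len(p_labels) >= 3
            and len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:])


def endpoint_identification(cert, hostname):
    """Return (ok, reason). SAN dNSName entries decide; the subject CN is only a
    fallback when the certificate carries no SAN DNS entry at all (as in OpenJDK)."""
    names = _san_dns_names(cert)
    if not names:
        cn = _subject_cn(cert)
        names = [cn] if cn else []
    if any(dns_name_matches(n, hostname) for n in names):
        return True, f"{hostname} matches a certificate name"
    return False, f"No name matching {hostname} found (names checked: {names})"


def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch an LDAPS server certificate for inspection. The chain is still verified
    (against cafile if given) but hostname checking is off, so a non-conforming
    certificate can be examined instead of aborting the handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real eDirectory data).
CN_ONLY_MISMATCH = {"subject": ((("organizationName", "EXAMPLE_TREE"),), (("commonName", "ldap01"),))}
SAN_OK = {"subject": ((("commonName", "ldap01"),),),
          "subjectAltName": (("DNS", "mySSPRserver.example.com"), ("IP Address", "192.0.2.10"))}
```

Run `endpoint_identification(fetch_peer_cert("mySSPRserver.example.com", cafile="<exported eDir CA>"), "mySSPRserver.example.com")` against a live server to see the same verdict Java will reach.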

WORKAROUNDS:

For War File installations of SSPR 4.3.0.4 or later:

1) Add the following Java command line option to the file that defines JAVA_OPTS in your environment:
    -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

For Windows MSI installations of SSPR 4.4 or later:

1) Right click SSPR Service Manager -> Stop SSPR-service

2) Right click SSPR Service Manager -> Tomcat Info…
    Click Java Tab
    Add the following Java option to the Java Options: section
              -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
    Click OK

3) Right click SSPR Service Manager -> Start SSPR-service

Note: SSPR Service Manager is installed on Windows servers as part of the SSPR installation, and is launched automatically when Windows loads. It appears as an icon in the task bar, as shown below:

For Appliance installations of SSPR 4.4 or later:

Create:

/ssprConfig/java.vmoptions (the /ssprConfig directory is at the root of the drive, i.e. where you land with cd /)

And add contents:

 -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Restart appliance.

Cause

All Java versions 8u181 or greater have enabled LDAPS endpoint identification by default.

This security change causes a connection failure for customers whose LDAP server certificates do not contain a matching DNS name (i.e. if the customer's LDAP certificates do not conform to RFC 5280, Java rejects them by default).

Affected customers:
All 4.4 customers with non-conforming LDAP server certificates.
Customers running 4.3.0.3 or later from the WAR file with non-conforming LDAP server certificates.

Additional Information

Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.
To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable endpoint identification algorithms.