Environment
Identity Governance (Access Review) 3.5
Situation
During a new 3.5 install with a local OSP, pointing at an existing IDV LDAP source, the following error appears in the OSP log when OSP debugging is enabled.
"java.security.cert.CertificateException: No name matching error"
You may also see the following stack trace in the OSP logs:
Preamble: [OIDP]
Priority Level: INFO
Java: internal.osp.oidp.service.oauth2.handler.WellKnown.addSupportedScopesAndClaims() [397] thread=http-nio-8080-exec-7
Time: 2019-01-03T08:28:36.993-0800
Log Data: Error obtaining schema for auth source 'bisadus: internal.atlaslite.jcce.ldap.jndi.JNDIExceptionLDAPServiceNotAvailable: No LDAP connection available.
internal.atlaslite.jcce.ldap.jndi.JNDIStore: JNDIStore.java: getIdentitySchema: 783
internal.osp.oidp.service.source.ldap.LDAPSource: LDAPSource.java: getNativeIdentitySchema: 970
internal.osp.oidp.service.source.DataSourceImpl: DataSourceImpl.java: getSchema: 615
internal.osp.oidp.service.source.ldap.LDAPAuthenticationSource: LDAPAuthenticationSource.java: getSchema: 455
internal.osp.oidp.service.oauth2.handler.WellKnown: WellKnown.java: addSupportedScopesAndClaims: 379
internal.osp.oidp.service.oauth2.handler.WellKnown: WellKnown.java: handle: 273
internal.osp.oidp.service.oauth2.handler.OAuth2Handler: OAuth2Handler.java: processRequest: 447
internal.osp.oidp.service.servlets.handler.AuthenticationServiceRequestHandler: AuthenticationServiceRequestHandler.java: handleRequest: 380
internal.osp.framework.handler.TenantRequestHandler: TenantRequestHandler.java: handleRequest: 155
internal.osp.framework.handler.OSPHandler: OSPHandler.java: handleRequest: 157
internal.osp.framework.servlet.OSPServlet: OSPServlet.java: process: 214
internal.osp.framework.servlet.OSPServlet: OSPServlet.java: doGet: 156
javax.servlet.http.HttpServlet: HttpServlet.java: service: 634
javax.servlet.http.HttpServlet: HttpServlet.java: service: 741
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 231
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 166
org.apache.tomcat.websocket.server.WsFilter: WsFilter.java: doFilter: 53
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: internalDoFilter: 193
org.apache.catalina.core.ApplicationFilterChain: ApplicationFilterChain.java: doFilter: 166
org.apache.catalina.core.StandardWrapperValve: StandardWrapperValve.java: invoke: 199
org.apache.catalina.core.StandardContextValve: StandardContextValve.java: invoke: 96
org.apache.catalina.authenticator.AuthenticatorBase: AuthenticatorBase.java: invoke: 607
org.apache.catalina.core.StandardHostValve: StandardHostValve.java: invoke: 139
org.apache.catalina.valves.ErrorReportValve: ErrorReportValve.java: invoke: 92
org.apache.catalina.valves.AbstractAccessLogValve: AbstractAccessLogValve.java: invoke: 668
org.apache.catalina.core.StandardEngineValve: StandardEngineValve.java: invoke: 74
org.apache.catalina.connector.CoyoteAdapter: CoyoteAdapter.java: service: 343
org.apache.coyote.http11.Http11Processor: Http11Processor.java: service: 408
org.apache.coyote.AbstractProcessorLight: AbstractProcessorLight.java: process: 66
org.apache.coyote.AbstractProtocol$ConnectionHandler: AbstractProtocol.java: process: 770
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor: NioEndpoint.java: doRun: 1,415
org.apache.tomcat.util.net.SocketProcessorBase: SocketProcessorBase.java: run: 49
java.util.concurrent.ThreadPoolExecutor: ThreadPoolExecutor.java: runWorker: 1,149
java.util.concurrent.ThreadPoolExecutor$Worker: ThreadPoolExecutor.java: run: 624
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable: TaskThread.java: run: 61
java.lang.Thread: Thread.java: run: 748
Resolution
Since this issue occurs over Secure LDAP (LDAPS), the behavior is caused by the Subject of the eDirectory certificate not matching the full DNS name of the actual server.
For example if the Subject on the Certificate is:
CN=Test,O=MyTree
and the DNS Name of the server is:
test.netiq.com
The two do not match, and you are experiencing a side effect of Java
1.8.0.181 (or later), which now performs a stricter comparison (endpoint identification) between the certificate's name and the server's DNS name.
You have two (2) options:
a) update the certificate to have the Subject match the actual DNS name
(For example: CN=Test.netiq.com, O=MyTree)
b) In setenv.sh (or setenv.bat), add the following entry to JAVA_OPTS:
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Note that this property turns off LDAPS hostname verification for every JNDI LDAP connection made by that JVM, so option a) is the preferable fix where the certificate can be reissued.
Then restart Tomcat and try again.
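The following Python script is an added example (not part of this article or of the OSP product) that reproduces the comparison Java's LDAPS endpoint identification performs, so you can test a certificate's Subject and Subject Alternative Names against the server's DNS name before touching the JVM options. The sample Subject and hostname are the article's own example; the wildcard handling is a labelled simplification of the JDK rule, and the function names are this example's own.

```python
import re

# Constructed sample, taken from the article's example: the eDirectory
# certificate Subject and the DNS name the OSP uses to reach the server.
EXAMPLE_SUBJECT = "CN=Test,O=MyTree"
EXAMPLE_HOSTNAME = "test.netiq.com"


def cn_from_subject(subject_dn):
    """Return the most specific CN from an RFC 2253 style DN such as 'CN=Test,O=MyTree'.

    The first CN in the string is the most specific one, which is what Java's
    hostname checker falls back to when the certificate has no SAN dNSName entries.
    """
    for rdn in re.split(r"(?<!\\),", subject_dn):
        rdn = rdn.strip()
        if rdn.upper().startswith("CN="):
            return rdn[3:].strip().replace("\\,", ",")
    return None


def _name_matches(pattern, hostname):
    """Case-insensitive match of one certificate name (CN or SAN dNSName) against the host.

    Simplification (assumption, not the JDK source): a wildcard is honoured only as the
    complete leftmost label and must be followed by at least two more labels, so
    '*.netiq.com' matches 'test.netiq.com' but not 'netiq.com' or 'a.b.netiq.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def endpoint_identification_ok(hostname, subject_dn, san_dns_names=()):
    """Decide whether Java 1.8.0.181+ LDAPS endpoint identification accepts the certificate.

    Rule mirrored from JSSE hostname checking: if the certificate carries any SAN
    dNSName entries, only those are compared and the Subject CN is ignored; only a
    certificate without SAN dNSName entries falls back to the CN.
    """
    if san_dns_names:
        return any(_name_matches(name, hostname) for name in san_dns_names)
    cn = cn_from_subject(subject_dn)
    return cn is not None and _name_matches(cn, hostname)


def diagnose(hostname, subject_dn, san_dns_names=()):
    """Explain the outcome in the shape of the article's two cases."""
    if endpoint_identification_ok(hostname, subject_dn, san_dns_names):
        return "OK: certificate names match %s" % hostname
    cn = cn_from_subject(subject_dn)
    if san_dns_names:
        return ("MISMATCH: SAN dNSName %r does not cover %s (CN=%r is ignored "
                "because SAN entries are present)" % (list(san_dns_names), hostname, cn))
    return ("MISMATCH: CN=%r does not equal %s; expect "
            "'CertificateException: No name matching %s found'" % (cn, hostname, hostname))


if __name__ == "__main__":
    # The article's failing case, the fixed CN, and a SAN-based fix.
    print(diagnose(EXAMPLE_HOSTNAME, EXAMPLE_SUBJECT))
    print(diagnose(EXAMPLE_HOSTNAME, "CN=Test.netiq.com,O=MyTree"))
    print(diagnose(EXAMPLE_HOSTNAME, EXAMPLE_SUBJECT, ["test.netiq.com"]))
```

In practice, read the Subject and SAN values off the eDirectory server certificate (for example with openssl x509 -noout -subject -ext subjectAltName on the exported certificate) and feed them to diagnose(); a MISMATCH with no SAN entries is exactly the situation the article describes, and the SAN branch shows why reissuing with a matching name (option a) is the durable fix.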