Troubleshooting
Problem
After the upgrade to Java(TM) 7 or Java(TM) 8, a customer may encounter the Lightweight Directory Access Protocol (LDAP) errors:
- javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ip address found
- javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching hostname found
This is because endpoint identification is enabled by default in these Java versions to improve the robustness of LDAPS (secure LDAP over Transport Layer Security (TLS)) connections. As a result, some applications that were previously able to connect to an LDAPS server may no longer connect.
Symptom
While connecting to an LDAPS server, one of the errors:
- javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ip address found
- javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching hostname found
is issued in situations where applications were previously able to successfully connect to an LDAPS server.
Cause
The LDAP provider now asks Java Secure Socket Extension (JSSE) to validate the LDAP server's certificate against the hostname used in the connection, to ensure it is compliant with hostname verification. With this change, if the server's certificate is not compliant, the exception is thrown. In the past, LDAP did not request JSSE to perform hostname verification, so a non-compliant server certificate would not have produced this error.
Resolving The Problem
In order to resolve the issue either:
- Regenerate the LDAP server certificate so that the certificate's subject alternative name or the certificate's subject name matches the hostname of the LDAP server.
OR
- Disable endpoint identification by setting the system property: com.sun.jndi.ldap.object.disableEndpointIdentification=true
In the Security Directory Integrator, specify the additional system properties in the file:
Unix/Linux: <SDI_Solution_Directory>/solution.properties or <SDI_Install_Dir>/etc/global.properties
or
Windows: <SDI_Solution_Directory>\solution.properties or <SDI_Install_Dir>\etc\global.properties
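The following is an added illustration, not code from this document or from the Java runtime or Security Directory Integrator, of the hostname check described under Cause and of why the first resolution option (a certificate whose subject alternative name covers the LDAP server's address) makes the check pass. It models the endpoint identification rules in Python over constructed certificate dicts: a URL host that is an IP literal can only be satisfied by an iPAddress SAN entry; when dNSName SAN entries exist, one of them must match and the subject CN is ignored; only a certificate with no dNSName entries falls back to the CN. The certificate contents, hostnames, the simplified one-label wildcard rule, and the exact error wording (modelled on the two messages quoted above, not copied from the JDK) are assumptions of this example.

```python
"""Model of the hostname (endpoint identification) check that JSSE applies to
an LDAPS server certificate. Constructed example; certificates are plain dicts
holding only the fields the check looks at."""
import ipaddress
from urllib.parse import urlsplit


class EndpointIdentificationError(Exception):
    """Stands in for javax.net.ssl.SSLHandshakeException / CertificateException."""


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS match; '*.example.com' covers exactly one extra label
    (simplified wildcard rule, an assumption of this model)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".corp.example.com"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return pattern == hostname


def verify_endpoint(cert, url_host):
    """Raise EndpointIdentificationError unless the certificate names url_host.

    Order of checks (mirrors the behaviour described under Cause):
      1. URL host is an IP literal  -> only an iPAddress SAN entry can match.
      2. Certificate has dNSName SAN entries -> one of them must match; the
         subject CN is not consulted at all.
      3. No dNSName SAN entries -> fall back to the subject CN.
    Error texts are modelled on the two messages quoted on this page.
    """
    try:
        ip = ipaddress.ip_address(url_host)
    except ValueError:
        ip = None

    if ip is not None:
        if any(ipaddress.ip_address(entry) == ip for entry in cert["san_ip"]):
            return True
        raise EndpointIdentificationError(
            f"No subject alternative name matching IP address {url_host} found")

    if cert["san_dns"]:
        if any(_dns_name_matches(p, url_host) for p in cert["san_dns"]):
            return True
        raise EndpointIdentificationError(
            f"No subject alternative DNS name matching {url_host} found")

    if _dns_name_matches(cert["subject_cn"], url_host):
        return True
    raise EndpointIdentificationError(f"No name matching {url_host} found")


def check_ldaps_url(cert, url):
    """Return (ok, message) for connecting to `url` against `cert`."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"not an ldaps:// URL: {url}")
    try:
        verify_endpoint(cert, host)
        return True, "endpoint identification passed"
    except EndpointIdentificationError as exc:
        return False, str(exc)


# Constructed sample certificates (not real certificates).
CERT_DNS_SAN_ONLY = {  # typical modern cert: names only in the SAN
    "subject_cn": "ldap.example.com",
    "san_dns": ["ldap.example.com", "*.corp.example.com"],
    "san_ip": [],
}
CERT_NO_SAN = {  # legacy cert: CN only, no SAN extension
    "subject_cn": "ldap.example.com",
    "san_dns": [],
    "san_ip": [],
}
CERT_REGENERATED = {  # resolution option 1: SAN now covers both name and IP
    "subject_cn": "ldap.example.com",
    "san_dns": ["ldap.example.com"],
    "san_ip": ["192.0.2.10"],
}

SCENARIOS = [
    ("DNS-SAN cert, connect by hostname", CERT_DNS_SAN_ONLY, "ldaps://ldap.example.com:636"),
    ("DNS-SAN cert, connect by IP", CERT_DNS_SAN_ONLY, "ldaps://192.0.2.10:636"),
    ("CN-only cert, hostname differs from CN", CERT_NO_SAN, "ldaps://ldap-old.example.com:636"),
    ("regenerated cert, connect by IP", CERT_REGENERATED, "ldaps://192.0.2.10:636"),
]

if __name__ == "__main__":
    for label, cert, url in SCENARIOS:
        ok, msg = check_ldaps_url(cert, url)
        print(f"{'PASS' if ok else 'FAIL'}  {label:40s} {msg}")
```

The second scenario is the common trigger for the first error on this page: the application connects by IP address while the certificate carries only DNS names, so no entry can match. The third scenario reproduces the second error: a CN-only certificate whose CN does not equal the connection hostname. The fourth shows that a regenerated certificate whose SAN lists the address actually used in the URL passes without disabling endpoint identification.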
Related Information
Product Synonym
SDI;LDAP Connector
Document Information
Modified date:
12 December 2022
UID
ibm11085457